276a5903dbc07e0200bb6206fb03ea67e8d8a05056426d920a781a12e0a90ac8

Analysis

max time kernel
119s
max time network
144s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
30/04/2024, 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Seven.exe
Size

139KB
MD5

350273e0d2e8a9ba5e37b791016112a0
SHA1

5bfb616dd46f67d1dcbbff55ca5917ffc1ec8b71
SHA256

27297bf8139bea755e9297e7e1489d827d1ee09a8e1d94a3ef96a2edb2de61ba
SHA512

b1e768524b4e840bd5f4163205122dd1725583245d8bfd5cbd89eb21a5fb9d33aff1b7b0ca42132b7dae469e025068ae663b3b02ad59927a558dc340141ec91b
SSDEEP

3072:miS4omp03WQthI/9S3BZi08iRQ1G78IVn27bSfcJd8ltw:miS4ompB9S3BZi0a1G78IVhcTct

Score

10^/10

evasion ransomware spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Seven.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Seven.exe

Renames multiple (237) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocks application from running via registry modification 1 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Seven.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Seven.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Seven.exe

Deletes itself 1 IoCs

pid	Process
4992	Winhost.exe

Executes dropped EXE 64 IoCs

pid	Process
4992	Winhost.exe
2436	Winhost.exe
2096	Winhost.exe
2176	Winhost.exe
2796	Winhost.exe
1952	Winhost.exe
5064	Winhost.exe
4288	Winhost.exe
5036	Winhost.exe
3164	Winhost.exe
4928	Winhost.exe
3052	Winhost.exe
1108	Winhost.exe
3520	Winhost.exe
3144	Winhost.exe
800	Winhost.exe
4984	Winhost.exe
4780	Winhost.exe
3540	Winhost.exe
5032	Winhost.exe
1324	Winhost.exe
4452	Winhost.exe
1956	Winhost.exe
1688	Winhost.exe
3652	Winhost.exe
3520	Winhost.exe
3340	Winhost.exe
436	Winhost.exe
3904	Winhost.exe
3092	Winhost.exe
2416	Winhost.exe
2792	Winhost.exe
2776	Winhost.exe
3324	Winhost.exe
4836	Winhost.exe
2216	Winhost.exe
4624	Winhost.exe
2336	Winhost.exe
2400	Winhost.exe
3012	Winhost.exe
756	Winhost.exe
1952	Winhost.exe
432	Winhost.exe
3680	Winhost.exe
4952	Winhost.exe
2632	Winhost.exe
1376	Winhost.exe
1968	Winhost.exe
4836	Winhost.exe
2340	Winhost.exe
2256	Winhost.exe
5012	Winhost.exe
2716	Winhost.exe
3108	Winhost.exe
2252	Winhost.exe
3636	Winhost.exe
764	Winhost.exe
4384	Winhost.exe
3372	Winhost.exe
716	Winhost.exe
884	Winhost.exe
4940	Winhost.exe
936	Winhost.exe
4808	Winhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Seven.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua	Seven.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Winhost.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File opened for modification	C:\Windows\System32\Seven.dll	attrib.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File opened for modification	C:\Windows\System32\Winhost.exe	cmd.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\System32\Seven.runtimeconfig.json	cmd.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\System32\Winhost.exe	cmd.exe
File created	C:\Windows\System32\Seven.dll	cmd.exe
File opened for modification	C:\Windows\System32\Seven.runtimeconfig.json	cmd.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File opened for modification	C:\Windows\System32\Seven.runtimeconfig.json	attrib.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5036	powershell.exe
5036	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5036	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 5036	2472	Seven.exe	81
PID 2472 wrote to memory of 5036	2472	Seven.exe	81
PID 2472 wrote to memory of 2700	2472	Seven.exe	83
PID 2472 wrote to memory of 2700	2472	Seven.exe	83
PID 2472 wrote to memory of 3940	2472	Seven.exe	84
PID 2472 wrote to memory of 3940	2472	Seven.exe	84
PID 2472 wrote to memory of 3528	2472	Seven.exe	85
PID 2472 wrote to memory of 3528	2472	Seven.exe	85
PID 2472 wrote to memory of 4884	2472	Seven.exe	86
PID 2472 wrote to memory of 4884	2472	Seven.exe	86
PID 2472 wrote to memory of 3060	2472	Seven.exe	87
PID 2472 wrote to memory of 3060	2472	Seven.exe	87
PID 2472 wrote to memory of 2824	2472	Seven.exe	88
PID 2472 wrote to memory of 2824	2472	Seven.exe	88
PID 2472 wrote to memory of 4880	2472	Seven.exe	89
PID 2472 wrote to memory of 4880	2472	Seven.exe	89
PID 2472 wrote to memory of 896	2472	Seven.exe	90
PID 2472 wrote to memory of 896	2472	Seven.exe	90
PID 2472 wrote to memory of 3184	2472	Seven.exe	91
PID 2472 wrote to memory of 3184	2472	Seven.exe	91
PID 2472 wrote to memory of 3744	2472	Seven.exe	92
PID 2472 wrote to memory of 3744	2472	Seven.exe	92
PID 2472 wrote to memory of 3020	2472	Seven.exe	93
PID 2472 wrote to memory of 3020	2472	Seven.exe	93
PID 2472 wrote to memory of 2448	2472	Seven.exe	94
PID 2472 wrote to memory of 2448	2472	Seven.exe	94
PID 2472 wrote to memory of 3004	2472	Seven.exe	95
PID 2472 wrote to memory of 3004	2472	Seven.exe	95
PID 2472 wrote to memory of 412	2472	Seven.exe	96
PID 2472 wrote to memory of 412	2472	Seven.exe	96
PID 4884 wrote to memory of 4384	4884	cmd.exe	97
PID 4884 wrote to memory of 4384	4884	cmd.exe	97
PID 412 wrote to memory of 4992	412	cmd.exe	98
PID 412 wrote to memory of 4992	412	cmd.exe	98
PID 3020 wrote to memory of 2864	3020	cmd.exe	99
PID 3020 wrote to memory of 2864	3020	cmd.exe	99
PID 3744 wrote to memory of 4708	3744	cmd.exe	100
PID 3744 wrote to memory of 4708	3744	cmd.exe	100
PID 2448 wrote to memory of 3816	2448	cmd.exe	101
PID 2448 wrote to memory of 3816	2448	cmd.exe	101
PID 3060 wrote to memory of 3636	3060	cmd.exe	102
PID 3060 wrote to memory of 3636	3060	cmd.exe	102
PID 3004 wrote to memory of 4832	3004	cmd.exe	104
PID 3004 wrote to memory of 4832	3004	cmd.exe	104
PID 4992 wrote to memory of 2436	4992	Winhost.exe	106
PID 4992 wrote to memory of 2436	4992	Winhost.exe	106
PID 2436 wrote to memory of 2096	2436	Winhost.exe	109
PID 2436 wrote to memory of 2096	2436	Winhost.exe	109
PID 2096 wrote to memory of 2176	2096	Winhost.exe	111
PID 2096 wrote to memory of 2176	2096	Winhost.exe	111
PID 2176 wrote to memory of 2796	2176	Winhost.exe	113
PID 2176 wrote to memory of 2796	2176	Winhost.exe	113
PID 2796 wrote to memory of 1952	2796	Winhost.exe	115
PID 2796 wrote to memory of 1952	2796	Winhost.exe	115
PID 1952 wrote to memory of 5064	1952	Winhost.exe	117
PID 1952 wrote to memory of 5064	1952	Winhost.exe	117
PID 5064 wrote to memory of 4288	5064	Winhost.exe	119
PID 5064 wrote to memory of 4288	5064	Winhost.exe	119
PID 4288 wrote to memory of 5036	4288	Winhost.exe	121
PID 4288 wrote to memory of 5036	4288	Winhost.exe	121
PID 5036 wrote to memory of 3164	5036	Winhost.exe	123
PID 5036 wrote to memory of 3164	5036	Winhost.exe	123
PID 3164 wrote to memory of 4928	3164	Winhost.exe	125
PID 3164 wrote to memory of 4928	3164	Winhost.exe	125

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Seven.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4832	attrib.exe
3636	attrib.exe
3816	attrib.exe
4708	attrib.exe
2864	attrib.exe
4384	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Seven.exe
"C:\Users\Admin\AppData\Local\Temp\Seven.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5036
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Admin\AppData\Local\Temp\Winhost.exe
  2⤵
  PID:2700
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Windows\System32\Winhost.exe
  2⤵
  - Drops file in System32 directory
  PID:3940
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Public\Documents\Winhost.exe
  2⤵
  PID:3528
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Winhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Winhost.exe
    3⤵
    - Views/modifies file attributes
    PID:4384
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\Winhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\Winhost.exe
    3⤵
    - Views/modifies file attributes
    PID:3636
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Windows\System32\Seven.dll
  2⤵
  - Drops file in System32 directory
  PID:2824
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Users\Public\Documents\Seven.dll
  2⤵
  PID:4880
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Windows\System32\Seven.runtimeconfig.json
  2⤵
  - Drops file in System32 directory
  PID:896
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Users\Public\Documents\Seven.runtimeconfig.json
  2⤵
  PID:3184
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Seven.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Seven.dll
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:4708
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Seven.runtimeconfig.json
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Seven.runtimeconfig.json
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2864
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\Seven.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\Seven.dll
    3⤵
    - Views/modifies file attributes
    PID:3816
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\Seven.runtimeconfig.json
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\Seven.runtimeconfig.json
    3⤵
    - Views/modifies file attributes
    PID:4832
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C start C:\Users\Admin\AppData\Local\Temp\Winhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
    C:\Users\Admin\AppData\Local\Temp\Winhost.exe
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
      "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2436
    - - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2096
      - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        13⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        14⤵
        Executes dropped EXE
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        15⤵
        Executes dropped EXE
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        16⤵
        Executes dropped EXE
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        17⤵
        Executes dropped EXE
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        18⤵
        Executes dropped EXE
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        19⤵
        Executes dropped EXE
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        20⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        21⤵
        Executes dropped EXE
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        22⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        23⤵
        Executes dropped EXE
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        24⤵
        Executes dropped EXE
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        25⤵
        Executes dropped EXE
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        26⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        27⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        28⤵
        Executes dropped EXE
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        29⤵
        Executes dropped EXE
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        30⤵
        Executes dropped EXE
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        31⤵
        Executes dropped EXE
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        32⤵
        Executes dropped EXE
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        33⤵
        Executes dropped EXE
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        34⤵
        Executes dropped EXE
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        35⤵
        Executes dropped EXE
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        36⤵
        Executes dropped EXE
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        37⤵
        Executes dropped EXE
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        38⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        39⤵
        Executes dropped EXE
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        40⤵
        Executes dropped EXE
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        41⤵
        Executes dropped EXE
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        42⤵
        Executes dropped EXE
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        43⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        44⤵
        Executes dropped EXE
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        45⤵
        Executes dropped EXE
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        46⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        47⤵
        Executes dropped EXE
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        48⤵
        Executes dropped EXE
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        49⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        50⤵
        Executes dropped EXE
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        51⤵
        Executes dropped EXE
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        52⤵
        Executes dropped EXE
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        53⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        54⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        55⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        56⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        57⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        58⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        59⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        60⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        61⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        62⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        63⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        64⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        65⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        66⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        67⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        68⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        69⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        70⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        71⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        72⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        73⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        74⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        75⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        76⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        77⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        78⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        79⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        80⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        81⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        82⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        83⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        84⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        85⤵
        
        PID:2528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        86⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        86⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        87⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        88⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        89⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        90⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        91⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        92⤵
        
        PID:1532

C:\Windows\System32\Winhost.exe
C:\Windows\System32\Winhost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4624
- C:\Windows\System32\Winhost.exe
  "C:\Windows\System32\Winhost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2400
- - C:\Windows\System32\Winhost.exe
    "C:\Windows\System32\Winhost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:756
  - - C:\Windows\System32\Winhost.exe
      "C:\Windows\System32\Winhost.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:432
    - - C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4952
      - C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1376
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4836
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2256
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2716
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2252
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:764
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:936
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        15⤵
        Drops file in System32 directory
        
        PID:3364
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        16⤵
        Drops file in System32 directory
        
        PID:5060
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        17⤵
        Drops file in System32 directory
        
        PID:3032
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        18⤵
        Drops file in System32 directory
        
        PID:3940
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        19⤵
        Drops file in System32 directory
        
        PID:2744
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        20⤵
        Drops file in System32 directory
        
        PID:4112
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        21⤵
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        22⤵
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        23⤵
        Drops file in System32 directory
        
        PID:4392
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        24⤵
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        25⤵
        Drops file in System32 directory
        
        PID:3672
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        26⤵
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        27⤵
        
        PID:424
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        28⤵
        Drops file in System32 directory
        
        PID:1880
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        29⤵
        Drops file in System32 directory
        
        PID:2836
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        30⤵
        Drops file in System32 directory
        
        PID:3108
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        31⤵
        Drops file in System32 directory
        
        PID:3636
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        32⤵
        Drops file in System32 directory
        
        PID:3156
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        33⤵
        Drops file in System32 directory
        
        PID:1436
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        34⤵
        Drops file in System32 directory
        
        PID:1532
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        35⤵
        Drops file in System32 directory
        
        PID:2660
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        36⤵
        
        PID:4852
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        37⤵
        
        PID:4984
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        38⤵
        
        PID:1648
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        39⤵
        
        PID:404
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        40⤵
        
        PID:2672
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        41⤵
        
        PID:3548
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        42⤵
        
        PID:2096
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        43⤵
        
        PID:1036
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        44⤵
        
        PID:3788
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        45⤵
        
        PID:4780
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        46⤵
        
        PID:2108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:2348
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        47⤵
        
        PID:4636
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        48⤵
        
        PID:4904
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        49⤵
        
        PID:2292
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        50⤵
        
        PID:3544
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        51⤵
        
        PID:356
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        52⤵
        
        PID:2372
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        53⤵
        
        PID:884
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        54⤵
        
        PID:3044
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        55⤵
        
        PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
147B

MD5
4e82fb727658d69a3fa7120ba4c9bc09

SHA1
09165c53f734f7dde320ed5a3b1fba533e50da61

SHA256
fdeb3daafef7986637244dea75ee798c7af76018d205e564fb3af7875b29501d

SHA512
97eeec22fff39ba41102ef3150db86928dca07132e42b471d07aef44c63840ca24f8921dfb49dd51913b56303504ada9d065c649219cc10b6df08056b13d71a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
64B

MD5
0ac10341e3bc2f48e66801aec2a3a829

SHA1
2db23967a37a04224c04c7cca66f26d092bc818f

SHA256
3cfba8a6e7007eb143b3948b9215241cfcf04b372587001a8fbf743c93f121c2

SHA512
da0de45d452947bfbf036815d6d01abb80bc31df301f6d56852c9b7b5c0fd06cb0c87df414e7deb1452bd6083f25178820187ef7b491c16595611ee3f3861948

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
64B

MD5
f9f0d6836e92cbf8e72f5bf6bb0edbf1

SHA1
5c3c1ee9cff7a595924adefb205f004d87d7709b

SHA256
f0538fe96d8a1dc5b1de8e7041af39594638414f82106c5a2df652e841f79ed9

SHA512
e8c4c1dda76e74bcdb02f01cfcefd81075921b3e2145373d1fe7dfdcba5a8b49c898c24ae9197566f9a41b81563cd8c6430e74749119513321820d13f6b55f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
829ace41ca5eb60145f6784a13f20012

SHA1
9c19b59e7edce86832a8b8c6cdec99853f445ff6

SHA256
8720fd242a503aaef4c443b404bd25c64d0b64e2691cd1d46be2edf010d28761

SHA512
c097b785c10ef82475020625e216048a9cd81aa309cb3c368c575af8f3ddb5c98350fead0feb3b56cd92dc6a5174e0f21f62eea80cd94b9dbf829a655c196b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
388741b65f9a9ec761278d668183cbf2

SHA1
caa7f6fd100049908617661c72f2b9cac0ba10ad

SHA256
3eb6d2e55e88c94f2f5ba25ce5316f893ebf478c444366854b58a7eba4d2f351

SHA512
8fdc120a373c04884383a1f68ae8644ad92163bb3e0df32ea1c43325e0c17a79f29266be0386377c2dcdcddd5f0b08fa6d9c5415705d7623adfbaec606d6c485

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2dw1ecab.0se.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Documents\Seven.dll

Filesize
1.3MB

MD5
b5354db7c3200ccec55fd08c45871d59

SHA1
ecc498dcc425d9d803dcd0eec5efba18c654fc58

SHA256
90d1ad22e058d66acca5e10b5095d857fcb295143d4538930650765eaa25367d

SHA512
58a26c369977bc4fe735dfad9abf062a16fa0f2af3decf92f71339c374751ebfc8e4760ddd01266fc70bfe4bb56b936140e776a742a2b188d7a692029ba627c7

Download Submit
C:\Users\Public\Documents\Seven.runtimeconfig.json

Filesize
340B

MD5
253333997e82f7d44ea8072dfae6db39

SHA1
03b9744e89327431a619505a7c72fd497783d884

SHA256
28329cf08f6505e73806b17558b187c02f0c1c516fe47ebfb7a013d082aaa306

SHA512
56d99039e0fb6305588e9f87361e7e0d5051507bf321ba36619c4d29741f35c27c62f025a52523c9e1c7287aabf1533444330a8cdf840fa5af0fa2241fcb4fc2

Download Submit
C:\Windows\System32\Winhost.exe

Filesize
139KB

MD5
350273e0d2e8a9ba5e37b791016112a0

SHA1
5bfb616dd46f67d1dcbbff55ca5917ffc1ec8b71

SHA256
27297bf8139bea755e9297e7e1489d827d1ee09a8e1d94a3ef96a2edb2de61ba

SHA512
b1e768524b4e840bd5f4163205122dd1725583245d8bfd5cbd89eb21a5fb9d33aff1b7b0ca42132b7dae469e025068ae663b3b02ad59927a558dc340141ec91b

Download Submit
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.420

Filesize
380KB

MD5
1c2cba93a48ec3b8221a35e9091ed006

SHA1
695892ffa4394787e16c8f738027aeb28abe8ae8

SHA256
42f57440104bf972a76a4e1d27918c1af5d2472228f5b981f50090a7dac60f65

SHA512
34e4f6d3540f406e99bc0f0cbacb33ecbb6da48af33b338f28bc320e059e08cfbe65e00b03a1f08bac199698266eda29133092ad8768007e674f86ff8c234433

Download Submit
C:\vcredist2010_x64.log.html.420

Filesize
86KB

MD5
5dbcf4bc1ac2366c628ec928cb14df3b

SHA1
6ad3e21fac57a083b952dced51c5c3c68dbe19c1

SHA256
baf10ce59719909aa4db9dfec630754a9adc72534d7ea5e54460dd807260a0c6

SHA512
ae6f8db55eb7283816f4070b9ae6b4a5003415f7b83b84d2ba3fe0a86454da6e6507842dfe89c271d8eda2ae1ce729875d92e43a2c18464db5c33bc1d7852268

Download Submit
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.420

Filesize
394KB

MD5
db99ef6b8ef8c3bc6ae1bb034fbcad59

SHA1
933e0494acb79c3ec82e12e216aeebbe4692577a

SHA256
88e688f3a01f7d6a3fd7c7ee2fdf3ff27542bafc15c116fc6a65a11387f4a108

SHA512
45f07cce0e0f316d196881f5101d5e4a55c7b28d46671d72ce1d65f48090183ac37d18e203c49fa44db93ddb71fe2a98be1acbc89595589376b8f7ccb436d6a7

Download Submit
C:\vcredist2010_x86.log.html.420

Filesize
80KB

MD5
a03b442d491e3dd87da07c6683e9a230

SHA1
01ee46e7056112217da5f991a594ee3214aed241

SHA256
c081ffd4d714a8edd95db930d691accfacd32ab4f71c469c6b553e9596e822a9

SHA512
1534308632f766cc85126dbf65a1624ee94c44b69b93db683d7d00da63136f7ccc1b4e56edf5d984a57cdf5ff26b65498110ada26262d4cdb3b5c06da5b04f38

Download Submit
C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.420

Filesize
167KB

MD5
c767e330509bdb4e5af0e1e87bd1264b

SHA1
edf6d35268f8c127fa1075d800d1a2d16c0a3af9

SHA256
d3fc51f7546c498f022408c398f3ab1071d81f3ea4db260b103f4380c2fb2fd3

SHA512
4da4650524096546a0caefa047517ca63589ab0978a9906c8fbb6d6155a63d9595bb4e99721153cea4ec74fc789d85c9caead0a391abd52ab96c31aa72f4c861

Download Submit
C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.420

Filesize
195KB

MD5
f47726c41364ccbb6d8b72640827a820

SHA1
b0881514493fdae36c5c4450f030e32127eaf5d7

SHA256
d9778ae93e64729c361a6eeae38531721e3f2b14905e9a59096c442d66019172

SHA512
61d71ec7f44792b6b92f040c833cbaed33cfe656557fae353fd3df7199d73cf1f89ea7bfcc0e4b1a0f1dbaab2cda8d97853c7d5135420bf1383fb1fb647b4eae

Download Submit
C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.420

Filesize
170KB

MD5
839f880635aa3b8b87061fc3f35c5daf

SHA1
50765ebde21605a7655d30fc049d3aec96d03ff9

SHA256
379ba529926e750043a945ddea88eb0e9031d8f7774cca275b967262c03ecebd

SHA512
8dbe41a4b1d20ed23288d7519f667929652bf78f28039372c0dd2e2205f24a9ab03581da5fefabeadde6cadd68e816136c21af5ecf2d2d250739571e29a99527

Download Submit
C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.420

Filesize
208KB

MD5
eee3dd663b9d63704c1e065155ddc168

SHA1
04acef86841ecc4a1e8156c4089b6e813da9182f

SHA256
431aeb9bc4d48df037da49dbbfd0349d6de7e3da23d6820854bc4f33bd877e78

SHA512
a82a5a7b5cfe9142c613d87dac8fe1cf5703a84cdd549ae449756dc87b38e950db0b0bef7e28367799f6e4d83eb28531dc29e66c251c764b8f164f5a32dacaa5

Download Submit
C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.420

Filesize
169KB

MD5
502d7593db31427fa64a74df08662218

SHA1
d2336dc3780eb756471990fcdeb3775917526493

SHA256
589a92c1f94adde5c00fbe5942421bf47e4410b7e95ee6867d91bc1b632eae87

SHA512
e75e976a5f7153604dd86adf45c6d86ecd468eefff09cd0bd03c4b1b331c107d77b560888fa0f16f3f5ef75bc07b65b4f71699450aba765a266ef3bcf92d5b37

Download Submit
C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.420

Filesize
190KB

MD5
bce1dee7d15cd44280b5b04262059a27

SHA1
c8b7332fe53729b05ef245aaea3c32ea7a7b1046

SHA256
2b90e6f783b72b863f3aa6f3b91f599054af504716f0cf069dd2a36c48ecf76f

SHA512
47e7b93f6b28fee756fe222ac6254684b82fa08b8bc330ffc3a95a64da33088263d6951e7f685216b7c6ef345d687c172fc04568e6eb393319b7e0d7ece9219d

Download Submit
C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.420

Filesize
170KB

MD5
642d26499cb04f6ec8f79a61c920facb

SHA1
5ab1b556660448bff4b3e191c46431d6af07a040

SHA256
d60bffbb97eb48d124192321020d62141903c0bb94c57111b3571c674a4105b1

SHA512
be3fb8262f1a35bddbad0ecf7f23af1de451127c2b2a68b1a345a97218d837b30d47abb84f0e9dc06233e5d5b0c6ad1bc94f8e569ab0632978947e16cba43bf7

Download Submit
C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.420

Filesize
198KB

MD5
1b5ed7d91a8eae04252006a4be8bda93

SHA1
82fc2e6549678c06b3ee3314acca7fbd72cbf925

SHA256
c4edae3b25f5f809442020403550224c172ef989d6599a4e012406e49f547929

SHA512
f3f472b1fad07a682e45e045100ec00c08dbab50f6f47242caa59be84d05cbb4ed6a064748245fa52cce05fbe414d4ccec8a8314c44203e9417163696f3e5941

Download Submit
C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.420

Filesize
123KB

MD5
047a3d49dda91ff5fb23faf01dfac216

SHA1
642bcba726debe25966cb06341617530dd8d172f

SHA256
6f2c37fa7b0c3a75ccc66ba9e9d43517ad71100976bf6adf1148b64432af3fd8

SHA512
3e999f3e592eb1d0c58e42e2aa2460a72f037672458f23fb416cc33b7624a67bea845474bc31d28d319f3fe50825edf3c40b13c0de3f6f3f1b1dd5c6b2ce7473

Download Submit
C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.420

Filesize
129KB

MD5
5b3de0afe8a10697d8ae3166a22e0f97

SHA1
7859d99ccc128c430fdbc76e762cec6f1551a932

SHA256
0bf427a12d06bae2552ae726583bb8947d4f6a7576c2b9b4461d490b942dde6c

SHA512
d0644bb0cc7ec2283e5149424f5e0ea4188020315fa419fbc32a723506ee6a55af34b392d062b8cc5bdcd5c4a7de80e83e872208e2d9806cba6e376f8de05408

Download Submit
C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log.420

Filesize
123KB

MD5
a41dff3e10ca417801100a4cc372276a

SHA1
91377bb83df12bc5f4b6ce3e285a0e2b813431e8

SHA256
a7183b0371931a89d0013a16e018056f6f0567342921a8c6e6e9cfd81ca5dd94

SHA512
2500ee6bdeda31a08c538c5ee5a0258cc54f8ac4ae5083d0ead7e89fac2cff138a00654a7b3d7f5b280be9085e3e51ffc596472494bd640709c72c873a18bab5

Download Submit
C:\vcredist2022_x86_001_vcRuntimeAdditional_x86.log.420

Filesize
135KB

MD5
8d04518f12bf8f4730b93046c4a29d6f

SHA1
c86e6e462ea2d528331f672d7b347de0d0f04ab5

SHA256
30bab0bef9b04f644c6d804eafeab62c1e741cc36c61b81d4e6c8609a1ffdadc

SHA512
f78db543d7863789fabb0c86137b99222a94c42c8b1e8d804edd6e1cf5be9e90e3c9a74e01f98c618aff74364fda749404718efad6816d2b7afa72af693406eb

Download Submit
memory/5036-10-0x000001CC1C8A0000-0x000001CC1C8B0000-memory.dmp

Filesize
64KB

Download
memory/5036-15-0x00007FFF0F430000-0x00007FFF0FEF2000-memory.dmp

Filesize
10.8MB

Download
memory/5036-11-0x000001CC1C8A0000-0x000001CC1C8B0000-memory.dmp

Filesize
64KB

Download
memory/5036-12-0x000001CC1C8A0000-0x000001CC1C8B0000-memory.dmp

Filesize
64KB

Download
memory/5036-9-0x00007FFF0F430000-0x00007FFF0FEF2000-memory.dmp

Filesize
10.8MB

Download
memory/5036-8-0x000001CC1C9B0000-0x000001CC1C9D2000-memory.dmp

Filesize
136KB

Download