f1662149f835cfa5fe3e22df52987ea04474a122577af31adf04223cededf43d

Analysis

max time kernel
97s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Seven.exe
Size

139KB
MD5

350273e0d2e8a9ba5e37b791016112a0
SHA1

5bfb616dd46f67d1dcbbff55ca5917ffc1ec8b71
SHA256

27297bf8139bea755e9297e7e1489d827d1ee09a8e1d94a3ef96a2edb2de61ba
SHA512

b1e768524b4e840bd5f4163205122dd1725583245d8bfd5cbd89eb21a5fb9d33aff1b7b0ca42132b7dae469e025068ae663b3b02ad59927a558dc340141ec91b
SSDEEP

3072:miS4omp03WQthI/9S3BZi08iRQ1G78IVn27bSfcJd8ltw:miS4ompB9S3BZi0a1G78IVhcTct

Score

10^/10

evasion ransomware spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Seven.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Seven.exe

Renames multiple (293) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocks application from running via registry modification 1 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Seven.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Seven.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Seven.exe

Checks computer location settings 2 TTPs 40 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Seven.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Winhost.exe

Deletes itself 1 IoCs

pid	Process
3968	Winhost.exe

Executes dropped EXE 39 IoCs

pid	Process
3968	Winhost.exe
4604	Winhost.exe
1580	Winhost.exe
4424	Winhost.exe
4892	Winhost.exe
3548	Winhost.exe
4208	Winhost.exe
1784	Winhost.exe
2004	Winhost.exe
2556	Winhost.exe
2036	Winhost.exe
1120	Winhost.exe
2976	Winhost.exe
3816	Winhost.exe
3604	Winhost.exe
1784	Winhost.exe
876	Winhost.exe
5056	Winhost.exe
680	Winhost.exe
3616	Winhost.exe
2976	Winhost.exe
1076	Winhost.exe
3488	Winhost.exe
2500	Winhost.exe
2252	Winhost.exe
876	Winhost.exe
60	Winhost.exe
4508	Winhost.exe
4556	Winhost.exe
1552	Winhost.exe
4588	Winhost.exe
1580	Winhost.exe
2720	Winhost.exe
820	Winhost.exe
876	Winhost.exe
4892	Winhost.exe
4508	Winhost.exe
4268	Winhost.exe
4312	Winhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Seven.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua	Seven.exe

Drops desktop.ini file(s) 11 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Winhost.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	Winhost.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	Winhost.exe
File opened for modification	C:\Program Files\desktop.ini	Winhost.exe
File opened for modification	C:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	Winhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
48	raw.githubusercontent.com
11	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Seven.dll	attrib.exe
File opened for modification	C:\Windows\System32\Seven.runtimeconfig.json	attrib.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File opened for modification	C:\Windows\System32\Seven.dll	cmd.exe
File created	C:\Windows\System32\Winhost.exe	cmd.exe
File opened for modification	C:\Windows\System32\Winhost.exe	cmd.exe
File opened for modification	C:\Windows\System32\Seven.runtimeconfig.json	cmd.exe
File created	C:\Windows\System32\Seven.dll	cmd.exe
File created	C:\Windows\System32\Seven.runtimeconfig.json	cmd.exe
File opened for modification	C:\Windows\System32\Winhost.exe	attrib.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe

Sets desktop wallpaper using registry 2 TTPs 5 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp0scozy.tmp"	Seven.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpzib1kd.tmp"	Winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpos5lug.tmp"	Winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp5wqtya.tmp"	Winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp4q4gfr.tmp"	Winhost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\lv_get.svg	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\tr-tr\ui-strings.js	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close_h2x.png	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\adobepdf.xdc	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-disabled.svg	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_link_18.svg	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon_2x.png	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\cstm_brand_preview2x.png	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DigSig.api	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\selector.js	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HighBeamCardLogo.png	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\PlayStore_icon.svg	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-gb\ui-strings.js	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\rhp_world_icon_2x.png	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons_ie8.gif	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\eu-es\ui-strings.js	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adc_logo.png	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\close-2.svg	Winhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons.png	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\plugin.js	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ko-kr\ui-strings.js	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\share_icons.png	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-tw\ui-strings.js	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ui-strings.js	Winhost.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\ui-strings.js	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\example_icons.png	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\eu-es\ui-strings.js	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\new_icons.png	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\selector.js	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\rhp_world_icon.png	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\combine_poster.jpg	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Measure.aapp	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\es-419_get.svg	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PPKLite.api	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_hover_18.svg	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\edit_pdf_poster.jpg	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sv_get.svg	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\A3DUtils.dll	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adobe_spinner_mini.gif	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ca-es\ui-strings.js	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ru_get.svg	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner_dark.gif	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\ui-strings.js	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\ui-strings.js	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\caution.svg	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-selector.js	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\PlayStore_icon.svg	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fi-fi\ui-strings.js	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\empty.png	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluEmptyStateDCFiles_280x192.svg	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\ui-strings.js	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\ui-strings.js	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected]	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\convertpdf-selector.js	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\circle_2x.png	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\selector.js	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nb-no\ui-strings.js	Winhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	Winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-default_32.svg	Winhost.exe

Drops file in Windows directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe
File opened for modification	C:\Windows\bfsvc.exe	Winhost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5012	powershell.exe
5012	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5012	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 5012	3016	Seven.exe	93
PID 3016 wrote to memory of 5012	3016	Seven.exe	93
PID 3016 wrote to memory of 5036	3016	Seven.exe	95
PID 3016 wrote to memory of 5036	3016	Seven.exe	95
PID 3016 wrote to memory of 3980	3016	Seven.exe	96
PID 3016 wrote to memory of 3980	3016	Seven.exe	96
PID 3016 wrote to memory of 3112	3016	Seven.exe	97
PID 3016 wrote to memory of 3112	3016	Seven.exe	97
PID 3016 wrote to memory of 1932	3016	Seven.exe	98
PID 3016 wrote to memory of 1932	3016	Seven.exe	98
PID 3016 wrote to memory of 5044	3016	Seven.exe	99
PID 3016 wrote to memory of 5044	3016	Seven.exe	99
PID 3016 wrote to memory of 1588	3016	Seven.exe	100
PID 3016 wrote to memory of 1588	3016	Seven.exe	100
PID 3016 wrote to memory of 548	3016	Seven.exe	101
PID 3016 wrote to memory of 548	3016	Seven.exe	101
PID 3016 wrote to memory of 4428	3016	Seven.exe	102
PID 3016 wrote to memory of 4428	3016	Seven.exe	102
PID 3016 wrote to memory of 5068	3016	Seven.exe	103
PID 3016 wrote to memory of 5068	3016	Seven.exe	103
PID 3016 wrote to memory of 3572	3016	Seven.exe	104
PID 3016 wrote to memory of 3572	3016	Seven.exe	104
PID 3016 wrote to memory of 2120	3016	Seven.exe	105
PID 3016 wrote to memory of 2120	3016	Seven.exe	105
PID 3016 wrote to memory of 3380	3016	Seven.exe	106
PID 3016 wrote to memory of 3380	3016	Seven.exe	106
PID 3016 wrote to memory of 4624	3016	Seven.exe	107
PID 3016 wrote to memory of 4624	3016	Seven.exe	107
PID 3016 wrote to memory of 928	3016	Seven.exe	108
PID 3016 wrote to memory of 928	3016	Seven.exe	108
PID 4624 wrote to memory of 2808	4624	cmd.exe	109
PID 4624 wrote to memory of 2808	4624	cmd.exe	109
PID 3572 wrote to memory of 1428	3572	cmd.exe	110
PID 3572 wrote to memory of 1428	3572	cmd.exe	110
PID 1932 wrote to memory of 1812	1932	cmd.exe	111
PID 1932 wrote to memory of 1812	1932	cmd.exe	111
PID 5044 wrote to memory of 3624	5044	cmd.exe	112
PID 5044 wrote to memory of 3624	5044	cmd.exe	112
PID 2120 wrote to memory of 1964	2120	cmd.exe	113
PID 2120 wrote to memory of 1964	2120	cmd.exe	113
PID 928 wrote to memory of 3968	928	cmd.exe	114
PID 928 wrote to memory of 3968	928	cmd.exe	114
PID 3380 wrote to memory of 1140	3380	cmd.exe	115
PID 3380 wrote to memory of 1140	3380	cmd.exe	115
PID 3968 wrote to memory of 4604	3968	Winhost.exe	127
PID 3968 wrote to memory of 4604	3968	Winhost.exe	127
PID 4604 wrote to memory of 1580	4604	Winhost.exe	129
PID 4604 wrote to memory of 1580	4604	Winhost.exe	129
PID 1580 wrote to memory of 4424	1580	Winhost.exe	132
PID 1580 wrote to memory of 4424	1580	Winhost.exe	132
PID 4424 wrote to memory of 4892	4424	Winhost.exe	134
PID 4424 wrote to memory of 4892	4424	Winhost.exe	134
PID 4892 wrote to memory of 3548	4892	Winhost.exe	136
PID 4892 wrote to memory of 3548	4892	Winhost.exe	136
PID 3548 wrote to memory of 4208	3548	Winhost.exe	138
PID 3548 wrote to memory of 4208	3548	Winhost.exe	138
PID 4208 wrote to memory of 1784	4208	Winhost.exe	140
PID 4208 wrote to memory of 1784	4208	Winhost.exe	140
PID 1784 wrote to memory of 2004	1784	Winhost.exe	142
PID 1784 wrote to memory of 2004	1784	Winhost.exe	142
PID 2004 wrote to memory of 2556	2004	Winhost.exe	145
PID 2004 wrote to memory of 2556	2004	Winhost.exe	145
PID 2556 wrote to memory of 2036	2556	Winhost.exe	147
PID 2556 wrote to memory of 2036	2556	Winhost.exe	147

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Seven.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2808	attrib.exe
1428	attrib.exe
1812	attrib.exe
3624	attrib.exe
1964	attrib.exe
1140	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Seven.exe
"C:\Users\Admin\AppData\Local\Temp\Seven.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5012
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Admin\AppData\Local\Temp\Winhost.exe
  2⤵
  PID:5036
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Windows\System32\Winhost.exe
  2⤵
  - Drops file in System32 directory
  PID:3980
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Public\Documents\Winhost.exe
  2⤵
  PID:3112
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Winhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Winhost.exe
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:1812
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\Winhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\Winhost.exe
    3⤵
    - Views/modifies file attributes
    PID:3624
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Windows\System32\Seven.dll
  2⤵
  - Drops file in System32 directory
  PID:1588
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Users\Public\Documents\Seven.dll
  2⤵
  PID:548
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Windows\System32\Seven.runtimeconfig.json
  2⤵
  - Drops file in System32 directory
  PID:4428
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Users\Public\Documents\Seven.runtimeconfig.json
  2⤵
  PID:5068
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Seven.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Seven.dll
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:1428
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Seven.runtimeconfig.json
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Seven.runtimeconfig.json
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:1964
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\Seven.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\Seven.dll
    3⤵
    - Views/modifies file attributes
    PID:1140
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\Seven.runtimeconfig.json
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\Seven.runtimeconfig.json
    3⤵
    - Views/modifies file attributes
    PID:2808
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C start C:\Users\Admin\AppData\Local\Temp\Winhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
    C:\Users\Admin\AppData\Local\Temp\Winhost.exe
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
      "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops desktop.ini file(s)
      Sets desktop wallpaper using registry
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:4604
    - - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:60
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        40⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        41⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        42⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        43⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        44⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        45⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        46⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        47⤵
        
        PID:4400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        48⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        49⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        50⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        51⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        52⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        53⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        54⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        55⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        56⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        57⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        58⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        59⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        60⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        61⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        62⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        63⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        64⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        65⤵
        
        PID:2432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3744 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:208

C:\Windows\System32\Winhost.exe
C:\Windows\System32\Winhost.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3488
- C:\Windows\System32\Winhost.exe
  "C:\Windows\System32\Winhost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:876
- - C:\Windows\System32\Winhost.exe
    "C:\Windows\System32\Winhost.exe"
    3⤵
    PID:3656
  - - C:\Windows\System32\Winhost.exe
      "C:\Windows\System32\Winhost.exe"
      4⤵
      PID:4056
    - - C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        5⤵
        
        PID:4836
      - C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        6⤵
        
        PID:4452
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        7⤵
        
        PID:4604
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        8⤵
        
        PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{ce768a4c-504b-440a-b79c-5ab95e593c51}\0.1.filtertrie.intermediate.txt.420

Filesize
16B

MD5
e8aaa566651759e399714d464cdfb390

SHA1
373942a3618c8d5ff0ba8aab8e22d4a64e5641ae

SHA256
1a4a61c3ade192d7f35bb5879ba1493ac39369579eaf9f73c72c44a9ecfa3a6a

SHA512
23f835ffc6cfa06b864ee0f945dc844cb88aa1b0ab3cf2d0f8bf616c9a7446a563875ebd04f1b23d86d5a20ccc1a2cacd3e199c228cd73e8652c6f9e34b55ce2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{ce768a4c-504b-440a-b79c-5ab95e593c51}\0.2.filtertrie.intermediate.txt.420

Filesize
16B

MD5
209371fb985ae536f7a01b2cbf06fdeb

SHA1
6e5d735e5a6aef442f3342931eaf47d505763578

SHA256
4cef54ede857b123a2b675fdce8147dbcc1a7c4d471ec5bfd8791f9e2ad9c0b3

SHA512
53203c3447837fc04d0114f282e5b1efaeb1e81a90a9d50bd6384bd44823ab70c37f12aca73a52f803ba61a11ed3d7fd05ea04f79fc969212dce946df89b8bbe

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133534305993432169.txt.420

Filesize
77KB

MD5
db44cb2671c7026f63884176766183d1

SHA1
7851453d3ea5e376b55fd7dbe14cf2cb947e9167

SHA256
d2330fe9ab0056f4e3e1d8c6cf9f496e583852eb79de3baae825f077c8d60d5f

SHA512
e5ea725104677c0898e70d44e742196c9a8f24418712a3d5ee9f8946798c94e141eb57050deefbacfb4813ef5f3b16256414637290149fa93fa65f6625d253fc

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133534306555234051.txt.420

Filesize
64KB

MD5
11ac6741b0cd7bcd3b9db6d37810ac50

SHA1
6d18291d18a9ea517b76b75a6d422314d21826d6

SHA256
2ee2af334d7553d06d93619d903d2041c6a9853fb59d10a9b03c54825794feab

SHA512
e47db917c98276a01fc9cef626cd457e74297ffeb48160cc5072fe760b6f724607c655cea15541d8b3db67126322cb6fbc7c548955bc33f30cc2f087f5414ed3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133534320433840509.txt.420

Filesize
63KB

MD5
cb2b816748fd39bd5bfc656a1be9d6a0

SHA1
62565896f63691f980fec52952e3335ee8b865d1

SHA256
09481df47b3c1bf52da64c8e07b30bc0a6aaa75823d734315a31ba88a67a7c57

SHA512
55e9ea5f30ba88e6adfc5845b86375999d7e9ed906bde0cf3f35b63b537965a13996d2e5578991fd76149bd32cb1393e46bf732e8943b77328d1482898468298

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133534360870189233.txt.420

Filesize
74KB

MD5
d5ae8b1582ada3900b18296f0d470072

SHA1
dc44fb34b4a7c5eecb48a826fb0d6cfc3f53c5a4

SHA256
08fcb2d98af7f93f10d275bfb4337de08820f0cdee8debabc176b64546fae992

SHA512
d1998e174d58122a79eb4ac1edbb9e74b04adf2f979cc6ee5e85e6a87dfbd20908557932eb352c4487392d89c84e23edf1db8e9df44d66bd032a6106ceabc119

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
163B

MD5
36972a12b9956e7072f4c51c8eb872a1

SHA1
d38f599dd07228c29cf87518d674218a29f6290b

SHA256
b2e6b6e8dfd3fcae71dde5e1baf8768b8343cac90e4c74ec800494d669de851b

SHA512
b55891d7ccbfe363fee1e555f67b70ed9171d6cbb3246108c53d565e29b0a4a3f07a12af14f3e272d760863d5e637face73ae098780a5083e7ee16cb3c1b2027

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
80B

MD5
8343c9a0130b60aff06d3a683b135541

SHA1
9fd4feb22a3ff26b3d9653152529c1afc253e965

SHA256
4b82f29eb7d844b139a60523be4cfe12932cceb994df42e096ed68afd895999c

SHA512
175d882475ff4a193f0b5a357c20f271fd91c077a378b7c0fd1bb84f008eab42a69706747078b5fb4f425d3ee6e1588e8b405587058580f64cde14c9e093a980

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
80B

MD5
3933280b04a39f438b80984fbfbe1d61

SHA1
709aceba995e78574fde3443ba31307d70397aa2

SHA256
53fe299e84ac11dc24879acb09f48a451ca4fc47193840d07d32ca8d162eeb65

SHA512
debabe4b83d96e089292022673341da106615e58368036669e9f91858fa00c966fba903d3ba7937fd8c0bcb7f088b991f8b6771b9bbb01366341fae562d84a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
80B

MD5
46933d7204d5b3677d06f883376402da

SHA1
e7d3761f8ad1fc04dbfb799c1646d0f0eb2c0775

SHA256
0e520fc7b2e0b3faa2380a681147da36a889d18e22a962418d49db27fd40c18a

SHA512
e98cbe590449e0f48a13f9ec63e471ac6129a49659046169b8ba2fad84529a6d53a970ae83a8732d96f14f1f4bcca1d69aea7b157f809bbc3d5bffac831f6e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
80B

MD5
e16cbfbb89a47ef200f18aa3d9d653a4

SHA1
fc1eaa89b5257365724cf7b7493582cc489e160a

SHA256
04b566b4ae6faf699662d4fc73ba5754101368059addba8fe9a828ce2a0e94b6

SHA512
fca2093e2515e20e211a53e5c420c81803e0726642061fceec053e585bb72a76e2f787d092fb935d6e35d2b854dd09dba4a6be13a7682c643c47d92ea57578b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
80B

MD5
1ec1f56b0090e1551d446386605cd557

SHA1
7c8b43b694568bf7ea2575a96b5f1df8bd0206b8

SHA256
a8e2fa4c149cceb5811ea0afeb3db186a31b4eb06837b4733b95393702bfa7b8

SHA512
3de77b21cc927f33e84df2934c84e705576293885bb062d1f6d5003bdb76e0eb93ab7051e79a33f7a4295de98a848d22b3ae0ea403681c4fe2bdde42c97f2358

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
80B

MD5
d7a6385b3fea6d3005dbf5703da2a56a

SHA1
8b9e1491438bcf0cf7402dbc60c64966335fbefa

SHA256
66d913a0a89e48e121e492a764a1af67b05f0a8b21b6028c23ee9da0825e326a

SHA512
98047a50bdd02631a2bdcf41fa4271182b5cb4307f37e8f9b06c3ffb26359b84ac35f8f3ae75e2a2b92b11a6d3154fccb1275468e9d56a0cf728412d63f7ae94

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
80B

MD5
3e7d72dfc74de63f03cad2d6c2e783ca

SHA1
650fc346c4368a60b4d2aba6012bd120790ef1a5

SHA256
77d9a8f576dd43aa53915f6bc54c6d14a127ca19ed3cc7a4ae0bca0df673b5db

SHA512
26b64fab4df2845b8bda860489e48167eac2314643a3147851a6f983158b89946ece5e86295b21e44e02ce31922bd67a3ece871611e3274c97cc35d2b7265f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
80B

MD5
4bc033d4a88913e1bacbcbd35aed8173

SHA1
a3fac337c38bbbe7bdb78934f548bf61d2757447

SHA256
dd56e22aecbdfb1e80c0f6fc2baa5eb73aa717d43d7e9eb7dd43fb19c83ef548

SHA512
6ea10633ec7e148268d2eb0afc11c98cb0cd3d9ce112912e05a09c63e450800d29cbe4184d4ba8c2060f7fa4878ad7a15e5e81d83c1d9ce0e4b2e3672a58d82c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
80B

MD5
3bcca4b0e5d735ce2af3e122fcc5c50a

SHA1
16ff8d442552ccd710e377742f7ce832b00a4aae

SHA256
0cfcee1064952d6521a2a518be76f61c8e9af59e462bbabd4404e94fc1bcac18

SHA512
a58a5d19c443dfd2f9e04faacc4fc30fe2bd1ed9021132bdd53cec64a0f6f6541c5ec767db6e30953fd7063b51c90347b2d0a4f39531595ee0c950eee5614118

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
80B

MD5
7dc180cd924a515f8f9992ed5eac765c

SHA1
63805118cc29adeedcc57832c95358089a76cc15

SHA256
af7c4e565f6a170b20bdfe61fa2c989d2b0afa804cce9067b8216cd8b8c12697

SHA512
cf34107e30daa226f3768abfd790274739a5d6c73a5b95e1fc9d3c7304ca71cd52c08f1173d7ba5bc84a3dbeece095f5fe4eb1304dc9f0ab78c1e0c2aea7be91

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
80B

MD5
085791e7c2790931f9eb6a807b0273b2

SHA1
de55473fe7409f7de8ae48204494b89d4625bd7d

SHA256
faa4b29accdce3aeef6e9248ba641b54ed3e75cd3e21cb27d336309808ee889d

SHA512
df532053aa0ad9c881681f35650086e59affbeee37fcd4b3e586f39b5a6dfeae758831b1e536e44bebd72d3791f70f2cb0b228dd730cf56f4dbb4e1da0a22f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
80B

MD5
6d92199f4849d818b067884aa71041c9

SHA1
cb9c7137a35ce329949d62bad594a3c52ee0383c

SHA256
f6bac9b1abf1857be1301cda4a25ec6cec7e3a0e125e1eede129e1fbd89f3a8f

SHA512
470c3d5ca92ef1193c7f08957542a010c9d697c2bcb1bb74c08e530acc82752550e9996f7fffcf6f1417a610651727282e36621a023259de2741bd6c3b419002

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
80B

MD5
ebf8659d79b37282e2a05fe50e9a1891

SHA1
d838bc0f9d1a1cabc5709b3326b66ea628ab18b4

SHA256
a1a4e01370f112988961f1f74303a94da54f71e6e062f274698989d1b02b3e61

SHA512
ab79722a02f1362cba5a51bbf39c019daab8af54c759a1c20d10e2122e216f949a45d36344c9133e731484dcd37a64d4e2a46c3cf7f4eb9bd8d8164178c33d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
80B

MD5
dbda3899449081ce4d8adf99bbbf9528

SHA1
7efa7159f3f91ed8a75908a55f1a1447714127cd

SHA256
8c4a30a693f3443920655ee64088d5e91cb09106f81ba88d6aa6d05bc91b1f2d

SHA512
0d85e0846814f73abed3994af17d9b9dabd9d65e6b900843a4c9de1665362ef041882ac797e9c7ce1ab580b1611bab1e866a57bb843298837e2657605fdca4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
80B

MD5
6199bef28bcc7646b343d6963b683560

SHA1
9753bcb67627d3ec504cc0249e2acf32439d7fab

SHA256
205efbe982b721ffffaac0ef9785efbbabb8d05b317b7cf23db27f88ce58072a

SHA512
09f166d7a9686504af398e7074fbcfade095f35ec4893ea1c836041e095fe44e422b198c6c3a0f404bf8d3e898f40c596702aa74e5ef9099b12cb617b7f75d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
80B

MD5
f1b8e9d239ba282cc4ecd159ba37db58

SHA1
c633e2755f338d4b6a1c29ee6efa455cc6b41e69

SHA256
6cb839788c2efc69908dacc98ed9442fcca5216b690907a99524543882cf18b6

SHA512
31afd47a8d7777a5cc4acdfc1ac43c3c5bbcbf71a45a13fcb3a77a534e2c55ccf4a63b27e65dde873a3cbe9fb8d9e871d214fd4244804fad3adf7e6117ed3ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
80B

MD5
73d8d688f941a4780a2de5e64989aaa1

SHA1
52a6b0e25255c72c1832a81377868860632c7a56

SHA256
1faec9589c60aa8e68a47a2e1f592f492e86d2d6fec20b51d5805ac9bba44cae

SHA512
59e5ab4a4334775d97e7fdf6a0521693a6993fa4f3814bf436c08e2918cea70f8a4d3d883792dcb0c119f877c2e3d6f7ad02b550e66fa57dfcb8ecb9f1177c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
80B

MD5
ccdb944768f01b459cede364c07a9abf

SHA1
ca469c2fe9a137def84ff562b61a5aaed013a743

SHA256
4851f3b431a3ab69c2000e2e291a60efa0cf072f69d0f62cbdfd8399319f061d

SHA512
33e157cdae50d456b2694cce8df4deb5b978340a09eed3eb2f3192dde910faf10fd3f2059e94fc9194b6e5850bf770e4d2e54fe5181abc9292694698a2ece071

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
9b94d876a150a5e2e6d9d87a1484c21f

SHA1
ff5e82b3f81592d31c21f5409e1d95ea9036948d

SHA256
f06283d3c9aa849d4b05e525477de738f56db7a1499f473ccb383c73b9df0f12

SHA512
789e8781ec5a60c5ee00fb1b2300928b20186792611d5646f92ea5f25f0bce02d90baf8e949927983bf8d9a65a88c65e7595ec7a7686b16ff8f82994cf36992a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
6435aaf56f2da0eec46a9d5f32a32d08

SHA1
549f29cee9107fb67164d2332a4b1406a2070cae

SHA256
0a8d0374dd11db30323aee14685f0dbf9c550143de1d805e2d6e83ab5aa0a130

SHA512
b034fc4b76264d9a4eb0c8f45e5efdd4ec181adc92c9f724a2c764d91bdd6d588af94d18219cb0d5e9b963c960961ecfde4f98fb8615ed0298f9044689ac870f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
970bc9f021e66351aa0008f2678d8f54

SHA1
cc952cd90a9fc34fc447e846c37871166abe7439

SHA256
76e0a28d714c4b187c5270ce7a7413074e17d64021f7c8ddd0a236d8b3135234

SHA512
5b7518801fc514283ead3ead8404addeae495ea4338dc6b4483dfb15eadbb40e38c14f7641ff3e450861f9c7874e55b47a01f2fc2c01c9601cd50b20c39700da

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
6c26bc496e50701b67fb0ee669e02789

SHA1
9949c56a86e2324110178768019045dee9fb73dd

SHA256
e6d5009f52f3eaf7ebf90fe55421f0ac286450104127290b06f5eb28ab4117b4

SHA512
33a743f69c8c7f3e4db340134a355a57a741ecb648f08d7234b1688f1f1aab360ef3255deef7ae9dca27bb54607cae6941ba3bc4ad470360919517859cc17eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
d0ef13e55de3c7e4f62b397e00efb012

SHA1
e8ac1f6deebcda947d9843447660c140ee1a9dc6

SHA256
97b65dbbeeeb06f517f77f3119dc336edb1f5a4bac3e9501d9886d23c1299bb6

SHA512
9d6856e35aa2edf19ca430657bf12920a13bba6b8291341849084da310768de6cd3ddc51b07a2e52643c4df86ff097d1ac09b97b5de1a7d44f86b5929cfe9fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
6444354fad40000d31f87c83b7f980d4

SHA1
3bc5f5781c514f8bcfe08756b7a520db0e37f2ba

SHA256
7722e8ee76a91ecb8290ad3e0f9203abbb45b99e68bd6045c5f4b6fb7bd39052

SHA512
88b95f128ea69820693aa1714336048c0a239c82285a1e21c1060f094bdb06f986a35966b3b9977721df0f834d7a4eedb9d2725b2d85b4e7252c1d4fd4cc5076

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
3ab257b64ebe2620dbdb569fcf4e3e41

SHA1
d15ee1fac79d7e2c555c8965a1951b9937fe386b

SHA256
70a7d6c3c100b6d42e7319659e53f177679fec73a3706674d75a6b88b4b70d69

SHA512
b5d9ce8d159d10f784fdc62f8672f8b1588a74a2e68dff7522be31185af2b12cb9ea19209e964770cf399284fa1f127d798630ad12d48cf45810e3f83949520d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
d89d658ef560a620212cb51e10792dd8

SHA1
1c1045a2a71893c77c24b68ca5e0cfd2848c17a3

SHA256
5265fd6786e2bcecafae512d2eb22f211e63e44849dcc35a96309a05dae50d35

SHA512
50efe859e0773fe8eb8d3b494c6b51444c12e1642eedd323ba0a7cae6d4d8f2060a685ab5065eac97244cc485016dc083650a2e2b491fad39d54e5bf2b45fc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
86bb3b0b70000ff061fe1e5a98bfe117

SHA1
778ca037089a4788faa126735ef4e4190b38dcd2

SHA256
4cac45e6c871f0c57896a7a1aafde0aace65941af5414c9e35b7ee7325d81634

SHA512
a009ce6fc31a47bbe3c4156e8c8edc057b99de2f22fc07193fa8c92eeb10f94115f28109ca181b63b8eb70145b2cbdd18b64b2d04c65946d95ff17d42a75ac1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
a45d7864dea1a99985b54fab4eae71f5

SHA1
6ac49fd0925e58df581c27249f2f4261a5a41469

SHA256
7f5b5e73610c51b6d2a53dbd38c2042ea212bacae8c133cadba068d80055e111

SHA512
238cfdae64110d6a2e3347094a4cc4997262ef01f2fe3639ab2d1ed434c71e5eb8bb134f39a92d8d425ff10b3e07cf5f2e79d9f858a19d9c6e587cb75e2be619

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
59d5e4fb9851a3c38baa964548366dfb

SHA1
5d38e906ec411ae6d9c105570857f50fcc085ede

SHA256
257bdc48be980dd78bf67cc836503be21155bad2a1f5913857dc5658f8e480e6

SHA512
2ab0850909af489051e844a81472b09dedfc9975ba158973febd7876b4067a259de8f1d60f9c3c25a3901b5c28df88809d60044c1bb10f357a1c2e07be84c293

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
16eb7d8e14df067b5a7d7a920d2ab5ed

SHA1
35a12881f4eb5e4f82f60837bb0f10ba636adbfa

SHA256
cab99ba4c4bd0cbef74e40cc22d6ff5f3fa6ef45143a313399f6dd16b9b43aa5

SHA512
b7cc016f045297fd64ad791fd061b4ab7c52c1966c9b7b95ea16173ddb652914482d93b0d5aa0101f39643dacdb18d400c0b76f4c536b1dd988de823b6d3ee60

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
3053f3969bd13e4572709ad4a9ee2b85

SHA1
ee541963fa986add9822d6d68e4b7306339c4dde

SHA256
5794107fec9efd9b6f0fbc4c08fe3403472fae97177bf823fd01f1548d43f49d

SHA512
a899f23f65f25ae57b83a4f80f82df2acba23dc0c5e7b185c7c5751cf252f52313469557ff7ddd52d9c423784e7c75537ea347660e51f482466d05774c4de464

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
2e7034c0711397bb182cef3207655745

SHA1
2d26c01ff03a0b87ffa1287984b6a3e1551e8aeb

SHA256
afcacd2f9dd7939e00965dd4f2089935c630c3771269c027416ae23b906b1dc3

SHA512
2b1d45afe408f1d3334345c985dd422af59ba6a7617dfa3bf8da136ca43d5efee344b225cbb96365840790f994b8d1a90166dbfc04598be6358a82cd49f91f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
8846cba45515389134e9a5d2446b588b

SHA1
3661b3688d979b1211473ca1c5fd363eeb899399

SHA256
5969a8fa59b9b2314b8e1a42ca84d87fd2db38b68a10b8c880029614f2c85daa

SHA512
10792b9cef6efe3a459f895b0267da417f055398196068e279f08f1e7b8232b981ded95e4af2124da2591f76dea457325f453faa0945c1743f85d7ef9d2dd9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
3b669d88d45d200440588d51997a4ce5

SHA1
c898d2c8bfbb8fa6384216005136e67bfc9fdee7

SHA256
7c7421d7586b5281a6bdb6be4fbdf5f94033441f46fa7f0135831b5d0f0c5321

SHA512
356ae9ac314122862a9da09e6bfdf95c9ef44f25fae54d90486a32b77513120690d15a217ee8c2e12aaed11f85f93ef9dd81ceb8171aa9ec23a320d715c70bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
8c4b4c905b546c12be29e8e0203cfe77

SHA1
6573ecb63ac7fdba823c06a06601bf88d79efbac

SHA256
a4ade87f9adc4b10acead28a3afffbb232812d4d7e1cb8ba9f9126080ab54e41

SHA512
73f69db7ee11354198eed3363fdaa92051dc0d33b03618f5844eba51e60cab16d42e85e963e9ef239e7e4291c1e43de9a1a11fe3015154e7f3fc1bfc6dc09add

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
2d6ad82728c457845d85bbd78d536c9d

SHA1
fe46463f1f2acf29eac3898ec9e0d7a7f382e6c5

SHA256
4784c5cc453a08c22102ab6d21d7eae846b70f571297bb56780828eff2c4453f

SHA512
fbd1e291eebf8624b497696a3c11830ee08e434f803b0164d6a32223dfcdbf2dd4f9649c67f6f6ae7f29f24bfeae2f24a9e527732d055b14ec2482aa55fc5719

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_boll1xxu.dmn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4q4gfr.tmp

Filesize
187KB

MD5
893b1b77cb2fab0d42b0ce43d30a1d67

SHA1
3b18999fbd622e364f9f1de33ae5a120ad1df3fb

SHA256
a8b9c649d5d7217bd3249433a9d67162bcc9c1cf4b7a71dffa2fe773c4307d07

SHA512
073a99535e8aa3cec853ada0f8f14ffb4fe9d7d9175b77f3db569471953c8afbec58a57d3ee613959e188d337fedb4cc7ec2310977da8210eea1dab1658ea6c9

Download Submit
C:\Users\Public\Documents\Winhost.exe

Filesize
139KB

MD5
350273e0d2e8a9ba5e37b791016112a0

SHA1
5bfb616dd46f67d1dcbbff55ca5917ffc1ec8b71

SHA256
27297bf8139bea755e9297e7e1489d827d1ee09a8e1d94a3ef96a2edb2de61ba

SHA512
b1e768524b4e840bd5f4163205122dd1725583245d8bfd5cbd89eb21a5fb9d33aff1b7b0ca42132b7dae469e025068ae663b3b02ad59927a558dc340141ec91b

Download Submit
C:\Windows\System32\Seven.dll

Filesize
1.3MB

MD5
c911e21fe70e167d8f9bee1703415553

SHA1
c892220ff96d2d5816a3c3e6a0247620450fa7ed

SHA256
03a644a944153208259729776d6a0b32cd9016d8a8087757430c6c8f32865af5

SHA512
784790551beccdf1db88ddcb7e7bd59a6d796742f753e69e4125698a09f60f0af64918a3746f714aa9f506ab276a50bdbe492e458481f2c9d7925dfea57dfbd7

Download Submit
C:\Windows\System32\Seven.runtimeconfig.json

Filesize
340B

MD5
253333997e82f7d44ea8072dfae6db39

SHA1
03b9744e89327431a619505a7c72fd497783d884

SHA256
28329cf08f6505e73806b17558b187c02f0c1c516fe47ebfb7a013d082aaa306

SHA512
56d99039e0fb6305588e9f87361e7e0d5051507bf321ba36619c4d29741f35c27c62f025a52523c9e1c7287aabf1533444330a8cdf840fa5af0fa2241fcb4fc2

Download Submit
memory/5012-1-0x00000162FDEA0000-0x00000162FDEC2000-memory.dmp

Filesize
136KB

Download
memory/5012-11-0x00007FFCE5D50000-0x00007FFCE6811000-memory.dmp

Filesize
10.8MB

Download
memory/5012-12-0x00000162FDEE0000-0x00000162FDEF0000-memory.dmp

Filesize
64KB

Download
memory/5012-13-0x00000162FDEE0000-0x00000162FDEF0000-memory.dmp

Filesize
64KB

Download
memory/5012-14-0x00000162FDEE0000-0x00000162FDEF0000-memory.dmp

Filesize
64KB

Download
memory/5012-17-0x00007FFCE5D50000-0x00007FFCE6811000-memory.dmp

Filesize
10.8MB

Download