Analysis Overview
SHA256
cde859e5bd97108d73250f81322ba53b5ac27464a369ea5e2f99affbb8b4cd8a
Threat Level: Known bad
The file Telegold Patch.exe was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
DcRat
Modifies WinLogon for persistence
DCRat payload
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Drops file in Program Files directory
Drops file in Windows directory
Detects Pyinstaller
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-19 09:52
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 09:52
Reported
2024-06-19 09:55
Platform
win7-20240611-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2056 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe | C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe |
| PID 2056 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe | C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe |
| PID 2056 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe | C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe
"C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe"
C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe
"C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI20562\python39.dll
| MD5 | 5cd203d356a77646856341a0c9135fc6 |
| SHA1 | a1f4ac5cc2f5ecb075b3d0129e620784814a48f7 |
| SHA256 | a56afcf5f3a72769c77c3bc43c9b84197180a8b3380b6258073223bfd72ed47a |
| SHA512 | 390008d57fa711d7c88b77937bf16fdb230e7c1e7182faea6d7c206e9f65ced6f2e835f9da9befb941e80624abe45875602e0e7ad485d9a009d2450a2a0e0f1f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 09:52
Reported
2024-06-19 09:57
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
202s
Command Line
Signatures
DcRat
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\", \"C:\\hypercommon\\csrss.exe\", \"C:\\hypercommon\\lsass.exe\", \"C:\\Users\\Default\\PrintHood\\wininit.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\", \"C:\\hypercommon\\csrss.exe\", \"C:\\hypercommon\\lsass.exe\", \"C:\\Users\\Default\\PrintHood\\wininit.exe\", \"C:\\hypercommon\\wininit.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\", \"C:\\hypercommon\\csrss.exe\", \"C:\\hypercommon\\lsass.exe\", \"C:\\Users\\Default\\PrintHood\\wininit.exe\", \"C:\\hypercommon\\wininit.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\", \"C:\\hypercommon\\csrss.exe\", \"C:\\hypercommon\\lsass.exe\", \"C:\\Users\\Default\\PrintHood\\wininit.exe\", \"C:\\hypercommon\\wininit.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Public\\Downloads\\OfficeClickToRun.exe\", \"C:\\Windows\\appcompat\\appraiser\\Telemetry\\SppExtComObj.exe\", \"C:\\hypercommon\\spoolsv.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\", \"C:\\hypercommon\\csrss.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\", \"C:\\hypercommon\\csrss.exe\", \"C:\\hypercommon\\lsass.exe\", \"C:\\Users\\Default\\PrintHood\\wininit.exe\", \"C:\\hypercommon\\wininit.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Public\\Downloads\\OfficeClickToRun.exe\", \"C:\\Windows\\appcompat\\appraiser\\Telemetry\\SppExtComObj.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\", \"C:\\hypercommon\\csrss.exe\", \"C:\\hypercommon\\lsass.exe\", \"C:\\Users\\Default\\PrintHood\\wininit.exe\", \"C:\\hypercommon\\wininit.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Public\\Downloads\\OfficeClickToRun.exe\", \"C:\\Windows\\appcompat\\appraiser\\Telemetry\\SppExtComObj.exe\", \"C:\\hypercommon\\spoolsv.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\RuntimeBroker.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\", \"C:\\hypercommon\\csrss.exe\", \"C:\\hypercommon\\lsass.exe\", \"C:\\Users\\Default\\PrintHood\\wininit.exe\", \"C:\\hypercommon\\wininit.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Public\\Downloads\\OfficeClickToRun.exe\", \"C:\\Windows\\appcompat\\appraiser\\Telemetry\\SppExtComObj.exe\", \"C:\\hypercommon\\spoolsv.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\Providerhost.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\", \"C:\\hypercommon\\csrss.exe\", \"C:\\hypercommon\\lsass.exe\", \"C:\\Users\\Default\\PrintHood\\wininit.exe\", \"C:\\hypercommon\\wininit.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\", \"C:\\hypercommon\\csrss.exe\", \"C:\\hypercommon\\lsass.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\", \"C:\\hypercommon\\csrss.exe\", \"C:\\hypercommon\\lsass.exe\", \"C:\\Users\\Default\\PrintHood\\wininit.exe\", \"C:\\hypercommon\\wininit.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Public\\Downloads\\OfficeClickToRun.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\", \"C:\\hypercommon\\csrss.exe\", \"C:\\hypercommon\\lsass.exe\", \"C:\\Users\\Default\\PrintHood\\wininit.exe\", \"C:\\hypercommon\\wininit.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Public\\Downloads\\OfficeClickToRun.exe\", \"C:\\Windows\\appcompat\\appraiser\\Telemetry\\SppExtComObj.exe\", \"C:\\hypercommon\\spoolsv.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\Providerhost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\", \"C:\\hypercommon\\csrss.exe\", \"C:\\hypercommon\\lsass.exe\", \"C:\\Users\\Default\\PrintHood\\wininit.exe\", \"C:\\hypercommon\\wininit.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\fontdrvhost.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\maeim.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\hypercommon\Providerhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\maeim.exe | N/A |
| N/A | N/A | C:\hypercommon\Providerhost.exe | N/A |
| N/A | N/A | C:\Windows\appcompat\appraiser\Telemetry\SppExtComObj.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\Public\\Downloads\\OfficeClickToRun.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\hypercommon\\spoolsv.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default\\PrintHood\\wininit.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default\\PrintHood\\wininit.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\hypercommon\\wininit.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Internet Explorer\\en-US\\fontdrvhost.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\appcompat\\appraiser\\Telemetry\\SppExtComObj.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\hypercommon\\csrss.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Portable Devices\\cmd.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\hypercommon\\lsass.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\hypercommon\\wininit.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Defender\\es-ES\\RuntimeBroker.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Providerhost = "\"C:\\Recovery\\WindowsRE\\Providerhost.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Defender\\es-ES\\RuntimeBroker.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Portable Devices\\cmd.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Internet Explorer\\en-US\\fontdrvhost.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\Public\\Downloads\\OfficeClickToRun.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\appcompat\\appraiser\\Telemetry\\SppExtComObj.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\hypercommon\\spoolsv.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Providerhost = "\"C:\\Recovery\\WindowsRE\\Providerhost.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\hypercommon\\csrss.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\hypercommon\\lsass.exe\"" | C:\hypercommon\Providerhost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhostw.exe | C:\hypercommon\Providerhost.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\ea9f0e6c9e2dcd | C:\hypercommon\Providerhost.exe | N/A |
| File created | C:\Program Files\Internet Explorer\en-US\5b884080fd4f94 | C:\hypercommon\Providerhost.exe | N/A |
| File created | C:\Program Files\Windows Defender\es-ES\RuntimeBroker.exe | C:\hypercommon\Providerhost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhostw.exe | C:\hypercommon\Providerhost.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\cmd.exe | C:\hypercommon\Providerhost.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\ebf1f9fa8afd6d | C:\hypercommon\Providerhost.exe | N/A |
| File created | C:\Program Files\Internet Explorer\en-US\fontdrvhost.exe | C:\hypercommon\Providerhost.exe | N/A |
| File created | C:\Program Files\Windows Defender\es-ES\9e8d7a4ca61bd9 | C:\hypercommon\Providerhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\appcompat\appraiser\Telemetry\SppExtComObj.exe | C:\hypercommon\Providerhost.exe | N/A |
| File created | C:\Windows\appcompat\appraiser\Telemetry\e1ef82546f0b02 | C:\hypercommon\Providerhost.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | C:\hypercommon\Providerhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | C:\maeim.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\hypercommon\Providerhost.exe | N/A |
| N/A | N/A | C:\hypercommon\Providerhost.exe | N/A |
| N/A | N/A | C:\hypercommon\Providerhost.exe | N/A |
| N/A | N/A | C:\Windows\appcompat\appraiser\Telemetry\SppExtComObj.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\hypercommon\Providerhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\appcompat\appraiser\Telemetry\SppExtComObj.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe
"C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe"
C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe
"C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\\maeim.exe
C:\maeim.exe
C:\\maeim.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hypercommon\UMAnfH3ti4CBNtJLBUGw.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hypercommon\NNV9hmidRTdTt57.bat" "
C:\hypercommon\Providerhost.exe
"C:\hypercommon\Providerhost.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhostw.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\hypercommon\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\hypercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\hypercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\hypercommon\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\hypercommon\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\hypercommon\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\PrintHood\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\PrintHood\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\hypercommon\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\hypercommon\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\hypercommon\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\en-US\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Downloads\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Public\Downloads\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Windows\appcompat\appraiser\Telemetry\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\appcompat\appraiser\Telemetry\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\appcompat\appraiser\Telemetry\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\hypercommon\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\hypercommon\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\hypercommon\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\es-ES\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ProviderhostP" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Providerhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Providerhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Providerhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ProviderhostP" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Providerhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7yoMSbkWHX.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\appcompat\appraiser\Telemetry\SppExtComObj.exe
"C:\Windows\appcompat\appraiser\Telemetry\SppExtComObj.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| BE | 88.221.83.227:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 227.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cb89285.tmweb.ru | udp |
| RU | 5.23.50.26:80 | cb89285.tmweb.ru | tcp |
| US | 8.8.8.8:53 | vh332.timeweb.ru | udp |
| RU | 5.23.50.26:443 | vh332.timeweb.ru | tcp |
| US | 8.8.8.8:53 | 26.50.23.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.80.50.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI46562\python39.dll
| MD5 | 5cd203d356a77646856341a0c9135fc6 |
| SHA1 | a1f4ac5cc2f5ecb075b3d0129e620784814a48f7 |
| SHA256 | a56afcf5f3a72769c77c3bc43c9b84197180a8b3380b6258073223bfd72ed47a |
| SHA512 | 390008d57fa711d7c88b77937bf16fdb230e7c1e7182faea6d7c206e9f65ced6f2e835f9da9befb941e80624abe45875602e0e7ad485d9a009d2450a2a0e0f1f |
C:\Users\Admin\AppData\Local\Temp\_MEI46562\VCRUNTIME140.dll
| MD5 | 4a365ffdbde27954e768358f4a4ce82e |
| SHA1 | a1b31102eee1d2a4ed1290da2038b7b9f6a104a3 |
| SHA256 | 6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c |
| SHA512 | 54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722 |
C:\Users\Admin\AppData\Local\Temp\_MEI46562\base_library.zip
| MD5 | 0c91d55b32b79db23559e4d0da3507da |
| SHA1 | 5ff421ee955dbfb00e07cedb1e37acc46e0c7e82 |
| SHA256 | ce2b8fa01c465909e1ac3a27c7e0aebfaa8656f3ebb266a998e02d2c444991cb |
| SHA512 | d0d11ffc65898f738ee891245177a03d7fb7b2501cec08d6d3edb8b2636c321422c8fab1f9263f608923713fe344b479e832d704ffccf9e9fb1686fb07dae940 |
C:\Users\Admin\AppData\Local\Temp\_MEI46562\_bz2.pyd
| MD5 | e91b4f8e1592da26bacaceb542a220a8 |
| SHA1 | 5459d4c2147fa6db75211c3ec6166b869738bd38 |
| SHA256 | 20895fa331712701ebfdbb9ab87e394309e910f1d782929fd65b59ed76d9c90f |
| SHA512 | cb797fa758c65358e5b0fef739181f6b39e0629758a6f8d5c4bd7dc6422001769a19df0c746724fb2567a58708b18bbd098327bfbdf3378426049b113eb848e9 |
C:\Users\Admin\AppData\Local\Temp\_MEI46562\_lzma.pyd
| MD5 | 493c33ddf375b394b648c4283b326481 |
| SHA1 | 59c87ee582ba550f064429cb26ad79622c594f08 |
| SHA256 | 6384ded31408788d35a89dc3f7705ea2928f6bbdeb8b627f0d1b2d7b1ea13e16 |
| SHA512 | a4a83f04c7fc321796ce6a932d572dca1ad6ecefd31002320aeaa2453701ed49ef9f0d9ba91c969737565a6512b94fbb0311aee53d355345a03e98f43e6f98b2 |
C:\Users\Admin\AppData\Local\Temp\_MEI46562\resourses.zip
| MD5 | 45d73734651395bdbfd6c2736dff7367 |
| SHA1 | 50393907446db059d2f5aaf88bc63f635824f7bb |
| SHA256 | 99c3dd42cc18918061a74a39df8bcfba1bf030b906c1e24b00b96ffa06b9c223 |
| SHA512 | c33983bef954fd62171cd0ac1cd965a4628eb6f1bd1cfa74d25e904b0d1edbe8f6d83ec41d85c34105cac616560c57bd912b90c805e65d4de4647877d79a97e3 |
C:\maeim.exe
| MD5 | 16acf1b93833e037e2030bce0493092e |
| SHA1 | ebf65f1ee50ec0b4e4427c18d3a8fe81c0737030 |
| SHA256 | 5c770c3f813366523f26e4531e685ab544716a86662c5af1d704340913ec1a6c |
| SHA512 | 50da0736524723d744e8b36d88929868c7a7b668dfeeca1fd6dacbb46c7ce4200e3e06d786fd989b33ddf7b7fd01e7f8220d14f129ba2c504b5e876c3012ceb1 |
C:\hypercommon\UMAnfH3ti4CBNtJLBUGw.vbe
| MD5 | ded95a68dfd80882a5cd56a7e4077eff |
| SHA1 | e9b766a23514f35abed066a91da6f0f7873aebd4 |
| SHA256 | 3061e2379470b9704e762eed8ab871c0a07d2a61fa986689bb44180710561599 |
| SHA512 | 3f8d2d916ce639449fb4f77dc0a37e9b5b7c5fc1abf88acc859aae3eb2c60c1a15f7fd8484a24b2d0e9feb1357282571d80a83e14997b6e0974fadafb3a6e2a0 |
C:\hypercommon\NNV9hmidRTdTt57.bat
| MD5 | da93b79620172e12ea588a05d8c2f41f |
| SHA1 | 264efd76c18f8180047854840389a1d2019e2476 |
| SHA256 | 39ae6fba8ec734f750fc9b7362eff48158c6e14e87f873b349dcb95d6a1efeeb |
| SHA512 | d1b5a84de2b9c3c01f592bbb832f27e8aac8c4a2aafee4c5b872de0776aeea76d1b8e30e583f3d25ed16a9315e73b3446128a98028e763d661a7603406b0349f |
C:\hypercommon\Providerhost.exe
| MD5 | 8ad56bbbbb918e4f2090ee62036ea1af |
| SHA1 | b143b1f99a66997d07a15fb438f815a846a87d05 |
| SHA256 | 71d7d6776f02c7f990a1d257276556179c883ced08e43f8278c447d81b807050 |
| SHA512 | 1d6004c0608b85d8e465e2a3791a0b1950ce3ca7d31ace9c34c4dceef1ef951d6fb1c2a4a02610d7c652fc3537e7fccd08572e65dc87e6b777c4333ccc40a1e3 |
memory/2340-48-0x00000000002E0000-0x000000000041E000-memory.dmp
memory/2340-49-0x0000000000C40000-0x0000000000C5C000-memory.dmp
memory/2340-50-0x000000001B5D0000-0x000000001B620000-memory.dmp
memory/2340-51-0x000000001AFF0000-0x000000001B006000-memory.dmp
memory/2340-52-0x000000001B010000-0x000000001B022000-memory.dmp
memory/2340-53-0x000000001BC70000-0x000000001C198000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7yoMSbkWHX.bat
| MD5 | 4e5684535aa2b80af5eea197ecd59380 |
| SHA1 | 7dfb1881316a016579d18af9190400af04a4cab9 |
| SHA256 | be09695e281333db9020a436cb9baee675e1f9287950fdbfdc8d8de4a5da7d47 |
| SHA512 | 1819ec2eea6f5a900a4f13fe890a2368288430bd16c124b23e469a23bd857175466b2707014130b61747c848044aface00cc99b4dd414890c2df5b7faf205d19 |
memory/1500-91-0x0000000003130000-0x0000000003142000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-19 09:52
Reported
2024-06-19 09:55
Platform
win7-20240221-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pyc | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pyc\ = "pyc_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2964 wrote to memory of 2516 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2964 wrote to memory of 2516 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2964 wrote to memory of 2516 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2516 wrote to memory of 2448 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2516 wrote to memory of 2448 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2516 wrote to memory of 2448 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2516 wrote to memory of 2448 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\main.pyc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\main.pyc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 0f26144265d34c5bda7f6bb7ce621f38 |
| SHA1 | 68eca362dd931b2ac9da8dcecfae90e9c63611a0 |
| SHA256 | 31552448a2530039fbfb6ddd36461c521bdb46e9a3621d0a3d37b3adaff0ac6b |
| SHA512 | 0d9bfc133edafd90bebe1fafc28113118d8ec537beedbdd714d1c14d973a7f31244865ec48fa9f7e6a979aa58f5a69cde6e022b2adde44f048a8cf38bbcbdeb1 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-19 09:52
Reported
2024-06-19 09:55
Platform
win10v2004-20240508-en
Max time kernel
102s
Max time network
102s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp |