Analysis Overview
SHA256
dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6
Threat Level: Known bad
The file 509c110ee54d73c3398140a5eb78c45a.bin was found to be: Known bad.
Malicious Activity Summary
Modifies security service
RedLine
RedLine payload
Stops running service(s)
Creates new service(s)
Drops file in Drivers directory
Sets service image path in registry
Command and Scripting Interpreter: PowerShell
Checks BIOS information in registry
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Power Settings
Drops file in System32 directory
Suspicious use of SetThreadContext
Launches sc.exe
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Unsigned PE
Enumerates system info in registry
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Modifies registry class
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-05 01:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-05 01:42
Reported
2024-07-05 02:05
Platform
win7-20240221-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-05 01:42
Reported
2024-07-05 02:05
Platform
win10v2004-20240704-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-07-05 01:42
Reported
2024-07-05 02:05
Platform
win7-20240508-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-07-05 01:42
Reported
2024-07-05 02:05
Platform
win10v2004-20240704-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-05 01:42
Reported
2024-07-05 02:09
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\ProgramData\Google\Chrome\updater.exe | N/A |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UsoSvc\ImagePath = "C:\\Windows\\system32\\svchost.exe -k netsvcs -p" | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dosvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\509c110ee54d73c3398140a5eb78c45a.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\38.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | pastebin.com | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Setup.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\Google\Chrome\updater.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4160 set thread context of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | C:\Windows\system32\dialer.exe |
| PID 2536 set thread context of 1188 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\system32\dialer.exe |
| PID 2536 set thread context of 2860 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\system32\dialer.exe |
| PID 2536 set thread context of 4704 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\system32\dialer.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\ABC.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\509c110ee54d73c3398140a5eb78c45a.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" | C:\Windows\system32\sihost.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Roaming\41.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\41.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes

| Image | Command line |
| --- | --- |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM |
| C:\Windows\system32\dwm.exe | "dwm.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc |
| C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer |
| C:\Windows\sysmon.exe | C:\Windows\sysmon.exe |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService |
| C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc |
| C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service |
| C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Users\Admin\AppData\Local\Temp\509c110ee54d73c3398140a5eb78c45a.exe | "C:\Users\Admin\AppData\Local\Temp\509c110ee54d73c3398140a5eb78c45a.exe" |
| C:\Users\Admin\AppData\Roaming\ABC.exe | "C:\Users\Admin\AppData\Roaming\ABC.exe" |
| C:\Users\Admin\AppData\Roaming\38.exe | "C:\Users\Admin\AppData\Roaming\38.exe" |
| C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding |
| C:\Users\Admin\AppData\Roaming\41.exe | "C:\Users\Admin\AppData\Roaming\41.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon |
| C:\Users\Admin\AppData\Roaming\ABC.exe | C:\Users\Admin\AppData\Roaming\ABC.exe |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k WerSvcGroup |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2020 -ip 2020 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1032 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\system32\mode.com | mode 65,10 |
| C:\Users\Admin\AppData\Local\Temp\main\7z.exe | 7z.exe e file.zip -p64872182929326299261407120071 -oextracted |
| C:\Users\Admin\AppData\Local\Temp\main\7z.exe | 7z.exe e extracted/file_11.zip -oextracted |
| C:\Users\Admin\AppData\Local\Temp\main\7z.exe | 7z.exe e extracted/file_10.zip -oextracted |
| C:\Users\Admin\AppData\Local\Temp\main\7z.exe | 7z.exe e extracted/file_9.zip -oextracted |
| C:\Users\Admin\AppData\Local\Temp\main\7z.exe | 7z.exe e extracted/file_8.zip -oextracted |
| C:\Users\Admin\AppData\Local\Temp\main\7z.exe | 7z.exe e extracted/file_7.zip -oextracted |
| C:\Users\Admin\AppData\Local\Temp\main\7z.exe | 7z.exe e extracted/file_6.zip -oextracted |
| C:\Users\Admin\AppData\Local\Temp\main\7z.exe | 7z.exe e extracted/file_5.zip -oextracted |
| C:\Users\Admin\AppData\Local\Temp\main\7z.exe | 7z.exe e extracted/file_4.zip -oextracted |
| C:\Users\Admin\AppData\Local\Temp\main\7z.exe | 7z.exe e extracted/file_3.zip -oextracted |
| C:\Users\Admin\AppData\Local\Temp\main\7z.exe | 7z.exe e extracted/file_2.zip -oextracted |
| C:\Users\Admin\AppData\Local\Temp\main\7z.exe | 7z.exe e extracted/file_1.zip -oextracted |
| C:\Windows\system32\attrib.exe | attrib +H "Installer.exe" |
| C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | "Installer.exe" |
| C:\Windows\System32\WaaSMedicAgent.exe | C:\Windows\System32\WaaSMedicAgent.exe 43d003422ae4dd14b2f932a4d05bda39 22OES7hTFEiquABR/5AUZQ.0.1.0.0.0 |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv |
| C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop UsoSvc |
| C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop WaaSMedicSvc |
| C:\Windows\servicing\TrustedInstaller.exe | C:\Windows\servicing\TrustedInstaller.exe |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop wuauserv |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop bits |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop dosvc |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 |
| C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC" |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto" |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop eventlog |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\ProgramData\Google\Chrome\updater.exe | C:\ProgramData\Google\Chrome\updater.exe |
| C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop UsoSvc |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop WaaSMedicSvc |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop wuauserv |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop bits |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop dosvc |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 |
| C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\system32\dialer.exe | dialer.exe |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Network
| Country | Destination | Domain | Proto |
| NL | 94.156.71.43:80 | | tcp |
| US | 8.8.8.8:53 | de.zephyr.herominers.com | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| NL | 94.156.71.43:80 | | tcp |
| US | 8.8.8.8:53 | de.zephyr.herominers.com | udp |
| US | 8.8.8.8:53 | de.zephyr.herominers.com | udp |
| NL | 94.156.71.43:80 | | tcp |
| US | 8.8.8.8:53 | de.zephyr.herominers.com | udp |
| NL | 94.156.71.43:80 | | tcp |
| US | 8.8.8.8:53 | de.zephyr.herominers.com | udp |
| NL | 94.156.71.43:80 | | tcp |
| US | 8.8.8.8:53 | de.zephyr.herominers.com | udp |
| US | 8.8.8.8:53 | de.zephyr.herominers.com | udp |
Files
C:\Users\Admin\AppData\Roaming\ABC.exe
| MD5 | 2808310786effc87a4359c778a73a7ee |
| SHA1 | 525f278678ad73a34c368f0afc4558ed0454f076 |
| SHA256 | 33d9753ee9b3920352b743d72adfd62c969ab0619eb5673151f478ebdfa197a5 |
| SHA512 | 02348e663f215ff6cf37cccea7ea4da3c53362aa75a1a0a88279b9a0acbf60deb30829b47ff7ce1ae97c43ca52b7e09ca90cbb621fee2da1a0ddcc65677c0d67 |
memory/3016-60-0x0000000072ECE000-0x0000000072ECF000-memory.dmp
memory/3016-61-0x0000000000280000-0x0000000000288000-memory.dmp
memory/3016-62-0x0000000004A90000-0x0000000004AF6000-memory.dmp
C:\Users\Admin\AppData\Roaming\38.exe
| MD5 | ca43f43bd60696a071914f7d56dfb170 |
| SHA1 | 0395c64a4cfc0c5b5e4f0213a2947e8971db0646 |
| SHA256 | c589837b7c914750d50c96183a6133940d0770d0a690c81b7594dafad925b8a9 |
| SHA512 | 5a476ade3e31ecdd01544111912bdf3cc43883c32703b72d698420c1ee7ec839c01cb7eadc7bfdc2f94ea7b4caac2e2a4e3f3ee088f1a1674a242d4db8d4a3be |
C:\Users\Admin\AppData\Roaming\41.exe
| MD5 | d3d07dbbf681e20fb2c58e5a8916a78e |
| SHA1 | 1964d2e5081b7a711fd6de9c48beada5adfe0daf |
| SHA256 | 4911bbaedcca532e468702601a467444f6bfcf65d940bed75fcaaca9d06c8150 |
| SHA512 | 42b2d6cdb522cd374f2b688ac47c62faae5416790a70930088dee5a2fa21561372bbef0bcd2c689b23f01f85347fd5b3c69d3d35193c4c9d57a6fb4251149951 |
C:\Users\Admin\AppData\Local\Temp\main\main.bat
| MD5 | 795ed47bc19ab0411368e5dc7aca6e07 |
| SHA1 | 850985565706675ee301d8566b2d53f67f262bf7 |
| SHA256 | 5f34e93c4e86b48cf1a799e6365430cd9fc3f995725d643e29ef5789272aa900 |
| SHA512 | 94509161822c07b48c876d2228e0e1b52aea7dc57b536c359de25f42a5ece221a6fc283d78ccfae2a85173099be48adc31f7ada74c620eb1e69ae07a09fc1341 |
C:\Users\Admin\AppData\Local\Temp\main\file.bin
| MD5 | e885c9465536f062fc721721fa06e903 |
| SHA1 | 2106458467b24cff9b88d850c0a3c89898975c76 |
| SHA256 | 968c86c0f6456a124ebfdd7d2ea4e4ec398148522cdb38246d0f41bc6002e981 |
| SHA512 | e6ea1af4dbc774323308c6e45ae3a9870e7e3f79ab660f6c3acf77fa4615cd20919fe4c048c5c28d24a7f70e73f0da468b86570589aa605552ebf7f743823aaa |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_11.zip
| MD5 | 8075ea50b2ab44f7c966326454fd36f9 |
| SHA1 | 3779fd6f91b063c1848d5ad5f1565d19ad8dfecd |
| SHA256 | 5fa303944c7f3ebcae8096c0e19155ae275280af73b88e348d9555ae306c8afa |
| SHA512 | 787814480f4d431c5f9939af50bfd33db26818f04b1c5e925d7382d5e9f5acfc661be6ad07eeae80a66541a8edb48d99e5087bb2d3df0f64d3f797deb1f24a58 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_10.zip
| MD5 | e10377d5147815c70d80dc19156aaa53 |
| SHA1 | 4ea7ab5c249e008960bb0f676de22b3e56e4a0af |
| SHA256 | a011c602ed35528769f63a473c195a5f69d9bf7611d8497da57a8f0d32f29559 |
| SHA512 | 448cb4731d60a620680e75e45a0ac17a77f945c2947a939d762958635bb7649b02d1b6754508c020311d23f1646abb73ee428f6e1507d828cf6287442d5c7c27 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip
| MD5 | 5df06ab0b8c35e23bfea346625eed65b |
| SHA1 | 83de80af6bf3e9cf84c9c8f0d27ad264779505e7 |
| SHA256 | e2a520a96e5f2f67c5a7ece9b3593ee7c584aa626cfbc7c592701e89b22c9995 |
| SHA512 | f396a039d4d145697b08d2834db16b57225c1caa1f1bd6489fc54847c53c29922846558c82085625a0e8e61d60c2a999e902da14921d3309262d9b005b7623ff |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip
| MD5 | a2fcdf069cb33a227138c7c51c47d310 |
| SHA1 | 6fdd15e4ff504cf31244b69db19d997f7fe982f2 |
| SHA256 | 0f1d600027dcbc1f9a1257214f84b50b79ab3cd2c5cc32710bbaaa73534fcca7 |
| SHA512 | 70fd3fc47af77c3766970d7e1bbf0e323d2d75fdff568a325f7610a238774f46e91d1633b6c6805a410e3b5ac8d298e5ae3a15850e66ae64c8b1b6fa27a114f7 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip
| MD5 | b38062631e88c006d9207a2cab53c38f |
| SHA1 | 33032c590ddb951da06d66bf72dd094435c4f9dd |
| SHA256 | c0c5aaa8727554a536d4b94d859cf68995accf8900809503c0dbe7676acc1a03 |
| SHA512 | 1f75f14348840089f312ddeb724149dab3b26fe5c001940a3f24961063882d1947621495ec63712927e1f9eab9cb3648af64538e98fb54f117f1a67af604eb92 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip
| MD5 | 1d2bfb868c2435a6d4b8ce54f176f53a |
| SHA1 | d167f754a0dbee66ded83ba45976f25cd15675a1 |
| SHA256 | 63638a0f50d91de6481e4935a0756a7e7580c77eefd951876856b0ca12014f4d |
| SHA512 | fc02bd564314c77f88c5ce500f29630b252928a281e9cb27358e8654f2f05ccb18cd2047a3956dffeeb548679e8d0d3531fa7ac8985d736adcee3dd28161ad63 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip
| MD5 | f35f55dcc36764bd3f8c7ee78c8c6183 |
| SHA1 | c14a73b93477a432164feb7c88f3e0a7945ee79a |
| SHA256 | 7b5720d4674c6add26e32b71f5de0b756146b77cae776b228950bce8fca82d34 |
| SHA512 | 73530110dcb560bf961eb69a0296b459717189cd45f98dfa7394888c41c4a1f0529e5524634ade6e35a42e0a173a77c91dbf41538b399c7bec1644c2db2e1a9d |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip
| MD5 | 74ea54b446d40ac1b028f6fd1c328d82 |
| SHA1 | 237fd55ad9f283d63c2b5990fc75fae3c6798db2 |
| SHA256 | 83b5d02c807446a860dcca710bdf8c2b5dd85c1603f6fca58665a39ab22d94ff |
| SHA512 | 69281509d8f45ddd9a7751557e069f712f0793cf048c207e180033b3fb77dbf388d7a65fac347ee6cbdc11441d3f4fff693c1c9d0e3b98537cb2e7b23d6231a5 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
| MD5 | 95b8bfebc75827e00d4166e13021e71b |
| SHA1 | e06f225bc0ff7fc18424fff88281b660a095bd23 |
| SHA256 | 075d77843575cfb5a0be0476059aa55ec88069aeab24802d9ba875c35ea34ac8 |
| SHA512 | 9e4a947efc2134d936b5dfd2ac52880f93ab078f9f02ba174c751a08a604b33c61453234118700cc2ca0d2c05c6171fe3c800d89291ac4ae25ea1fb994b713e9 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
| MD5 | c65fb7a8a19cdf11ea75d3806eab28b6 |
| SHA1 | cae2ed51df810884d6b6f2978b3e36bcffa7a103 |
| SHA256 | 6fe4f7993b5e22feae40b277d7b768f1609c77bfe24beaef8d1a4d96f35accdf |
| SHA512 | 9867531acf3399b497da3d14c50fe6e926620c213650487c6c2583f2848e6f5ae27d6bd09fca6889cea66ef1e8eca370cb26710aba1eab179955d92183b03c8e |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
| MD5 | b4d0e4e5e65dae0261e6389dacfc1af1 |
| SHA1 | 98a96294a6fa43d2ed037b377b32d3ee876da81a |
| SHA256 | c1978fb5525c7e32d5eaba3feceedfe4e28ef8731c3c8d2f36bfdf1c76fb6265 |
| SHA512 | fdb5a26e1944a26808ecdb8856bc11f873377ecfa97b55d350685b4c094d6428697afdd4e460cee9641cef9d726ef4e2b50d5018e7c37866c0b7efff86882ce1 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\Installer.exe
| MD5 | 9903ce550118ee2389f78891423ea887 |
| SHA1 | f4c28f83efce975439f3711d34662587da4f4064 |
| SHA256 | 932928c1c0d4302eefe3b53f86158219b4aa3ca5285c9faf14d0f0c684bdcb26 |
| SHA512 | 88ea20d8b5197d43835ea54ff0645997f53b12d68556bbb936b2347951ea3fa8d6931c917bb6ff3d9023d2ae5be1fae1e1e16da7740fd100ee9f581c88d60acb |
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
| MD5 | a9b2ea6a4101270c84eb55203ec2c9ce |
| SHA1 | 17e1f16fb2e6585c6113cebe376b76fffd7efebc |
| SHA256 | 9d768485e32ce6480248b5829bd0ea436547ea67312290a96306c8941e73d5b4 |
| SHA512 | 333d27dc38006b96e03bdf9dc92619b8fba75f63574f27924555e4e61e689dd2abfb5f19ab75c9c830cb21ff13b64594fe76e01d348895d177f2d7b9b8ea3fdb |
memory/4484-282-0x0000000072EC0000-0x0000000073670000-memory.dmp
memory/4484-283-0x0000000007120000-0x00000000071E2000-memory.dmp
memory/4484-284-0x00000000072F0000-0x00000000072FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TmpC6AB.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e2f2agnx.evv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 2d29fd3ae57f422e2b2121141dc82253 |
| SHA1 | c2464c857779c0ab4f5e766f5028fcc651a6c6b7 |
| SHA256 | 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4 |
| SHA512 | 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | 3dbcc4cc15c59005befeabc9cbe0f381 |
| SHA1 | c7708e340ab2b8442dcf6da8b4bc8b1bf2c394f9 |
| SHA256 | f0dd48e641cf4190d9432079c7655e66c15f648c44f6ec1eaaf5efd4572dc84b |
| SHA512 | 802f52afbc8b2968c3a27ead3b176eab2d2c14a33d57ee3423dfcde08ed2a354fa395504521232efc30a55f13321b1a4d3addeb5777275e2af0d21d757f03afd |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | d3606800e25f3a502b85f5f7dbf847b5 |
| SHA1 | 5811e7b707afeb8ef7a297ff9fb777ed6a58d91a |
| SHA256 | 511b03f704546274ab36588a391cd5873b576f4e40daa034b490b9bfa30a70ae |
| SHA512 | c77073f1aed3325028918b9729f5f773f998a89debebae24475b49770a80a1c71de011d072c1690ba52d2efda3ec3ca06cba7508434322a763a3406828fac92a |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1337824034-2731376981-3755436523-1000\08ae7d59313739724b6cc788a7d85a8f_6833eb7b-8d4b-4cdd-9502-9bbf7fc1cf9f
| MD5 | 0158fe9cead91d1b027b795984737614 |
| SHA1 | b41a11f909a7bdf1115088790a5680ac4e23031b |
| SHA256 | 513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a |
| SHA512 | c48a55cc7a92cefcefe5fb2382ccd8ef651fc8e0885e88a256cd2f5d83b824b7d910f755180b29eccb54d9361d6af82f9cc741bd7e6752122949b657da973676 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-07-05 01:42
Reported
2024-07-05 02:05
Platform
win10v2004-20240704-en
Analysis: behavioral7
Detonation Overview
Submitted
2024-07-05 01:42
Reported
2024-07-05 02:05
Platform
win7-20240221-en
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-05 01:42
Reported
2024-07-05 02:09
Platform
win7-20240704-en
Max time kernel
150s
Max time network
154s
Signatures
Modifies security service
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP | C:\Windows\System32\svchost.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\ProgramData\Google\Chrome\updater.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\GoogleUpdateTaskMachineQC\ImagePath = "C:\\ProgramData\\Google\\Chrome\\updater.exe" | C:\Windows\system32\services.exe | N/A |
Stops running service(s)
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\Google\Chrome\updater.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Setup.evtx | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1356 set thread context of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | C:\Windows\system32\dialer.exe |
| PID 1904 set thread context of 1980 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\system32\dialer.exe |
| PID 1904 set thread context of 2944 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\system32\dialer.exe |
| PID 1904 set thread context of 2284 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\system32\dialer.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
| File opened for modification | C:\Windows\appcompat\programs\RecentFileCache.bcf | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\ABC.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 20d1421980ceda01 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT | C:\Windows\system32\dialer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates | C:\Windows\system32\dialer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs | C:\Windows\system32\dialer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs | C:\Windows\system32\dialer.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\41.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (binary certificate blob omitted) | C:\Users\Admin\AppData\Roaming\41.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Users\Admin\AppData\Local\Temp\509c110ee54d73c3398140a5eb78c45a.exe
"C:\Users\Admin\AppData\Local\Temp\509c110ee54d73c3398140a5eb78c45a.exe"
C:\Users\Admin\AppData\Roaming\ABC.exe
"C:\Users\Admin\AppData\Roaming\ABC.exe"
C:\Users\Admin\AppData\Roaming\38.exe
"C:\Users\Admin\AppData\Roaming\38.exe"
C:\Users\Admin\AppData\Roaming\41.exe
"C:\Users\Admin\AppData\Roaming\41.exe"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Admin\AppData\Roaming\ABC.exe
C:\Users\Admin\AppData\Roaming\ABC.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 676
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15755720192014896254-1808666175-274203083-2028839435-7329277511095609545-495746830"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p64872182929326299261407120071 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_11.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_10.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_9.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_8.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "Installer.exe"
C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
"Installer.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6021011401114750911-433279603-723418072-1549055889642296101-1599912456-1008253114"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1032025490-16248635132101383447-201758989433125-157675065-1555366074-1554451277"
C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9842942921557945975493594508-549411321-8080277431591720984-1729584710271783044"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-123364038817342514811811978500201970493034907933-1114066984-2112942760-822971810"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-804815446935918302875043085-886490957-19548714511147701441-4649241581651169696"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
dialer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Network
| Country | Destination | Domain | Proto |
| NL | 94.156.71.43:80 | | tcp |
| US | 8.8.8.8:53 | de.zephyr.herominers.com | udp |
| DE | 167.235.223.40:1123 | de.zephyr.herominers.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| RU | 89.23.99.145:187 | | tcp |
Files
\Users\Admin\AppData\Roaming\ABC.exe
\Users\Admin\AppData\Roaming\38.exe
C:\Users\Admin\AppData\Roaming\41.exe
C:\Users\Admin\AppData\Local\Temp\main\main.bat
C:\Users\Admin\AppData\Local\Temp\main\file.bin
\Users\Admin\AppData\Local\Temp\main\7z.exe
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_11.zip
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_10.zip
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
C:\Users\Admin\AppData\Local\Temp\Tmp771.tmp
C:\Users\Public\Desktop\Google Chrome.lnk
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3294248377-1418901787-4083263181-1000\76b53b3ec448f7ccdda2063b15d2bfc3_ecb53134-212c-4ea0-b42c-6ba9df06ace3