Malware Analysis Report

2025-01-22 09:23

Sample ID 240705-cbbwlszclr
Target dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe
SHA256 dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6
Tags
redline evasion execution infostealer persistence
score
10/10

Analysis Overview

score
10/10

SHA256

dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6

Threat Level: Known bad

The file dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe was found to be: Known bad.

Malicious Activity Summary

redline evasion execution infostealer persistence

RedLine

Modifies security service

RedLine payload

Sets service image path in registry

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Stops running service(s)

Creates new service(s)

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Power Settings

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

Modifies registry class

Checks processor information in registry

Modifies data under HKEY_USERS

Views/modifies file attributes

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-05 01:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-05 01:53

Reported

2024-07-05 06:26

Platform

win7-20240704-en

Max time kernel

150s

Max time network

136s

Command Line

winlogon.exe

Signatures

Modifies security service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP C:\Windows\System32\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection C:\Windows\System32\svchost.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Creates new service(s)

persistence execution

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
File created C:\Windows\system32\drivers\etc\hosts C:\ProgramData\Google\Chrome\updater.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\GoogleUpdateTaskMachineQC\ImagePath = "C:\\ProgramData\\Google\\Chrome\\updater.exe" C:\Windows\system32\services.exe N/A

Stops running service(s)

evasion execution

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\services.exe N/A
N/A N/A C:\Windows\system32\services.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Setup.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\Google\Chrome\updater.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 672 set thread context of 2756 N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe C:\Windows\system32\dialer.exe
PID 1720 set thread context of 2004 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\dialer.exe
PID 1720 set thread context of 1920 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\dialer.exe
PID 1720 set thread context of 1176 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\dialer.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\wusa.lock C:\Windows\system32\wusa.exe N/A
File opened for modification C:\Windows\appcompat\programs\RecentFileCache.bcf C:\Windows\system32\svchost.exe N/A
File created C:\Windows\wusa.lock C:\Windows\system32\wusa.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\ABC.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b0a11305a4ceda01 C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT C:\Windows\system32\dialer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates C:\Windows\system32\dialer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs C:\Windows\system32\dialer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs C:\Windows\system32\dialer.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\AppData\Roaming\41.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Roaming\41.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\ABC.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ABC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\ABC.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\ABC.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\41.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\41.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\41.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\41.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\41.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\41.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\41.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\41.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\41.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\41.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\41.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\dialer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe C:\Users\Admin\AppData\Roaming\ABC.exe
PID 2380 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe C:\Users\Admin\AppData\Roaming\ABC.exe
PID 2380 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe C:\Users\Admin\AppData\Roaming\ABC.exe
PID 2380 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe C:\Users\Admin\AppData\Roaming\ABC.exe
PID 2380 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe C:\Users\Admin\AppData\Roaming\38.exe
PID 2380 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe C:\Users\Admin\AppData\Roaming\38.exe
PID 2380 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe C:\Users\Admin\AppData\Roaming\38.exe
PID 2380 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe C:\Users\Admin\AppData\Roaming\38.exe
PID 2380 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe C:\Users\Admin\AppData\Roaming\38.exe
PID 2380 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe C:\Users\Admin\AppData\Roaming\38.exe
PID 2380 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe C:\Users\Admin\AppData\Roaming\38.exe
PID 2380 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe C:\Users\Admin\AppData\Roaming\41.exe
PID 2380 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe C:\Users\Admin\AppData\Roaming\41.exe
PID 2380 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe C:\Users\Admin\AppData\Roaming\41.exe
PID 2380 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe C:\Users\Admin\AppData\Roaming\41.exe
PID 2616 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Roaming\ABC.exe C:\Windows\SysWOW64\WerFault.exe
PID 2616 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Roaming\ABC.exe C:\Windows\SysWOW64\WerFault.exe
PID 2616 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Roaming\ABC.exe C:\Windows\SysWOW64\WerFault.exe
PID 2616 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Roaming\ABC.exe C:\Windows\SysWOW64\WerFault.exe
PID 560 wrote to memory of 492 N/A C:\Users\Admin\AppData\Roaming\38.exe C:\Windows\system32\cmd.exe
PID 560 wrote to memory of 492 N/A C:\Users\Admin\AppData\Roaming\38.exe C:\Windows\system32\cmd.exe
PID 560 wrote to memory of 492 N/A C:\Users\Admin\AppData\Roaming\38.exe C:\Windows\system32\cmd.exe
PID 560 wrote to memory of 492 N/A C:\Users\Admin\AppData\Roaming\38.exe C:\Windows\system32\cmd.exe
PID 492 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 492 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 492 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 492 wrote to memory of 2812 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 2812 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 2812 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 2820 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 2820 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 2820 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 468 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 468 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 468 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 1676 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 1676 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 1676 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 1560 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 1560 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 1560 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 1032 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 1032 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 1032 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 2208 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 2208 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 2208 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 2268 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 2268 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 2268 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 2260 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 2260 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 2260 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 784 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 784 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 784 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 2004 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 2004 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 2004 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 492 wrote to memory of 2012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 492 wrote to memory of 2012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe

"C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe"

C:\Users\Admin\AppData\Roaming\ABC.exe

"C:\Users\Admin\AppData\Roaming\ABC.exe"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Users\Admin\AppData\Roaming\38.exe

"C:\Users\Admin\AppData\Roaming\38.exe"

C:\Users\Admin\AppData\Roaming\41.exe

"C:\Users\Admin\AppData\Roaming\41.exe"

C:\Users\Admin\AppData\Roaming\ABC.exe

C:\Users\Admin\AppData\Roaming\ABC.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 676

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "375461392-877316682822244523-77661076-76464429219837756671080840118-2055651943"

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p64872182929326299261407120071 -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_11.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_10.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_9.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_8.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_7.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_6.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "Installer.exe"

C:\Users\Admin\AppData\Local\Temp\main\Installer.exe

"Installer.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-939313817-245503649484863617-9549389821505461929590127641-1623823744-743335724"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1368000484-8144914111198794960-1655873121-680794391947412583-272230512-1990848342"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-700112165-403262288-1384162780-388300848-17318812051967831995-1517940585-1129843692"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1159994726-19645259331477066112-1467492739-1521438587-196501832-2792576951650656381"

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-611737844-1519881380679426512415308391-588114600-553462486928657289-1968935080"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1174715922-2050047864-132058380081892099971662592632582374624086014743516934"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1922415803998143850-3335201281048759357-1096954993-29112716-754154999-1777647884"

C:\ProgramData\Google\Chrome\updater.exe

C:\ProgramData\Google\Chrome\updater.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-9081224002049501575-12174555338395333332013341216-303399592-745293177-352200924"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-9508994-629613403-352150152-20373080091364387388-7940496171289551812-340898121"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1327210572-1576491022558799695267246561177468988966779458511966468951891605459"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "758506817-345588087-641959968-964399278-1095660541942335566-16794579382093848688"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-20246761641464791014-1860290998909453719-2049713877557083665-21024631691927203508"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1990595239-883856892-1921404899-2092240589191314630-11885182561664618127587226333"

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

dialer.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Network

Country Destination Domain Proto
NL 94.156.71.43:80 tcp
NL 94.156.71.43:80 tcp
US 8.8.8.8:53 de.zephyr.herominers.com udp
NL 94.156.71.43:80 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
NL 94.156.71.43:80 tcp
NL 94.156.71.43:80 tcp
RU 89.23.99.145:187 tcp
NL 94.156.71.43:80 tcp
NL 94.156.71.43:80 tcp
NL 94.156.71.43:80 tcp
NL 94.156.71.43:80 tcp
NL 94.156.71.43:80 tcp
NL 94.156.71.43:80 tcp
NL 94.156.71.43:80 tcp
NL 94.156.71.43:80 tcp
NL 94.156.71.43:80 tcp
NL 94.156.71.43:80 tcp
NL 94.156.71.43:80 tcp
NL 94.156.71.43:80 tcp
NL 94.156.71.43:80 tcp
NL 94.156.71.43:80 tcp
NL 94.156.71.43:80 tcp
NL 94.156.71.43:80 tcp
NL 94.156.71.43:80 tcp
NL 94.156.71.43:80 tcp
NL 94.156.71.43:80 tcp
NL 94.156.71.43:80 tcp
NL 94.156.71.43:80 tcp
NL 94.156.71.43:80 tcp
NL 94.156.71.43:80 tcp
NL 94.156.71.43:80 tcp
NL 94.156.71.43:80 tcp

Files

\Users\Admin\AppData\Roaming\ABC.exe

MD5 2808310786effc87a4359c778a73a7ee
SHA1 525f278678ad73a34c368f0afc4558ed0454f076
SHA256 33d9753ee9b3920352b743d72adfd62c969ab0619eb5673151f478ebdfa197a5
SHA512 02348e663f215ff6cf37cccea7ea4da3c53362aa75a1a0a88279b9a0acbf60deb30829b47ff7ce1ae97c43ca52b7e09ca90cbb621fee2da1a0ddcc65677c0d67

memory/2412-8-0x000000007352E000-0x000000007352F000-memory.dmp

memory/2412-9-0x0000000000C60000-0x0000000000C68000-memory.dmp

C:\Users\Admin\AppData\Roaming\38.exe

MD5 ca43f43bd60696a071914f7d56dfb170
SHA1 0395c64a4cfc0c5b5e4f0213a2947e8971db0646
SHA256 c589837b7c914750d50c96183a6133940d0770d0a690c81b7594dafad925b8a9
SHA512 5a476ade3e31ecdd01544111912bdf3cc43883c32703b72d698420c1ee7ec839c01cb7eadc7bfdc2f94ea7b4caac2e2a4e3f3ee088f1a1674a242d4db8d4a3be

memory/2908-27-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

C:\Users\Admin\AppData\Roaming\41.exe

MD5 d3d07dbbf681e20fb2c58e5a8916a78e
SHA1 1964d2e5081b7a711fd6de9c48beada5adfe0daf
SHA256 4911bbaedcca532e468702601a467444f6bfcf65d940bed75fcaaca9d06c8150
SHA512 42b2d6cdb522cd374f2b688ac47c62faae5416790a70930088dee5a2fa21561372bbef0bcd2c689b23f01f85347fd5b3c69d3d35193c4c9d57a6fb4251149951

memory/2908-28-0x0000000000390000-0x0000000000398000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\main\main.bat

MD5 795ed47bc19ab0411368e5dc7aca6e07
SHA1 850985565706675ee301d8566b2d53f67f262bf7
SHA256 5f34e93c4e86b48cf1a799e6365430cd9fc3f995725d643e29ef5789272aa900
SHA512 94509161822c07b48c876d2228e0e1b52aea7dc57b536c359de25f42a5ece221a6fc283d78ccfae2a85173099be48adc31f7ada74c620eb1e69ae07a09fc1341

C:\Users\Admin\AppData\Local\Temp\main\file.bin

MD5 e885c9465536f062fc721721fa06e903
SHA1 2106458467b24cff9b88d850c0a3c89898975c76
SHA256 968c86c0f6456a124ebfdd7d2ea4e4ec398148522cdb38246d0f41bc6002e981
SHA512 e6ea1af4dbc774323308c6e45ae3a9870e7e3f79ab660f6c3acf77fa4615cd20919fe4c048c5c28d24a7f70e73f0da468b86570589aa605552ebf7f743823aaa

\Users\Admin\AppData\Local\Temp\main\7z.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

MD5 72491c7b87a7c2dd350b727444f13bb4
SHA1 1e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA256 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_11.zip

MD5 8075ea50b2ab44f7c966326454fd36f9
SHA1 3779fd6f91b063c1848d5ad5f1565d19ad8dfecd
SHA256 5fa303944c7f3ebcae8096c0e19155ae275280af73b88e348d9555ae306c8afa
SHA512 787814480f4d431c5f9939af50bfd33db26818f04b1c5e925d7382d5e9f5acfc661be6ad07eeae80a66541a8edb48d99e5087bb2d3df0f64d3f797deb1f24a58

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_10.zip

MD5 e10377d5147815c70d80dc19156aaa53
SHA1 4ea7ab5c249e008960bb0f676de22b3e56e4a0af
SHA256 a011c602ed35528769f63a473c195a5f69d9bf7611d8497da57a8f0d32f29559
SHA512 448cb4731d60a620680e75e45a0ac17a77f945c2947a939d762958635bb7649b02d1b6754508c020311d23f1646abb73ee428f6e1507d828cf6287442d5c7c27

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip

MD5 5df06ab0b8c35e23bfea346625eed65b
SHA1 83de80af6bf3e9cf84c9c8f0d27ad264779505e7
SHA256 e2a520a96e5f2f67c5a7ece9b3593ee7c584aa626cfbc7c592701e89b22c9995
SHA512 f396a039d4d145697b08d2834db16b57225c1caa1f1bd6489fc54847c53c29922846558c82085625a0e8e61d60c2a999e902da14921d3309262d9b005b7623ff

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip

MD5 a2fcdf069cb33a227138c7c51c47d310
SHA1 6fdd15e4ff504cf31244b69db19d997f7fe982f2
SHA256 0f1d600027dcbc1f9a1257214f84b50b79ab3cd2c5cc32710bbaaa73534fcca7
SHA512 70fd3fc47af77c3766970d7e1bbf0e323d2d75fdff568a325f7610a238774f46e91d1633b6c6805a410e3b5ac8d298e5ae3a15850e66ae64c8b1b6fa27a114f7

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

MD5 b38062631e88c006d9207a2cab53c38f
SHA1 33032c590ddb951da06d66bf72dd094435c4f9dd
SHA256 c0c5aaa8727554a536d4b94d859cf68995accf8900809503c0dbe7676acc1a03
SHA512 1f75f14348840089f312ddeb724149dab3b26fe5c001940a3f24961063882d1947621495ec63712927e1f9eab9cb3648af64538e98fb54f117f1a67af604eb92

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

MD5 1d2bfb868c2435a6d4b8ce54f176f53a
SHA1 d167f754a0dbee66ded83ba45976f25cd15675a1
SHA256 63638a0f50d91de6481e4935a0756a7e7580c77eefd951876856b0ca12014f4d
SHA512 fc02bd564314c77f88c5ce500f29630b252928a281e9cb27358e8654f2f05ccb18cd2047a3956dffeeb548679e8d0d3531fa7ac8985d736adcee3dd28161ad63

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

MD5 f35f55dcc36764bd3f8c7ee78c8c6183
SHA1 c14a73b93477a432164feb7c88f3e0a7945ee79a
SHA256 7b5720d4674c6add26e32b71f5de0b756146b77cae776b228950bce8fca82d34
SHA512 73530110dcb560bf961eb69a0296b459717189cd45f98dfa7394888c41c4a1f0529e5524634ade6e35a42e0a173a77c91dbf41538b399c7bec1644c2db2e1a9d

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

MD5 74ea54b446d40ac1b028f6fd1c328d82
SHA1 237fd55ad9f283d63c2b5990fc75fae3c6798db2
SHA256 83b5d02c807446a860dcca710bdf8c2b5dd85c1603f6fca58665a39ab22d94ff
SHA512 69281509d8f45ddd9a7751557e069f712f0793cf048c207e180033b3fb77dbf388d7a65fac347ee6cbdc11441d3f4fff693c1c9d0e3b98537cb2e7b23d6231a5

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

MD5 95b8bfebc75827e00d4166e13021e71b
SHA1 e06f225bc0ff7fc18424fff88281b660a095bd23
SHA256 075d77843575cfb5a0be0476059aa55ec88069aeab24802d9ba875c35ea34ac8
SHA512 9e4a947efc2134d936b5dfd2ac52880f93ab078f9f02ba174c751a08a604b33c61453234118700cc2ca0d2c05c6171fe3c800d89291ac4ae25ea1fb994b713e9

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

MD5 c65fb7a8a19cdf11ea75d3806eab28b6
SHA1 cae2ed51df810884d6b6f2978b3e36bcffa7a103
SHA256 6fe4f7993b5e22feae40b277d7b768f1609c77bfe24beaef8d1a4d96f35accdf
SHA512 9867531acf3399b497da3d14c50fe6e926620c213650487c6c2583f2848e6f5ae27d6bd09fca6889cea66ef1e8eca370cb26710aba1eab179955d92183b03c8e

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

MD5 b4d0e4e5e65dae0261e6389dacfc1af1
SHA1 98a96294a6fa43d2ed037b377b32d3ee876da81a
SHA256 c1978fb5525c7e32d5eaba3feceedfe4e28ef8731c3c8d2f36bfdf1c76fb6265
SHA512 fdb5a26e1944a26808ecdb8856bc11f873377ecfa97b55d350685b4c094d6428697afdd4e460cee9641cef9d726ef4e2b50d5018e7c37866c0b7efff86882ce1

memory/2908-139-0x0000000007070000-0x0000000007132000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp28F5.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/2100-174-0x000000001B610000-0x000000001B8F2000-memory.dmp

memory/2100-175-0x0000000002200000-0x0000000002208000-memory.dmp

memory/2756-177-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2756-180-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2756-179-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2756-178-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2756-182-0x0000000140000000-0x000000014002B000-memory.dmp

memory/480-213-0x0000000037A70000-0x0000000037A80000-memory.dmp

memory/488-221-0x0000000037A70000-0x0000000037A80000-memory.dmp

memory/488-219-0x000007FEBFC80000-0x000007FEBFC90000-memory.dmp

memory/488-217-0x0000000000100000-0x000000000012B000-memory.dmp

memory/480-212-0x000007FEBFC80000-0x000007FEBFC90000-memory.dmp

memory/480-209-0x0000000000EA0000-0x0000000000ECB000-memory.dmp

memory/432-193-0x0000000037A70000-0x0000000037A80000-memory.dmp

memory/432-192-0x000007FEBFC80000-0x000007FEBFC90000-memory.dmp

memory/432-191-0x0000000000220000-0x000000000024B000-memory.dmp

memory/432-190-0x00000000001F0000-0x0000000000214000-memory.dmp

memory/432-188-0x00000000001F0000-0x0000000000214000-memory.dmp

memory/2756-185-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2756-184-0x0000000077810000-0x000000007792F000-memory.dmp

memory/2756-183-0x0000000077A30000-0x0000000077BD9000-memory.dmp

memory/688-518-0x000000001A1D0000-0x000000001A4B2000-memory.dmp

memory/688-520-0x00000000002C0000-0x00000000002C8000-memory.dmp

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 b57877de1b7376281de67c1851237e5e
SHA1 c9f6ade97f24883c91fd63b0b5a8eaf1a03e2378
SHA256 2f66cbc49cf47faba3316209ab86cac15de1a16446a285456dad36f02829aec9
SHA512 7df483f9dc1065fbfa3199d078f32d9fbc5796f9da3a415e7c563b3581fc3a65300483639f0a6179a5d1b29a085b1f3634280a5eec0cfdb9f1f9c56245bbd6d0

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3450744190-3404161390-554719085-1000\76b53b3ec448f7ccdda2063b15d2bfc3_35dd7637-4d7c-4a57-bd86-689f7bd65008

MD5 0158fe9cead91d1b027b795984737614
SHA1 b41a11f909a7bdf1115088790a5680ac4e23031b
SHA256 513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a
SHA512 c48a55cc7a92cefcefe5fb2382ccd8ef651fc8e0885e88a256cd2f5d83b824b7d910f755180b29eccb54d9361d6af82f9cc741bd7e6752122949b657da973676

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3450744190-3404161390-554719085-1000\76b53b3ec448f7ccdda2063b15d2bfc3_35dd7637-4d7c-4a57-bd86-689f7bd65008

MD5 6039b6be542bd61023ae2be1ae854d40
SHA1 efc1a055481ac729d62715e54fd306aca624383f
SHA256 6a1ead0dcab8318feef7aa2799cd9903481930e8fe25978be2656894af05cb4f
SHA512 34a4869476d2aac78a79e2704fc9d5af0b4e77807dc7aade0612f3ad21978dbf52a156b61886b2bdbe3830a036778b136349c0f3c78cecccebb146037e8b214c

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-05 01:53

Reported

2024-07-05 06:26

Platform

win10v2004-20240704-en

Max time kernel

150s

Max time network

155s

Command Line

winlogon.exe

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Creates new service(s)

persistence execution

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
File created C:\Windows\system32\drivers\etc\hosts C:\ProgramData\Google\Chrome\updater.exe N/A

Stops running service(s)

evasion execution

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\38.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\Google\Chrome\updater.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1776 set thread context of 2076 N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe C:\Windows\system32\dialer.exe
PID 4976 set thread context of 3112 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\dialer.exe
PID 4976 set thread context of 2600 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\dialer.exe
PID 4976 set thread context of 1560 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\dialer.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\ABC.exe

Checks processor information in registry

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\dialer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1720160753" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT C:\Windows\system32\dialer.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\dialer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\dialer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\AppData\Roaming\41.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [blob value omitted] C:\Users\Admin\AppData\Roaming\41.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\ABC.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ABC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\ABC.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\ABC.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\41.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\41.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\41.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\41.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\41.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\41.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\dialer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\System32\RuntimeBroker.exe N/A
N/A N/A C:\Windows\System32\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3632 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe C:\Users\Admin\AppData\Roaming\ABC.exe
PID 3632 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe C:\Users\Admin\AppData\Roaming\ABC.exe
PID 3632 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe C:\Users\Admin\AppData\Roaming\ABC.exe
PID 3632 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe C:\Users\Admin\AppData\Roaming\38.exe
PID 3632 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe C:\Users\Admin\AppData\Roaming\38.exe
PID 3632 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe C:\Users\Admin\AppData\Roaming\38.exe
PID 3632 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe C:\Users\Admin\AppData\Roaming\41.exe
PID 3632 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe C:\Users\Admin\AppData\Roaming\41.exe
PID 3632 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe C:\Users\Admin\AppData\Roaming\41.exe
PID 3944 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Roaming\38.exe C:\Windows\system32\cmd.exe
PID 3944 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Roaming\38.exe C:\Windows\system32\cmd.exe
PID 3872 wrote to memory of 216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 3872 wrote to memory of 216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 3872 wrote to memory of 4292 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3872 wrote to memory of 4292 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3872 wrote to memory of 3108 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3872 wrote to memory of 3108 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3872 wrote to memory of 1228 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3872 wrote to memory of 1228 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3872 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3872 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3872 wrote to memory of 4648 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3872 wrote to memory of 4648 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3872 wrote to memory of 4664 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3872 wrote to memory of 4664 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3872 wrote to memory of 3304 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3872 wrote to memory of 3304 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3872 wrote to memory of 4836 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3872 wrote to memory of 4836 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3872 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3872 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3872 wrote to memory of 2152 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3872 wrote to memory of 2152 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3872 wrote to memory of 4812 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3872 wrote to memory of 4812 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3872 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3872 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3872 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3872 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3872 wrote to memory of 1776 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
PID 3872 wrote to memory of 1776 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
PID 1104 wrote to memory of 1980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 1104 wrote to memory of 1980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 1776 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe C:\Windows\system32\dialer.exe
PID 1776 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe C:\Windows\system32\dialer.exe
PID 1776 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe C:\Windows\system32\dialer.exe
PID 1776 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe C:\Windows\system32\dialer.exe
PID 1776 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe C:\Windows\system32\dialer.exe
PID 1776 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe C:\Windows\system32\dialer.exe
PID 1776 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe C:\Windows\system32\dialer.exe
PID 2076 wrote to memory of 616 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\winlogon.exe
PID 2076 wrote to memory of 676 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\lsass.exe
PID 2076 wrote to memory of 944 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2076 wrote to memory of 1008 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\dwm.exe
PID 2076 wrote to memory of 516 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2076 wrote to memory of 940 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2076 wrote to memory of 1040 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2076 wrote to memory of 1112 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2076 wrote to memory of 1196 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2076 wrote to memory of 1212 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2076 wrote to memory of 1260 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2076 wrote to memory of 1308 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2076 wrote to memory of 1352 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2076 wrote to memory of 1420 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe

"C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Roaming\ABC.exe

"C:\Users\Admin\AppData\Roaming\ABC.exe"

C:\Users\Admin\AppData\Roaming\38.exe

"C:\Users\Admin\AppData\Roaming\38.exe"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Users\Admin\AppData\Roaming\41.exe

"C:\Users\Admin\AppData\Roaming\41.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon

C:\Users\Admin\AppData\Roaming\ABC.exe

C:\Users\Admin\AppData\Roaming\ABC.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4420 -ip 4420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 1032

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p64872182929326299261407120071 -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_11.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_10.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_9.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_8.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_7.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_6.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "Installer.exe"

C:\Users\Admin\AppData\Local\Temp\main\Installer.exe

"Installer.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\Google\Chrome\updater.exe

C:\ProgramData\Google\Chrome\updater.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

dialer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 de.zephyr.herominers.com udp
DE 167.235.223.40:1123 de.zephyr.herominers.com tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 40.223.235.167.in-addr.arpa udp
RU 89.23.99.145:187 tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 145.99.23.89.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\ABC.exe

MD5 2808310786effc87a4359c778a73a7ee
SHA1 525f278678ad73a34c368f0afc4558ed0454f076
SHA256 33d9753ee9b3920352b743d72adfd62c969ab0619eb5673151f478ebdfa197a5
SHA512 02348e663f215ff6cf37cccea7ea4da3c53362aa75a1a0a88279b9a0acbf60deb30829b47ff7ce1ae97c43ca52b7e09ca90cbb621fee2da1a0ddcc65677c0d67

memory/1932-60-0x000000007268E000-0x000000007268F000-memory.dmp

memory/1932-61-0x0000000000B40000-0x0000000000B48000-memory.dmp

memory/1932-62-0x0000000005510000-0x0000000005576000-memory.dmp

C:\Users\Admin\AppData\Roaming\38.exe

MD5 ca43f43bd60696a071914f7d56dfb170
SHA1 0395c64a4cfc0c5b5e4f0213a2947e8971db0646
SHA256 c589837b7c914750d50c96183a6133940d0770d0a690c81b7594dafad925b8a9
SHA512 5a476ade3e31ecdd01544111912bdf3cc43883c32703b72d698420c1ee7ec839c01cb7eadc7bfdc2f94ea7b4caac2e2a4e3f3ee088f1a1674a242d4db8d4a3be

C:\Users\Admin\AppData\Roaming\41.exe

MD5 d3d07dbbf681e20fb2c58e5a8916a78e
SHA1 1964d2e5081b7a711fd6de9c48beada5adfe0daf
SHA256 4911bbaedcca532e468702601a467444f6bfcf65d940bed75fcaaca9d06c8150
SHA512 42b2d6cdb522cd374f2b688ac47c62faae5416790a70930088dee5a2fa21561372bbef0bcd2c689b23f01f85347fd5b3c69d3d35193c4c9d57a6fb4251149951

memory/744-184-0x0000000000DE0000-0x0000000000DEA000-memory.dmp

memory/744-185-0x0000000072680000-0x0000000072E30000-memory.dmp

memory/744-186-0x00000000054C0000-0x00000000054C8000-memory.dmp

memory/744-188-0x0000000007B90000-0x0000000007C22000-memory.dmp

memory/744-187-0x0000000008140000-0x00000000086E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\main\main.bat

MD5 795ed47bc19ab0411368e5dc7aca6e07
SHA1 850985565706675ee301d8566b2d53f67f262bf7
SHA256 5f34e93c4e86b48cf1a799e6365430cd9fc3f995725d643e29ef5789272aa900
SHA512 94509161822c07b48c876d2228e0e1b52aea7dc57b536c359de25f42a5ece221a6fc283d78ccfae2a85173099be48adc31f7ada74c620eb1e69ae07a09fc1341

C:\Users\Admin\AppData\Local\Temp\main\file.bin

MD5 e885c9465536f062fc721721fa06e903
SHA1 2106458467b24cff9b88d850c0a3c89898975c76
SHA256 968c86c0f6456a124ebfdd7d2ea4e4ec398148522cdb38246d0f41bc6002e981
SHA512 e6ea1af4dbc774323308c6e45ae3a9870e7e3f79ab660f6c3acf77fa4615cd20919fe4c048c5c28d24a7f70e73f0da468b86570589aa605552ebf7f743823aaa

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

MD5 72491c7b87a7c2dd350b727444f13bb4
SHA1 1e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA256 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_11.zip

MD5 8075ea50b2ab44f7c966326454fd36f9
SHA1 3779fd6f91b063c1848d5ad5f1565d19ad8dfecd
SHA256 5fa303944c7f3ebcae8096c0e19155ae275280af73b88e348d9555ae306c8afa
SHA512 787814480f4d431c5f9939af50bfd33db26818f04b1c5e925d7382d5e9f5acfc661be6ad07eeae80a66541a8edb48d99e5087bb2d3df0f64d3f797deb1f24a58

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_10.zip

MD5 e10377d5147815c70d80dc19156aaa53
SHA1 4ea7ab5c249e008960bb0f676de22b3e56e4a0af
SHA256 a011c602ed35528769f63a473c195a5f69d9bf7611d8497da57a8f0d32f29559
SHA512 448cb4731d60a620680e75e45a0ac17a77f945c2947a939d762958635bb7649b02d1b6754508c020311d23f1646abb73ee428f6e1507d828cf6287442d5c7c27

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip

MD5 5df06ab0b8c35e23bfea346625eed65b
SHA1 83de80af6bf3e9cf84c9c8f0d27ad264779505e7
SHA256 e2a520a96e5f2f67c5a7ece9b3593ee7c584aa626cfbc7c592701e89b22c9995
SHA512 f396a039d4d145697b08d2834db16b57225c1caa1f1bd6489fc54847c53c29922846558c82085625a0e8e61d60c2a999e902da14921d3309262d9b005b7623ff

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip

MD5 a2fcdf069cb33a227138c7c51c47d310
SHA1 6fdd15e4ff504cf31244b69db19d997f7fe982f2
SHA256 0f1d600027dcbc1f9a1257214f84b50b79ab3cd2c5cc32710bbaaa73534fcca7
SHA512 70fd3fc47af77c3766970d7e1bbf0e323d2d75fdff568a325f7610a238774f46e91d1633b6c6805a410e3b5ac8d298e5ae3a15850e66ae64c8b1b6fa27a114f7

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

MD5 b38062631e88c006d9207a2cab53c38f
SHA1 33032c590ddb951da06d66bf72dd094435c4f9dd
SHA256 c0c5aaa8727554a536d4b94d859cf68995accf8900809503c0dbe7676acc1a03
SHA512 1f75f14348840089f312ddeb724149dab3b26fe5c001940a3f24961063882d1947621495ec63712927e1f9eab9cb3648af64538e98fb54f117f1a67af604eb92

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

MD5 1d2bfb868c2435a6d4b8ce54f176f53a
SHA1 d167f754a0dbee66ded83ba45976f25cd15675a1
SHA256 63638a0f50d91de6481e4935a0756a7e7580c77eefd951876856b0ca12014f4d
SHA512 fc02bd564314c77f88c5ce500f29630b252928a281e9cb27358e8654f2f05ccb18cd2047a3956dffeeb548679e8d0d3531fa7ac8985d736adcee3dd28161ad63

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

MD5 f35f55dcc36764bd3f8c7ee78c8c6183
SHA1 c14a73b93477a432164feb7c88f3e0a7945ee79a
SHA256 7b5720d4674c6add26e32b71f5de0b756146b77cae776b228950bce8fca82d34
SHA512 73530110dcb560bf961eb69a0296b459717189cd45f98dfa7394888c41c4a1f0529e5524634ade6e35a42e0a173a77c91dbf41538b399c7bec1644c2db2e1a9d

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

MD5 74ea54b446d40ac1b028f6fd1c328d82
SHA1 237fd55ad9f283d63c2b5990fc75fae3c6798db2
SHA256 83b5d02c807446a860dcca710bdf8c2b5dd85c1603f6fca58665a39ab22d94ff
SHA512 69281509d8f45ddd9a7751557e069f712f0793cf048c207e180033b3fb77dbf388d7a65fac347ee6cbdc11441d3f4fff693c1c9d0e3b98537cb2e7b23d6231a5

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

MD5 95b8bfebc75827e00d4166e13021e71b
SHA1 e06f225bc0ff7fc18424fff88281b660a095bd23
SHA256 075d77843575cfb5a0be0476059aa55ec88069aeab24802d9ba875c35ea34ac8
SHA512 9e4a947efc2134d936b5dfd2ac52880f93ab078f9f02ba174c751a08a604b33c61453234118700cc2ca0d2c05c6171fe3c800d89291ac4ae25ea1fb994b713e9

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

MD5 c65fb7a8a19cdf11ea75d3806eab28b6
SHA1 cae2ed51df810884d6b6f2978b3e36bcffa7a103
SHA256 6fe4f7993b5e22feae40b277d7b768f1609c77bfe24beaef8d1a4d96f35accdf
SHA512 9867531acf3399b497da3d14c50fe6e926620c213650487c6c2583f2848e6f5ae27d6bd09fca6889cea66ef1e8eca370cb26710aba1eab179955d92183b03c8e

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

MD5 b4d0e4e5e65dae0261e6389dacfc1af1
SHA1 98a96294a6fa43d2ed037b377b32d3ee876da81a
SHA256 c1978fb5525c7e32d5eaba3feceedfe4e28ef8731c3c8d2f36bfdf1c76fb6265
SHA512 fdb5a26e1944a26808ecdb8856bc11f873377ecfa97b55d350685b4c094d6428697afdd4e460cee9641cef9d726ef4e2b50d5018e7c37866c0b7efff86882ce1

C:\Users\Admin\AppData\Local\Temp\main\extracted\Installer.exe

MD5 9903ce550118ee2389f78891423ea887
SHA1 f4c28f83efce975439f3711d34662587da4f4064
SHA256 932928c1c0d4302eefe3b53f86158219b4aa3ca5285c9faf14d0f0c684bdcb26
SHA512 88ea20d8b5197d43835ea54ff0645997f53b12d68556bbb936b2347951ea3fa8d6931c917bb6ff3d9023d2ae5be1fae1e1e16da7740fd100ee9f581c88d60acb

C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

MD5 a9b2ea6a4101270c84eb55203ec2c9ce
SHA1 17e1f16fb2e6585c6113cebe376b76fffd7efebc
SHA256 9d768485e32ce6480248b5829bd0ea436547ea67312290a96306c8941e73d5b4
SHA512 333d27dc38006b96e03bdf9dc92619b8fba75f63574f27924555e4e61e689dd2abfb5f19ab75c9c830cb21ff13b64594fe76e01d348895d177f2d7b9b8ea3fdb

memory/744-282-0x0000000072680000-0x0000000072E30000-memory.dmp

memory/744-283-0x0000000007E30000-0x0000000007EF2000-memory.dmp

memory/744-284-0x0000000007F00000-0x0000000007F0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp2F97.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/744-301-0x000000000ABC0000-0x000000000AC36000-memory.dmp

memory/744-304-0x0000000006D50000-0x0000000006D6E000-memory.dmp

memory/744-308-0x0000000072680000-0x0000000072E30000-memory.dmp

memory/1156-312-0x000002A7E5BE0000-0x000002A7E5C02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pm5tukxg.elg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2076-322-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2076-321-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2076-323-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2076-328-0x00007FFAF8460000-0x00007FFAF851E000-memory.dmp

memory/2076-327-0x00007FFAF8BF0000-0x00007FFAF8DE5000-memory.dmp

memory/2076-326-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2076-324-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2076-331-0x0000000140000000-0x000000014002B000-memory.dmp

memory/676-341-0x00007FFAB8C70000-0x00007FFAB8C80000-memory.dmp

memory/1008-346-0x00007FFAB8C70000-0x00007FFAB8C80000-memory.dmp

memory/1008-345-0x00000260F9A10000-0x00000260F9A3B000-memory.dmp

memory/516-354-0x00007FFAB8C70000-0x00007FFAB8C80000-memory.dmp

memory/1212-373-0x00007FFAB8C70000-0x00007FFAB8C80000-memory.dmp

memory/1308-387-0x00007FFAB8C70000-0x00007FFAB8C80000-memory.dmp

memory/1308-386-0x000001CE68B80000-0x000001CE68BAB000-memory.dmp

memory/1260-377-0x00007FFAB8C70000-0x00007FFAB8C80000-memory.dmp

memory/1260-376-0x000001F01D170000-0x000001F01D19B000-memory.dmp

memory/1212-372-0x0000011B2A830000-0x0000011B2A85B000-memory.dmp

memory/1196-370-0x00007FFAB8C70000-0x00007FFAB8C80000-memory.dmp

memory/1196-369-0x000001AFAB660000-0x000001AFAB68B000-memory.dmp

memory/1112-367-0x00007FFAB8C70000-0x00007FFAB8C80000-memory.dmp

memory/1112-366-0x00000238151A0000-0x00000238151CB000-memory.dmp

memory/1040-364-0x00007FFAB8C70000-0x00007FFAB8C80000-memory.dmp

memory/1040-363-0x00000215BEAF0000-0x00000215BEB1B000-memory.dmp

memory/940-357-0x00007FFAB8C70000-0x00007FFAB8C80000-memory.dmp

memory/940-356-0x000001B875C90000-0x000001B875CBB000-memory.dmp

memory/516-353-0x000002D94FFB0000-0x000002D94FFDB000-memory.dmp

memory/944-349-0x00007FFAB8C70000-0x00007FFAB8C80000-memory.dmp

memory/944-348-0x000001E3877D0000-0x000001E3877FB000-memory.dmp

memory/676-340-0x000002D2EC240000-0x000002D2EC26B000-memory.dmp

memory/616-337-0x00007FFAB8C70000-0x00007FFAB8C80000-memory.dmp

memory/616-336-0x0000016A54790000-0x0000016A547BB000-memory.dmp

memory/616-335-0x0000016A54760000-0x0000016A54784000-memory.dmp

memory/2596-623-0x0000020AA6730000-0x0000020AA674C000-memory.dmp

memory/2596-624-0x0000020AA6750000-0x0000020AA6805000-memory.dmp

memory/2596-625-0x0000020AA6810000-0x0000020AA681A000-memory.dmp

memory/2596-626-0x0000020AA6980000-0x0000020AA699C000-memory.dmp

memory/2596-627-0x0000020AA6960000-0x0000020AA696A000-memory.dmp

memory/2596-628-0x0000020AA69C0000-0x0000020AA69DA000-memory.dmp

memory/2596-629-0x0000020AA6970000-0x0000020AA6978000-memory.dmp

memory/2596-630-0x0000020AA69A0000-0x0000020AA69A6000-memory.dmp

memory/2596-631-0x0000020AA69B0000-0x0000020AA69BA000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 2d29fd3ae57f422e2b2121141dc82253
SHA1 c2464c857779c0ab4f5e766f5028fcc651a6c6b7
SHA256 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4
SHA512 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-05 01:53

Reported

2024-07-05 06:21

Platform

win7-20240704-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-05 01:53

Reported

2024-07-05 06:21

Platform

win10v2004-20240508-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-05 01:53

Reported

2024-07-05 06:21

Platform

win7-20240508-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-05 01:53

Reported

2024-07-05 06:21

Platform

win10v2004-20240704-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-05 01:53

Reported

2024-07-05 06:21

Platform

win7-20240508-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-05 01:53

Reported

2024-07-05 06:21

Platform

win10v2004-20240704-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A