Analysis Overview
SHA256
dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6
Threat Level: Known bad
The file dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Command and Scripting Interpreter: PowerShell
Stops running service(s)
Sets service image path in registry
Drops file in Drivers directory
Creates new service(s)
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Power Settings
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Launches sc.exe
Program crash
Unsigned PE
Enumerates physical storage devices
Views/modifies file attributes
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: LoadsDriver
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-05 19:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-05 19:42
Reported
2024-07-05 19:42
Platform
win7-20240220-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-07-05 19:42
Reported
2024-07-05 19:42
Platform
win7-20240704-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-07-05 19:42
Reported
2024-07-05 19:42
Platform
win10v2004-20240704-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-07-05 19:42
Reported
2024-07-05 19:42
Platform
win7-20240705-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-07-05 19:42
Reported
2024-07-05 19:42
Platform
win10v2004-20240704-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-05 19:42
Reported
2024-07-05 19:45
Platform
win7-20240704-en
Max time kernel
106s
Max time network
153s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\ProgramData\Google\Chrome\updater.exe | N/A |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\GoogleUpdateTaskMachineQC\ImagePath = "C:\\ProgramData\\Google\\Chrome\\updater.exe" | C:\Windows\system32\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\ImagePath = "\\??\\C:\\Windows\\TEMP\\anattlyrpouo.sys" | C:\Windows\system32\services.exe | N/A |
Stops running service(s)
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\Google\Chrome\updater.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1956 set thread context of 1480 | N/A | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | C:\Windows\system32\dialer.exe |
| PID 1876 set thread context of 2272 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\system32\dialer.exe |
| PID 1876 set thread context of 2300 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\system32\dialer.exe |
| PID 1876 set thread context of 2168 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\system32\dialer.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
| File opened for modification | C:\Windows\appcompat\programs\RecentFileCache.bcf | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\ABC.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\CRLs | C:\Windows\system32\dialer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\CTLs | C:\Windows\system32\dialer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 1075e89b13cfda01 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT | C:\Windows\system32\dialer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\Certificates | C:\Windows\system32\dialer.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc2
43c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 | C:\Users\Admin\AppData\Roaming\41.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\41.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\services.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe
"C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe"
C:\Users\Admin\AppData\Roaming\ABC.exe
"C:\Users\Admin\AppData\Roaming\ABC.exe"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Admin\AppData\Roaming\38.exe
"C:\Users\Admin\AppData\Roaming\38.exe"
C:\Users\Admin\AppData\Roaming\41.exe
"C:\Users\Admin\AppData\Roaming\41.exe"
C:\Users\Admin\AppData\Roaming\ABC.exe
C:\Users\Admin\AppData\Roaming\ABC.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 672
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-184301613-4798283535516588212010079181157871670-184988405714161996241035852619"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p64872182929326299261407120071 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_11.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_10.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_9.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_8.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "Installer.exe"
C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
"Installer.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15179244031422685989813583280-293851907-982253654-825418134-15902357942108730949"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2004069347-426715548136707134-12006809101936272921308212996-820412608-1808220017"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "380644860-21230322671447715091-1881546743-919929904-2126305381910571089-1039390609"
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-410777211243214017-1813430843154141716618370656535991061551617209783190095993"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "22990240215779931932993127311091439361-13596947521558950331221671421-2015657862"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8689134762810361688957438501501856273-692230562-828165813114814868-789988073"
C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-994506526-559010373139169158836996843816703817531610946645-1713514063-165964972"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1992331191283917777-677099097-259199556-207415800-4595428331670543420-747813977"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1684416384663864775-1412425650-1711302451-332945618-1911324186041761811823066591"
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1489012587-644609617-91120076620013013252123034365213313278518818113238889140"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "712411761-7622633961199705435-532010761-98926334-83160345705882653-179792193"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1799701134-1328734310-1967077938-407849458-93277793-242308344-884807159-2021307002"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1681300082-64000574515890233836226394741306468642-9282886881412157150687273744"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "666772692-48091444460863942-643137625-1036104302664478808-11984193711038082343"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11747005891248970143-1880529691354264965-2813229222131493043-20933060401450246251"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1022327541-21286101401604694915-1002267678-1236725605-1631017879-1786946674-1631799675"
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
dialer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Network
| Country | Destination | Domain | Proto |
| NL | 94.156.71.43:80 | | tcp |
| US | 8.8.8.8:53 | de.zephyr.herominers.com | udp |
| DE | 167.235.223.40:1123 | de.zephyr.herominers.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| RU | 89.23.99.145:187 | | tcp |
Files
\Users\Admin\AppData\Roaming\ABC.exe
| MD5 | 2808310786effc87a4359c778a73a7ee |
| SHA1 | 525f278678ad73a34c368f0afc4558ed0454f076 |
| SHA256 | 33d9753ee9b3920352b743d72adfd62c969ab0619eb5673151f478ebdfa197a5 |
| SHA512 | 02348e663f215ff6cf37cccea7ea4da3c53362aa75a1a0a88279b9a0acbf60deb30829b47ff7ce1ae97c43ca52b7e09ca90cbb621fee2da1a0ddcc65677c0d67 |
memory/1528-8-0x000000007298E000-0x000000007298F000-memory.dmp
memory/1528-9-0x0000000001150000-0x0000000001158000-memory.dmp
\Users\Admin\AppData\Roaming\38.exe
| MD5 | ca43f43bd60696a071914f7d56dfb170 |
| SHA1 | 0395c64a4cfc0c5b5e4f0213a2947e8971db0646 |
| SHA256 | c589837b7c914750d50c96183a6133940d0770d0a690c81b7594dafad925b8a9 |
| SHA512 | 5a476ade3e31ecdd01544111912bdf3cc43883c32703b72d698420c1ee7ec839c01cb7eadc7bfdc2f94ea7b4caac2e2a4e3f3ee088f1a1674a242d4db8d4a3be |
\Users\Admin\AppData\Roaming\41.exe
| MD5 | d3d07dbbf681e20fb2c58e5a8916a78e |
| SHA1 | 1964d2e5081b7a711fd6de9c48beada5adfe0daf |
| SHA256 | 4911bbaedcca532e468702601a467444f6bfcf65d940bed75fcaaca9d06c8150 |
| SHA512 | 42b2d6cdb522cd374f2b688ac47c62faae5416790a70930088dee5a2fa21561372bbef0bcd2c689b23f01f85347fd5b3c69d3d35193c4c9d57a6fb4251149951 |
memory/2664-27-0x0000000000040000-0x000000000004A000-memory.dmp
memory/2664-28-0x0000000000200000-0x0000000000208000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\main.bat
| MD5 | 795ed47bc19ab0411368e5dc7aca6e07 |
| SHA1 | 850985565706675ee301d8566b2d53f67f262bf7 |
| SHA256 | 5f34e93c4e86b48cf1a799e6365430cd9fc3f995725d643e29ef5789272aa900 |
| SHA512 | 94509161822c07b48c876d2228e0e1b52aea7dc57b536c359de25f42a5ece221a6fc283d78ccfae2a85173099be48adc31f7ada74c620eb1e69ae07a09fc1341 |
C:\Users\Admin\AppData\Local\Temp\main\file.bin
| MD5 | e885c9465536f062fc721721fa06e903 |
| SHA1 | 2106458467b24cff9b88d850c0a3c89898975c76 |
| SHA256 | 968c86c0f6456a124ebfdd7d2ea4e4ec398148522cdb38246d0f41bc6002e981 |
| SHA512 | e6ea1af4dbc774323308c6e45ae3a9870e7e3f79ab660f6c3acf77fa4615cd20919fe4c048c5c28d24a7f70e73f0da468b86570589aa605552ebf7f743823aaa |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_11.zip
| MD5 | 8075ea50b2ab44f7c966326454fd36f9 |
| SHA1 | 3779fd6f91b063c1848d5ad5f1565d19ad8dfecd |
| SHA256 | 5fa303944c7f3ebcae8096c0e19155ae275280af73b88e348d9555ae306c8afa |
| SHA512 | 787814480f4d431c5f9939af50bfd33db26818f04b1c5e925d7382d5e9f5acfc661be6ad07eeae80a66541a8edb48d99e5087bb2d3df0f64d3f797deb1f24a58 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_10.zip
| MD5 | e10377d5147815c70d80dc19156aaa53 |
| SHA1 | 4ea7ab5c249e008960bb0f676de22b3e56e4a0af |
| SHA256 | a011c602ed35528769f63a473c195a5f69d9bf7611d8497da57a8f0d32f29559 |
| SHA512 | 448cb4731d60a620680e75e45a0ac17a77f945c2947a939d762958635bb7649b02d1b6754508c020311d23f1646abb73ee428f6e1507d828cf6287442d5c7c27 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip
| MD5 | 5df06ab0b8c35e23bfea346625eed65b |
| SHA1 | 83de80af6bf3e9cf84c9c8f0d27ad264779505e7 |
| SHA256 | e2a520a96e5f2f67c5a7ece9b3593ee7c584aa626cfbc7c592701e89b22c9995 |
| SHA512 | f396a039d4d145697b08d2834db16b57225c1caa1f1bd6489fc54847c53c29922846558c82085625a0e8e61d60c2a999e902da14921d3309262d9b005b7623ff |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip
| MD5 | a2fcdf069cb33a227138c7c51c47d310 |
| SHA1 | 6fdd15e4ff504cf31244b69db19d997f7fe982f2 |
| SHA256 | 0f1d600027dcbc1f9a1257214f84b50b79ab3cd2c5cc32710bbaaa73534fcca7 |
| SHA512 | 70fd3fc47af77c3766970d7e1bbf0e323d2d75fdff568a325f7610a238774f46e91d1633b6c6805a410e3b5ac8d298e5ae3a15850e66ae64c8b1b6fa27a114f7 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip
| MD5 | b38062631e88c006d9207a2cab53c38f |
| SHA1 | 33032c590ddb951da06d66bf72dd094435c4f9dd |
| SHA256 | c0c5aaa8727554a536d4b94d859cf68995accf8900809503c0dbe7676acc1a03 |
| SHA512 | 1f75f14348840089f312ddeb724149dab3b26fe5c001940a3f24961063882d1947621495ec63712927e1f9eab9cb3648af64538e98fb54f117f1a67af604eb92 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip
| MD5 | 1d2bfb868c2435a6d4b8ce54f176f53a |
| SHA1 | d167f754a0dbee66ded83ba45976f25cd15675a1 |
| SHA256 | 63638a0f50d91de6481e4935a0756a7e7580c77eefd951876856b0ca12014f4d |
| SHA512 | fc02bd564314c77f88c5ce500f29630b252928a281e9cb27358e8654f2f05ccb18cd2047a3956dffeeb548679e8d0d3531fa7ac8985d736adcee3dd28161ad63 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip
| MD5 | f35f55dcc36764bd3f8c7ee78c8c6183 |
| SHA1 | c14a73b93477a432164feb7c88f3e0a7945ee79a |
| SHA256 | 7b5720d4674c6add26e32b71f5de0b756146b77cae776b228950bce8fca82d34 |
| SHA512 | 73530110dcb560bf961eb69a0296b459717189cd45f98dfa7394888c41c4a1f0529e5524634ade6e35a42e0a173a77c91dbf41538b399c7bec1644c2db2e1a9d |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip
| MD5 | 74ea54b446d40ac1b028f6fd1c328d82 |
| SHA1 | 237fd55ad9f283d63c2b5990fc75fae3c6798db2 |
| SHA256 | 83b5d02c807446a860dcca710bdf8c2b5dd85c1603f6fca58665a39ab22d94ff |
| SHA512 | 69281509d8f45ddd9a7751557e069f712f0793cf048c207e180033b3fb77dbf388d7a65fac347ee6cbdc11441d3f4fff693c1c9d0e3b98537cb2e7b23d6231a5 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
| MD5 | 95b8bfebc75827e00d4166e13021e71b |
| SHA1 | e06f225bc0ff7fc18424fff88281b660a095bd23 |
| SHA256 | 075d77843575cfb5a0be0476059aa55ec88069aeab24802d9ba875c35ea34ac8 |
| SHA512 | 9e4a947efc2134d936b5dfd2ac52880f93ab078f9f02ba174c751a08a604b33c61453234118700cc2ca0d2c05c6171fe3c800d89291ac4ae25ea1fb994b713e9 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
| MD5 | c65fb7a8a19cdf11ea75d3806eab28b6 |
| SHA1 | cae2ed51df810884d6b6f2978b3e36bcffa7a103 |
| SHA256 | 6fe4f7993b5e22feae40b277d7b768f1609c77bfe24beaef8d1a4d96f35accdf |
| SHA512 | 9867531acf3399b497da3d14c50fe6e926620c213650487c6c2583f2848e6f5ae27d6bd09fca6889cea66ef1e8eca370cb26710aba1eab179955d92183b03c8e |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
| MD5 | b4d0e4e5e65dae0261e6389dacfc1af1 |
| SHA1 | 98a96294a6fa43d2ed037b377b32d3ee876da81a |
| SHA256 | c1978fb5525c7e32d5eaba3feceedfe4e28ef8731c3c8d2f36bfdf1c76fb6265 |
| SHA512 | fdb5a26e1944a26808ecdb8856bc11f873377ecfa97b55d350685b4c094d6428697afdd4e460cee9641cef9d726ef4e2b50d5018e7c37866c0b7efff86882ce1 |
memory/2664-139-0x0000000007070000-0x0000000007132000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp986A.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | 5d1a6f357a7a081d2079d3b7148f8f7d |
| SHA1 | 643857cb7a85eaa18e2aea5d7569ef611a93b38c |
| SHA256 | 3018b37625f9ea89476c64bf7739fec36601c650484be99e3358df94c1d8d430 |
| SHA512 | c4bb125f1f3e239b6f8f68f380c10b689ca7dcc590047608a40421cf8d7cddfafc38a1ddbcaba466b11f738a2dab2946feb2818f50049211b0ebfe320a4e5ab0 |
memory/2820-238-0x000000001B250000-0x000000001B532000-memory.dmp
memory/2820-239-0x0000000001D30000-0x0000000001D38000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2212144002-1172735686-1556890956-1000\215265b546cda95a5fd368c4191fdf43_5349ca0f-aec5-405f-83e0-aa034653cb76
| MD5 | 0158fe9cead91d1b027b795984737614 |
| SHA1 | b41a11f909a7bdf1115088790a5680ac4e23031b |
| SHA256 | 513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a |
| SHA512 | c48a55cc7a92cefcefe5fb2382ccd8ef651fc8e0885e88a256cd2f5d83b824b7d910f755180b29eccb54d9361d6af82f9cc741bd7e6752122949b657da973676 |
memory/1480-263-0x0000000140000000-0x000000014002B000-memory.dmp
memory/1480-265-0x0000000140000000-0x000000014002B000-memory.dmp
memory/1480-262-0x0000000140000000-0x000000014002B000-memory.dmp
memory/1480-260-0x0000000140000000-0x000000014002B000-memory.dmp
memory/1480-261-0x0000000140000000-0x000000014002B000-memory.dmp
memory/1480-268-0x0000000140000000-0x000000014002B000-memory.dmp
memory/1480-267-0x0000000076E10000-0x0000000076F2F000-memory.dmp
memory/1480-266-0x0000000077030000-0x00000000771D9000-memory.dmp
memory/416-274-0x00000000001B0000-0x00000000001DB000-memory.dmp
memory/648-427-0x0000000001BB0000-0x0000000001BDB000-memory.dmp
memory/1464-415-0x0000000001E10000-0x0000000001E3B000-memory.dmp
memory/416-273-0x0000000000180000-0x00000000001A4000-memory.dmp
memory/416-271-0x0000000000180000-0x00000000001A4000-memory.dmp
memory/648-429-0x0000000037070000-0x0000000037080000-memory.dmp
memory/648-428-0x000007FEBF1C0000-0x000007FEBF1D0000-memory.dmp
memory/1416-425-0x0000000037070000-0x0000000037080000-memory.dmp
memory/1416-424-0x000007FEBF1C0000-0x000007FEBF1D0000-memory.dmp
memory/1416-423-0x00000000008C0000-0x00000000008EB000-memory.dmp
memory/692-421-0x0000000037070000-0x0000000037080000-memory.dmp
memory/692-420-0x000007FEBF1C0000-0x000007FEBF1D0000-memory.dmp
memory/692-419-0x00000000007E0000-0x000000000080B000-memory.dmp
memory/1464-417-0x0000000037070000-0x0000000037080000-memory.dmp
memory/1464-416-0x000007FEBF1C0000-0x000007FEBF1D0000-memory.dmp
memory/588-562-0x00000000FF410000-0x00000000FF467000-memory.dmp
memory/2088-568-0x00000000009A0000-0x00000000009A8000-memory.dmp
memory/2088-567-0x0000000019D00000-0x0000000019FE2000-memory.dmp
memory/588-587-0x00000000FF410000-0x00000000FF467000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2212144002-1172735686-1556890956-1000\76b53b3ec448f7ccdda2063b15d2bfc3_5349ca0f-aec5-405f-83e0-aa034653cb76
| MD5 | bbc8da7d36df3f91c460984c2abe8419 |
| SHA1 | 9a247c3d293022fde4f3abc8b56259275c4ef97c |
| SHA256 | 0399ccf5e780949a63400736a46cce7d1879903d0f45c6b7d194c960ba4dddc2 |
| SHA512 | facbe33baa35fccf8072fe207a4d5eda2a64c4ed067c8eecb23e49cb003747be4c3772cb4ae2dfb87f91aa711b9a8371a2e0d76dc40830e275098172318d7cb4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-05 19:42
Reported
2024-07-05 19:45
Platform
win10v2004-20240704-en
Max time kernel
150s
Max time network
107s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\ProgramData\Google\Chrome\updater.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\38.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Setup.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\Google\Chrome\updater.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1656 set thread context of 3208 | N/A | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | C:\Windows\system32\dialer.exe |
| PID 4712 set thread context of 4176 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\system32\dialer.exe |
| PID 4712 set thread context of 3824 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\system32\dialer.exe |
| PID 4712 set thread context of 5084 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\system32\dialer.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\ABC.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\dialer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1720208647" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\dialer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT | C:\Windows\system32\dialer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\dialer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\41.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [binary blob value not shown] | C:\Users\Admin\AppData\Roaming\41.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe
"C:\Users\Admin\AppData\Local\Temp\dc77bc57b387b7e3533138e903622509cea2f2f5564b519c57bfaab35bf773c6.exe"
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Users\Admin\AppData\Roaming\ABC.exe
"C:\Users\Admin\AppData\Roaming\ABC.exe"
C:\Users\Admin\AppData\Roaming\38.exe
"C:\Users\Admin\AppData\Roaming\38.exe"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Admin\AppData\Roaming\41.exe
"C:\Users\Admin\AppData\Roaming\41.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
C:\Users\Admin\AppData\Roaming\ABC.exe
C:\Users\Admin\AppData\Roaming\ABC.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4664 -ip 4664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1020
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p64872182929326299261407120071 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_11.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_10.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_9.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_8.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "Installer.exe"
C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
"Installer.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
dialer.exe
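The command lines above are a recognisable chain: a broad Defender exclusion, removal of the Malicious Software Removal Tool update (KB890830), stopping the Windows Update family of services (UsoSvc, WaaSMedicSvc, wuauserv, bits, dosvc), powercfg changes that keep the host awake, a service named like a Google updater whose binary lives in a user-writable directory (C:\ProgramData), and finally a stop of the eventlog service before the new service is started. The script below is an added detection example, not part of the sandbox report and not the sample's own code. It runs a small set of rules over process-creation events; the sample feed is constructed from the command lines listed on this page plus one benign control line, and the rule names and the "three distinct rules" threshold are this example's own choices.

```python
import re
from collections import Counter

# Constructed sample feed, (image, command line), built from the command lines
# listed in this report plus one benign control line; this is not sandbox output.
EVENTS = [
    (r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) "
     r"-ExclusionExtension '.exe' -Force"),
    (r"C:\Windows\system32\cmd.exe", r"cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    (r"C:\Windows\system32\sc.exe", r"sc.exe stop UsoSvc"),
    (r"C:\Windows\system32\sc.exe", r"sc.exe stop WaaSMedicSvc"),
    (r"C:\Windows\system32\sc.exe", r"sc.exe stop wuauserv"),
    (r"C:\Windows\system32\sc.exe", r"sc.exe stop bits"),
    (r"C:\Windows\system32\sc.exe", r"sc.exe stop dosvc"),
    (r"C:\Windows\system32\powercfg.exe", r"powercfg.exe /x -hibernate-timeout-ac 0"),
    (r"C:\Windows\system32\powercfg.exe", r"powercfg.exe /x -standby-timeout-dc 0"),
    (r"C:\Windows\system32\sc.exe", r'sc.exe delete "GoogleUpdateTaskMachineQC"'),
    (r"C:\Windows\system32\sc.exe",
     r'sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"'),
    (r"C:\Windows\system32\sc.exe", r"sc.exe stop eventlog"),
    (r"C:\Windows\system32\sc.exe", r'sc.exe start "GoogleUpdateTaskMachineQC"'),
    # Benign control: an administrator stopping the print spooler should fire nothing.
    (r"C:\Windows\system32\sc.exe", r"sc.exe stop Spooler"),
]

# Services the sample stops to keep Windows Update and its self-healing from running.
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
# Directory fragments a standard user can write to; a service binary there is suspect.
USER_WRITABLE = ("c:\\programdata", "c:\\users\\", "\\appdata\\", "\\temp\\")
SC_STOP = re.compile(r"\bsc(\.exe)?\s+stop\s+\"?([^\s\"]+)", re.I)


def defender_exclusion_broad(cl):
    """Add-MpPreference excluding whole profile/ProgramData trees or every .exe."""
    low = cl.lower()
    return ("add-mppreference" in low
            and ("-exclusionpath" in low or "-exclusionextension" in low)
            and any(t in low for t in ("$env:userprofile", "$env:programdata", "'.exe'")))


def msrt_uninstall(cl):
    """wusa removing KB890830, the Malicious Software Removal Tool."""
    return re.search(r"\bwusa(\.exe)?\s+/uninstall\s+/kb:890830\b", cl, re.I) is not None


def update_service_stop(cl):
    m = SC_STOP.search(cl)
    return m is not None and m.group(2).lower() in UPDATE_SERVICES


def eventlog_service_stop(cl):
    m = SC_STOP.search(cl)
    return m is not None and m.group(2).lower() == "eventlog"


def powercfg_disable_sleep(cl):
    """Standby/hibernate timeouts set to 0 (never), on AC or DC power."""
    return re.search(r"\bpowercfg(\.exe)?\s+/x\s+-(hibernate|standby)-timeout-(ac|dc)\s+0\b",
                     cl, re.I) is not None


def service_binpath_user_writable(cl):
    """sc create whose binpath= points into a user-writable location."""
    m = re.search(r"\bsc(\.exe)?\s+create\s+.*?binpath=\s*\"?([^\s\"]+)", cl, re.I)
    return m is not None and any(p in m.group(2).lower() for p in USER_WRITABLE)


RULES = {
    "defender_exclusion_broad": defender_exclusion_broad,
    "msrt_uninstall": msrt_uninstall,
    "update_service_stop": update_service_stop,
    "eventlog_service_stop": eventlog_service_stop,
    "powercfg_disable_sleep": powercfg_disable_sleep,
    "service_binpath_user_writable": service_binpath_user_writable,
}


def match_event(cmdline):
    """Names of the rules that fire on one command line (empty list if none)."""
    return [name for name, rule in RULES.items() if rule(cmdline)]


def assess(events, min_rules=3):
    """Count rule hits over a feed; the chain is reported when at least
    min_rules distinct rules fire (threshold is this example's assumption)."""
    hits = Counter()
    for _image, cmdline in events:
        for name in match_event(cmdline):
            hits[name] += 1
    return hits, len(hits) >= min_rules


if __name__ == "__main__":
    hits, chain = assess(EVENTS)
    for name, n in sorted(hits.items()):
        print(f"{name:32s} {n}")
    print("chain detected:", chain)
```

Each rule is narrow enough to be explainable on its own, and the per-host aggregation is what turns individually noisy events (an admin legitimately stopping bits, or setting a power plan) into a confident alert: three unrelated tactics inside one process tree is the signal, not any single command.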
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 42.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | de.zephyr.herominers.com | udp |
| DE | 167.235.223.40:1123 | de.zephyr.herominers.com | tcp |
| US | 8.8.8.8:53 | 40.223.235.167.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| RU | 89.23.99.145:187 | | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.99.23.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\ABC.exe
| MD5 | 2808310786effc87a4359c778a73a7ee |
| SHA1 | 525f278678ad73a34c368f0afc4558ed0454f076 |
| SHA256 | 33d9753ee9b3920352b743d72adfd62c969ab0619eb5673151f478ebdfa197a5 |
| SHA512 | 02348e663f215ff6cf37cccea7ea4da3c53362aa75a1a0a88279b9a0acbf60deb30829b47ff7ce1ae97c43ca52b7e09ca90cbb621fee2da1a0ddcc65677c0d67 |
memory/404-60-0x00000000725CE000-0x00000000725CF000-memory.dmp
memory/404-61-0x0000000000F70000-0x0000000000F78000-memory.dmp
memory/404-62-0x0000000005910000-0x0000000005976000-memory.dmp
C:\Users\Admin\AppData\Roaming\38.exe
| MD5 | ca43f43bd60696a071914f7d56dfb170 |
| SHA1 | 0395c64a4cfc0c5b5e4f0213a2947e8971db0646 |
| SHA256 | c589837b7c914750d50c96183a6133940d0770d0a690c81b7594dafad925b8a9 |
| SHA512 | 5a476ade3e31ecdd01544111912bdf3cc43883c32703b72d698420c1ee7ec839c01cb7eadc7bfdc2f94ea7b4caac2e2a4e3f3ee088f1a1674a242d4db8d4a3be |
C:\Users\Admin\AppData\Roaming\41.exe
| MD5 | d3d07dbbf681e20fb2c58e5a8916a78e |
| SHA1 | 1964d2e5081b7a711fd6de9c48beada5adfe0daf |
| SHA256 | 4911bbaedcca532e468702601a467444f6bfcf65d940bed75fcaaca9d06c8150 |
| SHA512 | 42b2d6cdb522cd374f2b688ac47c62faae5416790a70930088dee5a2fa21561372bbef0bcd2c689b23f01f85347fd5b3c69d3d35193c4c9d57a6fb4251149951 |
memory/3144-184-0x0000000000010000-0x000000000001A000-memory.dmp
memory/3144-185-0x00000000725C0000-0x0000000072D70000-memory.dmp
memory/3144-186-0x0000000000660000-0x0000000000668000-memory.dmp
memory/3144-187-0x0000000007340000-0x00000000078E4000-memory.dmp
memory/3144-188-0x0000000006E30000-0x0000000006EC2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\main.bat
| MD5 | 795ed47bc19ab0411368e5dc7aca6e07 |
| SHA1 | 850985565706675ee301d8566b2d53f67f262bf7 |
| SHA256 | 5f34e93c4e86b48cf1a799e6365430cd9fc3f995725d643e29ef5789272aa900 |
| SHA512 | 94509161822c07b48c876d2228e0e1b52aea7dc57b536c359de25f42a5ece221a6fc283d78ccfae2a85173099be48adc31f7ada74c620eb1e69ae07a09fc1341 |
C:\Users\Admin\AppData\Local\Temp\main\file.bin
| MD5 | e885c9465536f062fc721721fa06e903 |
| SHA1 | 2106458467b24cff9b88d850c0a3c89898975c76 |
| SHA256 | 968c86c0f6456a124ebfdd7d2ea4e4ec398148522cdb38246d0f41bc6002e981 |
| SHA512 | e6ea1af4dbc774323308c6e45ae3a9870e7e3f79ab660f6c3acf77fa4615cd20919fe4c048c5c28d24a7f70e73f0da468b86570589aa605552ebf7f743823aaa |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_11.zip
| MD5 | 8075ea50b2ab44f7c966326454fd36f9 |
| SHA1 | 3779fd6f91b063c1848d5ad5f1565d19ad8dfecd |
| SHA256 | 5fa303944c7f3ebcae8096c0e19155ae275280af73b88e348d9555ae306c8afa |
| SHA512 | 787814480f4d431c5f9939af50bfd33db26818f04b1c5e925d7382d5e9f5acfc661be6ad07eeae80a66541a8edb48d99e5087bb2d3df0f64d3f797deb1f24a58 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_10.zip
| MD5 | e10377d5147815c70d80dc19156aaa53 |
| SHA1 | 4ea7ab5c249e008960bb0f676de22b3e56e4a0af |
| SHA256 | a011c602ed35528769f63a473c195a5f69d9bf7611d8497da57a8f0d32f29559 |
| SHA512 | 448cb4731d60a620680e75e45a0ac17a77f945c2947a939d762958635bb7649b02d1b6754508c020311d23f1646abb73ee428f6e1507d828cf6287442d5c7c27 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip
| MD5 | 5df06ab0b8c35e23bfea346625eed65b |
| SHA1 | 83de80af6bf3e9cf84c9c8f0d27ad264779505e7 |
| SHA256 | e2a520a96e5f2f67c5a7ece9b3593ee7c584aa626cfbc7c592701e89b22c9995 |
| SHA512 | f396a039d4d145697b08d2834db16b57225c1caa1f1bd6489fc54847c53c29922846558c82085625a0e8e61d60c2a999e902da14921d3309262d9b005b7623ff |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip
| MD5 | a2fcdf069cb33a227138c7c51c47d310 |
| SHA1 | 6fdd15e4ff504cf31244b69db19d997f7fe982f2 |
| SHA256 | 0f1d600027dcbc1f9a1257214f84b50b79ab3cd2c5cc32710bbaaa73534fcca7 |
| SHA512 | 70fd3fc47af77c3766970d7e1bbf0e323d2d75fdff568a325f7610a238774f46e91d1633b6c6805a410e3b5ac8d298e5ae3a15850e66ae64c8b1b6fa27a114f7 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip
| MD5 | b38062631e88c006d9207a2cab53c38f |
| SHA1 | 33032c590ddb951da06d66bf72dd094435c4f9dd |
| SHA256 | c0c5aaa8727554a536d4b94d859cf68995accf8900809503c0dbe7676acc1a03 |
| SHA512 | 1f75f14348840089f312ddeb724149dab3b26fe5c001940a3f24961063882d1947621495ec63712927e1f9eab9cb3648af64538e98fb54f117f1a67af604eb92 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip
| MD5 | 1d2bfb868c2435a6d4b8ce54f176f53a |
| SHA1 | d167f754a0dbee66ded83ba45976f25cd15675a1 |
| SHA256 | 63638a0f50d91de6481e4935a0756a7e7580c77eefd951876856b0ca12014f4d |
| SHA512 | fc02bd564314c77f88c5ce500f29630b252928a281e9cb27358e8654f2f05ccb18cd2047a3956dffeeb548679e8d0d3531fa7ac8985d736adcee3dd28161ad63 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip
| MD5 | f35f55dcc36764bd3f8c7ee78c8c6183 |
| SHA1 | c14a73b93477a432164feb7c88f3e0a7945ee79a |
| SHA256 | 7b5720d4674c6add26e32b71f5de0b756146b77cae776b228950bce8fca82d34 |
| SHA512 | 73530110dcb560bf961eb69a0296b459717189cd45f98dfa7394888c41c4a1f0529e5524634ade6e35a42e0a173a77c91dbf41538b399c7bec1644c2db2e1a9d |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip
| MD5 | 74ea54b446d40ac1b028f6fd1c328d82 |
| SHA1 | 237fd55ad9f283d63c2b5990fc75fae3c6798db2 |
| SHA256 | 83b5d02c807446a860dcca710bdf8c2b5dd85c1603f6fca58665a39ab22d94ff |
| SHA512 | 69281509d8f45ddd9a7751557e069f712f0793cf048c207e180033b3fb77dbf388d7a65fac347ee6cbdc11441d3f4fff693c1c9d0e3b98537cb2e7b23d6231a5 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
| MD5 | 95b8bfebc75827e00d4166e13021e71b |
| SHA1 | e06f225bc0ff7fc18424fff88281b660a095bd23 |
| SHA256 | 075d77843575cfb5a0be0476059aa55ec88069aeab24802d9ba875c35ea34ac8 |
| SHA512 | 9e4a947efc2134d936b5dfd2ac52880f93ab078f9f02ba174c751a08a604b33c61453234118700cc2ca0d2c05c6171fe3c800d89291ac4ae25ea1fb994b713e9 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
| MD5 | c65fb7a8a19cdf11ea75d3806eab28b6 |
| SHA1 | cae2ed51df810884d6b6f2978b3e36bcffa7a103 |
| SHA256 | 6fe4f7993b5e22feae40b277d7b768f1609c77bfe24beaef8d1a4d96f35accdf |
| SHA512 | 9867531acf3399b497da3d14c50fe6e926620c213650487c6c2583f2848e6f5ae27d6bd09fca6889cea66ef1e8eca370cb26710aba1eab179955d92183b03c8e |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
| MD5 | b4d0e4e5e65dae0261e6389dacfc1af1 |
| SHA1 | 98a96294a6fa43d2ed037b377b32d3ee876da81a |
| SHA256 | c1978fb5525c7e32d5eaba3feceedfe4e28ef8731c3c8d2f36bfdf1c76fb6265 |
| SHA512 | fdb5a26e1944a26808ecdb8856bc11f873377ecfa97b55d350685b4c094d6428697afdd4e460cee9641cef9d726ef4e2b50d5018e7c37866c0b7efff86882ce1 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
| MD5 | a9b2ea6a4101270c84eb55203ec2c9ce |
| SHA1 | 17e1f16fb2e6585c6113cebe376b76fffd7efebc |
| SHA256 | 9d768485e32ce6480248b5829bd0ea436547ea67312290a96306c8941e73d5b4 |
| SHA512 | 333d27dc38006b96e03bdf9dc92619b8fba75f63574f27924555e4e61e689dd2abfb5f19ab75c9c830cb21ff13b64594fe76e01d348895d177f2d7b9b8ea3fdb |
C:\Users\Admin\AppData\Local\Temp\main\extracted\Installer.exe
| MD5 | 9903ce550118ee2389f78891423ea887 |
| SHA1 | f4c28f83efce975439f3711d34662587da4f4064 |
| SHA256 | 932928c1c0d4302eefe3b53f86158219b4aa3ca5285c9faf14d0f0c684bdcb26 |
| SHA512 | 88ea20d8b5197d43835ea54ff0645997f53b12d68556bbb936b2347951ea3fa8d6931c917bb6ff3d9023d2ae5be1fae1e1e16da7740fd100ee9f581c88d60acb |
memory/3144-282-0x00000000725C0000-0x0000000072D70000-memory.dmp
memory/3144-283-0x00000000070D0000-0x0000000007192000-memory.dmp
memory/3144-284-0x0000000006DD0000-0x0000000006DDA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TmpC7E.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/3144-301-0x0000000009DB0000-0x0000000009E26000-memory.dmp
memory/3144-304-0x0000000005F50000-0x0000000005F6E000-memory.dmp
memory/3144-308-0x00000000725C0000-0x0000000072D70000-memory.dmp
memory/1496-309-0x00000194162A0000-0x00000194162C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tp514sam.mso.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3208-322-0x0000000140000000-0x000000014002B000-memory.dmp
memory/3208-328-0x00007FF94D290000-0x00007FF94D485000-memory.dmp
memory/3208-329-0x00007FF94B610000-0x00007FF94B6CE000-memory.dmp
memory/3208-325-0x0000000140000000-0x000000014002B000-memory.dmp
memory/3208-324-0x0000000140000000-0x000000014002B000-memory.dmp
memory/3208-323-0x0000000140000000-0x000000014002B000-memory.dmp
memory/3208-327-0x0000000140000000-0x000000014002B000-memory.dmp
memory/3208-331-0x0000000140000000-0x000000014002B000-memory.dmp
memory/676-347-0x00007FF90D310000-0x00007FF90D320000-memory.dmp
memory/616-335-0x00000255D9B40000-0x00000255D9B64000-memory.dmp
memory/676-346-0x0000021EE9A90000-0x0000021EE9ABB000-memory.dmp
memory/952-371-0x00007FF90D310000-0x00007FF90D320000-memory.dmp
memory/952-370-0x00000226011A0000-0x00000226011CB000-memory.dmp
memory/380-344-0x00007FF90D310000-0x00007FF90D320000-memory.dmp
memory/380-343-0x000001F466CF0000-0x000001F466D1B000-memory.dmp
memory/616-338-0x00007FF90D310000-0x00007FF90D320000-memory.dmp
memory/616-337-0x00000255D9B70000-0x00000255D9B9B000-memory.dmp
memory/396-628-0x000002B0803A0000-0x000002B0803BC000-memory.dmp
memory/396-629-0x000002B0803C0000-0x000002B080475000-memory.dmp
memory/396-630-0x000002B0E58A0000-0x000002B0E58AA000-memory.dmp
memory/396-631-0x000002B0FFFA0000-0x000002B0FFFBC000-memory.dmp
memory/396-632-0x000002B0E58B0000-0x000002B0E58BA000-memory.dmp
memory/396-633-0x000002B0FFFC0000-0x000002B0FFFDA000-memory.dmp
memory/396-634-0x000002B0805C0000-0x000002B0805C8000-memory.dmp
memory/396-635-0x000002B0805D0000-0x000002B0805D6000-memory.dmp
memory/396-636-0x000002B0FFF80000-0x000002B0FFF8A000-memory.dmp
C:\Windows\system32\drivers\etc\hosts
| MD5 | 2d29fd3ae57f422e2b2121141dc82253 |
| SHA1 | c2464c857779c0ab4f5e766f5028fcc651a6c6b7 |
| SHA256 | 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4 |
| SHA512 | 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-05 19:42
Reported
2024-07-05 19:42
Platform
win10v2004-20240704-en