Malware Analysis Report

2024-11-13 16:19

Sample ID 240829-hb9erszenq
Target PAIcom.rar
SHA256 19296eb9830d79b73295a7126dca332bbeb702b9cf4a2f806f89f0962af721de
Tags discovery agilenet
Score 7/10

Analysis Overview

Score

7/10

SHA256

19296eb9830d79b73295a7126dca332bbeb702b9cf4a2f806f89f0962af721de

Threat Level: Shows suspicious behavior

The file PAIcom.rar was found to show suspicious behavior.

Malicious Activity Summary

discovery agilenet

Obfuscated with Agile.Net obfuscator

Legitimate hosting services abused for malware hosting/C2

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-29 06:36

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:41

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

160s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\online.bat"

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 620 wrote to memory of 1784 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 620 wrote to memory of 1784 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\online.bat"

C:\Windows\explorer.exe

explorer "steam://friends/status/online"

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:40

Platform

win7-20240708-en

Max time kernel

117s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\skins.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\skins.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\skins.exe

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\skins.exe"

Network

N/A

Files

Analysis: behavioral30

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:41

Platform

win10v2004-20240802-en

Max time kernel

137s

Max time network

165s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\steam.bat"

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2732 wrote to memory of 3820 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 2732 wrote to memory of 3820 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\steam.bat"

C:\Windows\explorer.exe

explorer "steam://nav/games"

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:40

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Commands.exe"

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Commands.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Commands.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Commands.exe

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Commands.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gist.githubusercontent.com udp
US 185.199.108.133:443 gist.githubusercontent.com tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp

Files

Analysis: behavioral9

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:41

Platform

win7-20240729-en

Max time kernel

3s

Max time network

19s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\chrome.bat"

Signatures

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1972 wrote to memory of 2424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 2424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1972 wrote to memory of 2424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\chrome.bat"

C:\Windows\system32\taskkill.exe

taskkill /im chrome.exe

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:41

Platform

win10v2004-20240802-en

Max time kernel

139s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\skins.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\skins.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\skins.exe

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\skins.exe"

Network

Files

Analysis: behavioral28

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:40

Platform

win10v2004-20240802-en

Max time kernel

138s

Max time network

165s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\smug.bat"

Signatures

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1568 wrote to memory of 2232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1568 wrote to memory of 2232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1568 wrote to memory of 736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1568 wrote to memory of 736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\smug.bat"

C:\Windows\system32\taskkill.exe

taskkill /im 720.exe

C:\Windows\system32\taskkill.exe

taskkill /im 1080.exe

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:41

Platform

win7-20240729-en

Max time kernel

117s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Commands.exe"

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Commands.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Commands.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Commands.exe

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Commands.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1208

Network

Country Destination Domain Proto
US 8.8.8.8:53 gist.githubusercontent.com udp
US 185.199.110.133:443 gist.githubusercontent.com tcp

Files

Analysis: behavioral12

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:40

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

162s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\commands.bat"

Signatures

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4376 wrote to memory of 1836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4376 wrote to memory of 1836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4376 wrote to memory of 4820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4376 wrote to memory of 4820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4376 wrote to memory of 4004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4376 wrote to memory of 4004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\commands.bat"

C:\Windows\system32\taskkill.exe

taskkill /im Commands.exe

C:\Windows\system32\taskkill.exe

taskkill /im Commands2.exe

C:\Windows\system32\taskkill.exe

taskkill /im Settings.exe

Network

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:41

Platform

win7-20240704-en

Max time kernel

5s

Max time network

17s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\exit.bat"

Signatures

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2748 wrote to memory of 1788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2748 wrote to memory of 1788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2748 wrote to memory of 1788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\exit.bat"

C:\Windows\system32\taskkill.exe

taskkill /im PAIcom.exe

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:41

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom-Debug.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom-Debug.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom-Debug.exe

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom-Debug.exe"

Network

Files

Analysis: behavioral19

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:41

Platform

win7-20240704-en

Max time kernel

3s

Max time network

28s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mute.exe"

Signatures

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mute.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mute.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mute.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mute.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mute.exe

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mute.exe"

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:41

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\privileges.exe"

Signatures

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\privileges.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\privileges.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\privileges.exe

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\privileges.exe"

Network

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:41

Platform

win7-20240704-en

Max time kernel

125s

Max time network

155s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\steam2.bat"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1368 wrote to memory of 1800 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 1368 wrote to memory of 1800 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 1368 wrote to memory of 1800 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\steam2.bat"

C:\Windows\explorer.exe

explorer "steam://url/SteamIDFriendsPage"

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

Network

N/A

Files

memory/2992-0-0x0000000001C80000-0x0000000001C81000-memory.dmp

memory/2992-1-0x0000000001C80000-0x0000000001C81000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:41

Platform

win7-20240704-en

Max time kernel

118s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\privileges.exe"

Signatures

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\privileges.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\privileges.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\privileges.exe

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\privileges.exe"

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:41

Platform

win7-20240705-en

Max time kernel

121s

Max time network

137s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\smug.bat"

Signatures

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 588 wrote to memory of 2496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 588 wrote to memory of 2496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 588 wrote to memory of 2496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 588 wrote to memory of 3036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 588 wrote to memory of 3036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 588 wrote to memory of 3036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\smug.bat"

C:\Windows\system32\taskkill.exe

taskkill /im 720.exe

C:\Windows\system32\taskkill.exe

taskkill /im 1080.exe

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:41

Platform

win7-20240708-en

Max time kernel

120s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Guna.UI.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Guna.UI.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:41

Platform

win7-20240708-en

Max time kernel

121s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom.exe

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 gist.githubusercontent.com udp
US 185.199.110.133:443 gist.githubusercontent.com tcp

Files

Analysis: behavioral8

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:40

Platform

win10v2004-20240802-en

Max time kernel

143s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom.exe

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom.exe"

Network

Files

Analysis: behavioral21

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:40

Platform

win7-20240705-en

Max time kernel

120s

Max time network

131s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\online.bat"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2632 wrote to memory of 2408 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 2632 wrote to memory of 2408 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 2632 wrote to memory of 2408 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\online.bat"

C:\Windows\explorer.exe

explorer "steam://friends/status/online"

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

Network

N/A

Files

memory/2744-0-0x0000000000350000-0x0000000000351000-memory.dmp

memory/2744-1-0x0000000000350000-0x0000000000351000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:41

Platform

win7-20240708-en

Max time kernel

121s

Max time network

132s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\steam.bat"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2368 wrote to memory of 1764 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 2368 wrote to memory of 1764 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 2368 wrote to memory of 1764 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\steam.bat"

C:\Windows\explorer.exe

explorer "steam://nav/games"

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

Network

N/A

Files

memory/2452-0-0x00000000020B0000-0x00000000020B1000-memory.dmp

memory/2452-1-0x00000000020B0000-0x00000000020B1000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:41

Platform

win7-20240705-en

Max time kernel

119s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mod-helper.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mod-helper.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mod-helper.exe

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mod-helper.exe"

Network

N/A

Files

Analysis: behavioral18

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:41

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mod-helper.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mod-helper.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mod-helper.exe

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mod-helper.exe"

Network

Files

Analysis: behavioral32

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:41

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

171s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\steam2.bat"

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 2008 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\steam2.bat"

C:\Windows\explorer.exe

explorer "steam://url/SteamIDFriendsPage"

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:40

Platform

win7-20240708-en

Max time kernel

120s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom-Debug.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom-Debug.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom-Debug.exe

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom-Debug.exe"

Network

N/A

Files

Analysis: behavioral11

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:40

Platform

win7-20240704-en

Max time kernel

121s

Max time network

140s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\commands.bat"

Signatures

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3068 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3068 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3068 wrote to memory of 1092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3068 wrote to memory of 1092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3068 wrote to memory of 1092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3068 wrote to memory of 772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3068 wrote to memory of 772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3068 wrote to memory of 772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\commands.bat"

C:\Windows\system32\taskkill.exe

taskkill /im Commands.exe

C:\Windows\system32\taskkill.exe

taskkill /im Commands2.exe

C:\Windows\system32\taskkill.exe

taskkill /im Settings.exe

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:40

Platform

win7-20240708-en

Max time kernel

60s

Max time network

17s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\invisible.bat"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 404 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 1200 wrote to memory of 404 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 1200 wrote to memory of 404 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\invisible.bat"

C:\Windows\explorer.exe

explorer "steam://friends/status/invisible"

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

Network

N/A

Files

memory/2544-0-0x0000000000450000-0x0000000000451000-memory.dmp

memory/2544-1-0x0000000000450000-0x0000000000451000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:41

Platform

win10v2004-20240802-en

Max time kernel

138s

Max time network

162s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\invisible.bat"

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2824 wrote to memory of 4984 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 2824 wrote to memory of 4984 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\invisible.bat"

C:\Windows\explorer.exe

explorer "steam://friends/status/invisible"

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:41

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Guna.UI.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Guna.UI.dll,#1

Network

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:41

Platform

win10v2004-20240802-en

Max time kernel

136s

Max time network

162s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\chrome.bat"

Signatures

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2008 wrote to memory of 448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\chrome.bat"

C:\Windows\system32\taskkill.exe

taskkill /im chrome.exe

Network

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:40

Platform

win10v2004-20240802-en

Max time kernel

146s

Max time network

161s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\exit.bat"

Signatures

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4288 wrote to memory of 4616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4288 wrote to memory of 4616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\exit.bat"

C:\Windows\system32\taskkill.exe

taskkill /im PAIcom.exe

Network

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-08-29 06:34

Reported

2024-08-29 06:40

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mute.exe"

Signatures

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mute.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mute.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mute.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mute.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mute.exe

"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mute.exe"

Network

Files

N/A