Analysis Overview
SHA256
19296eb9830d79b73295a7126dca332bbeb702b9cf4a2f806f89f0962af721de
Threat Level: Shows suspicious behavior
The file PAIcom.rar was found to show suspicious behavior.
Malicious Activity Summary
Obfuscated with Agile.Net obfuscator
Legitimate hosting services abused for malware hosting/C2
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-29 06:36
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral22
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:41
Platform
win10v2004-20240802-en
Max time kernel
144s
Max time network
160s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 620 wrote to memory of 1784 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\explorer.exe |
| PID 620 wrote to memory of 1784 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\explorer.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\online.bat"
C:\Windows\explorer.exe
explorer "steam://friends/status/online"
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:40
Platform
win7-20240708-en
Max time kernel
117s
Max time network
128s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\skins.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\skins.exe
"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\skins.exe"
Network
Files
memory/2624-0-0x0000000073E6E000-0x0000000073E6F000-memory.dmp
memory/2624-1-0x00000000009C0000-0x00000000015F0000-memory.dmp
memory/2624-2-0x0000000073E60000-0x000000007454E000-memory.dmp
memory/2624-3-0x0000000073E6E000-0x0000000073E6F000-memory.dmp
memory/2624-4-0x0000000073E60000-0x000000007454E000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:41
Platform
win10v2004-20240802-en
Max time kernel
137s
Max time network
165s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2732 wrote to memory of 3820 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\explorer.exe |
| PID 2732 wrote to memory of 3820 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\explorer.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\steam.bat"
C:\Windows\explorer.exe
explorer "steam://nav/games"
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:40
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
162s
Command Line
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Commands.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Commands.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Commands.exe
"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Commands.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| GB | 92.123.142.131:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gist.githubusercontent.com | udp |
| US | 185.199.108.133:443 | gist.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/2412-0-0x000000007501E000-0x000000007501F000-memory.dmp
memory/2412-1-0x00000000004C0000-0x0000000001F32000-memory.dmp
memory/2412-2-0x0000000006E70000-0x0000000007414000-memory.dmp
memory/2412-3-0x0000000006960000-0x00000000069F2000-memory.dmp
memory/2412-4-0x0000000006AB0000-0x0000000006B52000-memory.dmp
memory/2412-6-0x0000000075010000-0x00000000757C0000-memory.dmp
memory/2412-5-0x0000000006AA0000-0x0000000006AAA000-memory.dmp
memory/2412-7-0x0000000007680000-0x000000000771C000-memory.dmp
memory/2412-8-0x0000000007610000-0x000000000763E000-memory.dmp
memory/2412-15-0x0000000075010000-0x00000000757C0000-memory.dmp
memory/2412-16-0x000000007501E000-0x000000007501F000-memory.dmp
memory/2412-17-0x0000000075010000-0x00000000757C0000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:41
Platform
win7-20240729-en
Max time kernel
3s
Max time network
19s
Command Line
Signatures
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1972 wrote to memory of 2424 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 1972 wrote to memory of 2424 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 1972 wrote to memory of 2424 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\chrome.bat"
C:\Windows\system32\taskkill.exe
taskkill /im chrome.exe
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:41
Platform
win10v2004-20240802-en
Max time kernel
139s
Max time network
164s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\skins.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\skins.exe
"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\skins.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/2236-0-0x0000000074DFE000-0x0000000074DFF000-memory.dmp
memory/2236-1-0x0000000000CC0000-0x00000000018F0000-memory.dmp
memory/2236-2-0x0000000006790000-0x0000000006D34000-memory.dmp
memory/2236-3-0x00000000062C0000-0x0000000006352000-memory.dmp
memory/2236-4-0x0000000006380000-0x000000000638A000-memory.dmp
memory/2236-5-0x0000000074DF0000-0x00000000755A0000-memory.dmp
memory/2236-6-0x0000000074DFE000-0x0000000074DFF000-memory.dmp
memory/2236-7-0x0000000074DF0000-0x00000000755A0000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:40
Platform
win10v2004-20240802-en
Max time kernel
138s
Max time network
165s
Command Line
Signatures
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1568 wrote to memory of 2232 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 1568 wrote to memory of 2232 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 1568 wrote to memory of 736 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 1568 wrote to memory of 736 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\smug.bat"
C:\Windows\system32\taskkill.exe
taskkill /im 720.exe
C:\Windows\system32\taskkill.exe
taskkill /im 1080.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| NL | 52.111.243.31:443 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:41
Platform
win7-20240729-en
Max time kernel
117s
Max time network
134s
Command Line
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Commands.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Commands.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Commands.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2196 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Commands.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2196 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Commands.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2196 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Commands.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2196 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Commands.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Commands.exe
"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Commands.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1208
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gist.githubusercontent.com | udp |
| US | 185.199.110.133:443 | gist.githubusercontent.com | tcp |
Files
memory/2196-0-0x00000000743EE000-0x00000000743EF000-memory.dmp
memory/2196-1-0x0000000000E20000-0x0000000002892000-memory.dmp
memory/2196-2-0x0000000000D00000-0x0000000000DA2000-memory.dmp
memory/2196-3-0x00000000743E0000-0x0000000074ACE000-memory.dmp
memory/2196-4-0x0000000000460000-0x000000000048E000-memory.dmp
memory/2196-5-0x00000000743EE000-0x00000000743EF000-memory.dmp
memory/2196-6-0x00000000743E0000-0x0000000074ACE000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:40
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
162s
Command Line
Signatures
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4376 wrote to memory of 1836 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 4376 wrote to memory of 1836 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 4376 wrote to memory of 4820 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 4376 wrote to memory of 4820 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 4376 wrote to memory of 4004 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 4376 wrote to memory of 4004 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\commands.bat"
C:\Windows\system32\taskkill.exe
taskkill /im Commands.exe
C:\Windows\system32\taskkill.exe
taskkill /im Commands2.exe
C:\Windows\system32\taskkill.exe
taskkill /im Settings.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:41
Platform
win7-20240704-en
Max time kernel
5s
Max time network
17s
Command Line
Signatures
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2748 wrote to memory of 1788 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 2748 wrote to memory of 1788 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 2748 wrote to memory of 1788 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\exit.bat"
C:\Windows\system32\taskkill.exe
taskkill /im PAIcom.exe
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:41
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
167s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom-Debug.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom-Debug.exe
"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom-Debug.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
memory/4160-0-0x000000007441E000-0x000000007441F000-memory.dmp
memory/4160-1-0x00000000006C0000-0x0000000000742000-memory.dmp
memory/4160-2-0x00000000075B0000-0x0000000007672000-memory.dmp
memory/4160-3-0x000000000AE60000-0x000000000B404000-memory.dmp
memory/4160-4-0x0000000074410000-0x0000000074BC0000-memory.dmp
memory/4160-5-0x000000000A8F0000-0x000000000A982000-memory.dmp
memory/4160-6-0x00000000050B0000-0x00000000050BA000-memory.dmp
memory/4160-7-0x000000007441E000-0x000000007441F000-memory.dmp
memory/4160-8-0x0000000074410000-0x0000000074BC0000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:41
Platform
win7-20240704-en
Max time kernel
3s
Max time network
28s
Command Line
Signatures
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mute.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mute.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mute.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mute.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mute.exe
"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mute.exe"
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:41
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
167s
Command Line
Signatures
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\privileges.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\privileges.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\privileges.exe
"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\privileges.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:41
Platform
win7-20240704-en
Max time kernel
125s
Max time network
155s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1368 wrote to memory of 1800 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\explorer.exe |
| PID 1368 wrote to memory of 1800 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\explorer.exe |
| PID 1368 wrote to memory of 1800 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\explorer.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\steam2.bat"
C:\Windows\explorer.exe
explorer "steam://url/SteamIDFriendsPage"
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Network
Files
memory/2992-0-0x0000000001C80000-0x0000000001C81000-memory.dmp
memory/2992-1-0x0000000001C80000-0x0000000001C81000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:41
Platform
win7-20240704-en
Max time kernel
118s
Max time network
136s
Command Line
Signatures
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\privileges.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\privileges.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\privileges.exe
"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\privileges.exe"
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:41
Platform
win7-20240705-en
Max time kernel
121s
Max time network
137s
Command Line
Signatures
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 588 wrote to memory of 2496 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 588 wrote to memory of 2496 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 588 wrote to memory of 2496 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 588 wrote to memory of 3036 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 588 wrote to memory of 3036 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 588 wrote to memory of 3036 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\smug.bat"
C:\Windows\system32\taskkill.exe
taskkill /im 720.exe
C:\Windows\system32\taskkill.exe
taskkill /im 1080.exe
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:41
Platform
win7-20240708-en
Max time kernel
120s
Max time network
137s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Guna.UI.dll,#1
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:41
Platform
win7-20240708-en
Max time kernel
121s
Max time network
140s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom.exe
"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | gist.githubusercontent.com | udp |
| US | 185.199.110.133:443 | gist.githubusercontent.com | tcp |
Files
memory/2980-0-0x0000000074EAE000-0x0000000074EAF000-memory.dmp
memory/2980-1-0x0000000000B50000-0x0000000004714000-memory.dmp
memory/2980-2-0x0000000074EAE000-0x0000000074EAF000-memory.dmp
memory/2980-3-0x0000000017500000-0x000000001B18A000-memory.dmp
memory/2980-4-0x0000000074EA0000-0x000000007558E000-memory.dmp
memory/2980-7-0x0000000074EA0000-0x000000007558E000-memory.dmp
memory/2980-8-0x0000000074EA0000-0x000000007558E000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:40
Platform
win10v2004-20240802-en
Max time kernel
143s
Max time network
162s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom.exe
"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | gist.githubusercontent.com | udp |
| US | 185.199.110.133:443 | gist.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
Files
memory/1056-0-0x00000000752CE000-0x00000000752CF000-memory.dmp
memory/1056-1-0x0000000000010000-0x0000000003BD4000-memory.dmp
memory/1056-2-0x00000000752CE000-0x00000000752CF000-memory.dmp
memory/1056-3-0x00000000172F0000-0x000000001AF7A000-memory.dmp
memory/1056-4-0x000000001E730000-0x000000001ECD4000-memory.dmp
memory/1056-5-0x00000000752C0000-0x0000000075A70000-memory.dmp
memory/1056-6-0x000000001E160000-0x000000001E1F2000-memory.dmp
memory/1056-7-0x000000000C7A0000-0x000000000C7AA000-memory.dmp
memory/1056-10-0x00000000752C0000-0x0000000075A70000-memory.dmp
memory/1056-11-0x00000000752C0000-0x0000000075A70000-memory.dmp
memory/1056-12-0x00000000752C0000-0x0000000075A70000-memory.dmp
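Reading the Network tables above: the only hosts the sample itself reaches in behavioral7 and behavioral8 are pastebin.com and gist.githubusercontent.com (the report's "Legitimate hosting services abused" signature fires on the first; the gist fetch sits right after it in both runs). The Bing hosts and the *.in-addr.arpa PTR lookups to 8.8.8.8 recur in every win10 run on this page, including behavioral16 where only cmd.exe, explorer.exe and OpenWith.exe executed, so they are sandbox background rather than sample traffic. The Python helper below is an added example, not part of the report or of the PAIcom sample: it parses rows in this page's table format and splits them into background noise, known hosting services, unresolved direct connections and everything else. The two pattern lists are assumptions to tune per sandbox; the sample rows are copied from the tables above.

```python
"""Added triage helper, not part of the sandbox report: splits a report's
Network table into sandbox background noise and hosts worth investigating."""
import re
from fnmatch import fnmatch

# Rows copied from the behavioral7 and behavioral8 Network tables, plus the
# nameless IE row from behavioral4, in the report's own table format.
SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | gist.githubusercontent.com | udp |
| US | 185.199.110.133:443 | gist.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| IE | 52.111.236.23:443 | | tcp |
"""

# Assumption: traffic the win10 sandbox image generates on its own (Bing
# search/asset fetches and the resolver's PTR lookups). Tune per sandbox.
BACKGROUND_PATTERNS = ("*.bing.com", "*.bing.net", "*.in-addr.arpa")

# Assumption: legitimate services routinely used to stage payloads or C2
# configuration. The report's own signature fires on pastebin.com; the gist
# host is listed here because the same runs fetched from it.
HOSTING_PATTERNS = (
    "pastebin.com", "*.pastebin.com",
    "gist.githubusercontent.com", "raw.githubusercontent.com",
)

ROW_RE = re.compile(
    r"^\|\s*(?P<cc>[^|]*?)\s*\|\s*(?P<dst>[^|]*?)\s*\|"
    r"\s*(?P<domain>[^|]*?)\s*\|\s*(?P<proto>[^|]*?)\s*\|\s*$"
)


def parse_rows(text):
    """Yield (country, destination, domain, proto) for each data row."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m["dst"] != "Destination":      # skip the header row
            yield m["cc"], m["dst"], m["domain"], m["proto"]


def _matches(domain, patterns):
    return any(fnmatch(domain.lower(), p) for p in patterns)


def triage(text):
    """Bucket rows. hosting/other map domain -> set of connected endpoints
    (a DNS lookup to :53 registers the name but is not a connection);
    background is the set of noise domains; unresolved is direct IP traffic
    with no name attached."""
    result = {"hosting": {}, "other": {}, "background": set(), "unresolved": set()}
    for _cc, dst, domain, proto in parse_rows(text):
        if not domain:
            result["unresolved"].add(dst)
            continue
        if _matches(domain, BACKGROUND_PATTERNS):
            result["background"].add(domain)
            continue
        bucket = result["hosting"] if _matches(domain, HOSTING_PATTERNS) else result["other"]
        endpoints = bucket.setdefault(domain, set())
        if not (proto == "udp" and dst.endswith(":53")):
            endpoints.add(dst)
    return result


if __name__ == "__main__":
    for bucket, value in triage(SAMPLE_ROWS).items():
        print(f"{bucket}: {value}")
```

Run it on a whole report by pasting every Network table into `SAMPLE_ROWS`; anything that lands in `other` or `unresolved` is what the sandbox did not already explain and is where a second look starts.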
Analysis: behavioral21
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:40
Platform
win7-20240705-en
Max time kernel
120s
Max time network
131s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2632 wrote to memory of 2408 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\explorer.exe |
| PID 2632 wrote to memory of 2408 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\explorer.exe |
| PID 2632 wrote to memory of 2408 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\explorer.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\online.bat"
C:\Windows\explorer.exe
explorer "steam://friends/status/online"
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Network
Files
memory/2744-0-0x0000000000350000-0x0000000000351000-memory.dmp
memory/2744-1-0x0000000000350000-0x0000000000351000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:41
Platform
win7-20240708-en
Max time kernel
121s
Max time network
132s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2368 wrote to memory of 1764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\explorer.exe |
| PID 2368 wrote to memory of 1764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\explorer.exe |
| PID 2368 wrote to memory of 1764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\explorer.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\steam.bat"
C:\Windows\explorer.exe
explorer "steam://nav/games"
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Network
Files
memory/2452-0-0x00000000020B0000-0x00000000020B1000-memory.dmp
memory/2452-1-0x00000000020B0000-0x00000000020B1000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:41
Platform
win7-20240705-en
Max time kernel
119s
Max time network
137s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mod-helper.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mod-helper.exe
"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mod-helper.exe"
Network
Files
memory/3040-0-0x00000000747FE000-0x00000000747FF000-memory.dmp
memory/3040-1-0x0000000000080000-0x00000000000F0000-memory.dmp
memory/3040-2-0x00000000747F0000-0x0000000074EDE000-memory.dmp
memory/3040-3-0x00000000747F0000-0x0000000074EDE000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:41
Platform
win10v2004-20240802-en
Max time kernel
144s
Max time network
155s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mod-helper.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mod-helper.exe
"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mod-helper.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/2516-0-0x0000000074F2E000-0x0000000074F2F000-memory.dmp
memory/2516-1-0x0000000000C00000-0x0000000000C70000-memory.dmp
memory/2516-2-0x0000000005C50000-0x00000000061F4000-memory.dmp
memory/2516-3-0x00000000056A0000-0x0000000005732000-memory.dmp
memory/2516-4-0x0000000005660000-0x000000000566A000-memory.dmp
memory/2516-5-0x0000000074F20000-0x00000000756D0000-memory.dmp
memory/2516-6-0x0000000074F2E000-0x0000000074F2F000-memory.dmp
memory/2516-7-0x0000000074F20000-0x00000000756D0000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:41
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
171s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2008 wrote to memory of 2568 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\explorer.exe |
| PID 2008 wrote to memory of 2568 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\explorer.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\steam2.bat"
C:\Windows\explorer.exe
explorer "steam://url/SteamIDFriendsPage"
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:40
Platform
win7-20240708-en
Max time kernel
120s
Max time network
134s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom-Debug.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom-Debug.exe
"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\PAIcom-Debug.exe"
Network
Files
memory/2860-0-0x0000000074CBE000-0x0000000074CBF000-memory.dmp
memory/2860-1-0x0000000000AC0000-0x0000000000B42000-memory.dmp
memory/2860-2-0x0000000006F50000-0x0000000007012000-memory.dmp
memory/2860-3-0x0000000074CB0000-0x000000007539E000-memory.dmp
memory/2860-4-0x0000000074CB0000-0x000000007539E000-memory.dmp
memory/2860-5-0x0000000074CBE000-0x0000000074CBF000-memory.dmp
memory/2860-6-0x0000000074CB0000-0x000000007539E000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:40
Platform
win7-20240704-en
Max time kernel
121s
Max time network
140s
Command Line
Signatures
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3068 wrote to memory of 2584 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 3068 wrote to memory of 2584 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 3068 wrote to memory of 2584 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 3068 wrote to memory of 1092 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 3068 wrote to memory of 1092 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 3068 wrote to memory of 1092 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 3068 wrote to memory of 772 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 3068 wrote to memory of 772 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 3068 wrote to memory of 772 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\commands.bat"
C:\Windows\system32\taskkill.exe
taskkill /im Commands.exe
C:\Windows\system32\taskkill.exe
taskkill /im Commands2.exe
C:\Windows\system32\taskkill.exe
taskkill /im Settings.exe
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:40
Platform
win7-20240708-en
Max time kernel
60s
Max time network
17s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1200 wrote to memory of 404 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\explorer.exe |
| PID 1200 wrote to memory of 404 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\explorer.exe |
| PID 1200 wrote to memory of 404 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\explorer.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\invisible.bat"
C:\Windows\explorer.exe
explorer "steam://friends/status/invisible"
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Network
Files
memory/2544-0-0x0000000000450000-0x0000000000451000-memory.dmp
memory/2544-1-0x0000000000450000-0x0000000000451000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:41
Platform
win10v2004-20240802-en
Max time kernel
138s
Max time network
162s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2824 wrote to memory of 4984 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\explorer.exe |
| PID 2824 wrote to memory of 4984 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\explorer.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\invisible.bat"
C:\Windows\explorer.exe
explorer "steam://friends/status/invisible"
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:41
Platform
win10v2004-20240802-en
Max time kernel
144s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\Guna.UI.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:41
Platform
win10v2004-20240802-en
Max time kernel
136s
Max time network
162s
Command Line
Signatures
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2008 wrote to memory of 448 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 2008 wrote to memory of 448 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\chrome.bat"
C:\Windows\system32\taskkill.exe
taskkill /im chrome.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:40
Platform
win10v2004-20240802-en
Max time kernel
146s
Max time network
161s
Command Line
Signatures
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4288 wrote to memory of 4616 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 4288 wrote to memory of 4616 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\exit.bat"
C:\Windows\system32\taskkill.exe
taskkill /im PAIcom.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
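The batch-file detonations above are each a one-line `cmd /c` wrapper: commands.bat, chrome.bat, exit.bat and smug.bat run `taskkill /im` against fixed image names (which is why taskkill.exe requests SeDebugPrivilege), while online.bat, invisible.bat, steam.bat and steam2.bat hand a `steam://` URI to explorer.exe, which then starts a second explorer.exe as a COM server (`/factory,{...} -Embedding`) to service the open. The "Suspicious use of WriteProcessMemory" rows in those runs are cmd.exe writing into the children it has just created, which is what CreateProcess does when it copies the process parameters into the new address space. The Python below is an added example, not from the report or the sample, that reconstructs this from a Processes list in the page's format and flags only memory writes that do not match a launcher-to-child pair. Its process list is assembled from behavioral11 and behavioral29 above; the svchost.exe row in its WriteProcessMemory sample is constructed to exercise the review branch and does not appear in the report.

```python
"""Added triage helper, not part of the sandbox report: reconstructs what a
launched .bat did from the report's Processes list and separates the
WriteProcessMemory rows that are ordinary process creation from the rest."""
import re

# Assembled from the behavioral11 and behavioral29 Processes lists: the report
# prints each process as an image path line followed by its command line.
# The first process is the launcher, the rest are its children.
SAMPLE_PROCESSES = r"""
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\commands.bat"
C:\Windows\system32\taskkill.exe
taskkill /im Commands.exe
C:\Windows\system32\taskkill.exe
taskkill /im Commands2.exe
C:\Windows\system32\taskkill.exe
taskkill /im Settings.exe
C:\Windows\explorer.exe
explorer "steam://nav/games"
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
"""

# First three rows are from behavioral11; the svchost.exe row is constructed
# (it is not in the report) to exercise the review branch.
SAMPLE_WRITES = r"""
| PID 3068 wrote to memory of 2584 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 3068 wrote to memory of 1092 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 3068 wrote to memory of 772 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe |
| PID 3068 wrote to memory of 4242 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\svchost.exe |
"""

BAT_RE = re.compile(r'/c\s+"?([^"]+?\.bat)"?', re.I)
TASKKILL_RE = re.compile(r"taskkill\s+(?:/\w+\s+)*?/im\s+(\S+)", re.I)
STEAM_RE = re.compile(r'(steam://[^\s"]+)', re.I)
WPM_RE = re.compile(
    r"^\|\s*PID\s+(\d+)\s+wrote to memory of\s+(\d+)\s*\|[^|]*\|"
    r"\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|\s*$"
)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_processes(text):
    """Return [(image_path, command_line), ...] from a Processes block."""
    lines = [l for l in text.splitlines() if l.strip()]
    return list(zip(lines[0::2], lines[1::2]))


def summarise(text):
    """What the batch file did: image names it killed, steam:// URIs it
    opened, and how many explorer.exe COM-server instances (-Embedding)
    Windows started to service those URI opens."""
    out = {"batch": None, "killed": [], "steam_uris": [], "com_servers": 0}
    for image, cmdline in parse_processes(text):
        name = basename(image)
        if name == "cmd.exe" and (m := BAT_RE.search(cmdline)):
            out["batch"] = basename(m.group(1))
        elif name == "taskkill.exe" and (m := TASKKILL_RE.search(cmdline)):
            out["killed"].append(m.group(1))
        elif name == "explorer.exe" and (m := STEAM_RE.search(cmdline)):
            out["steam_uris"].append(m.group(1))
        elif name == "explorer.exe" and "-Embedding" in cmdline:
            out["com_servers"] += 1
    return out


def spawned_pairs(text):
    """(launcher, child) image-name pairs implied by the Processes list."""
    procs = parse_processes(text)
    launcher = basename(procs[0][0])
    return {(launcher, basename(image)) for image, _ in procs[1:]}


def classify_writes(rows_text, spawned):
    """A parent writing into a child it has just created is what CreateProcess
    does (it copies the process parameters into the new address space), so a
    write that matches a launcher->child pair is expected; anything else is
    returned for review as a possible injection."""
    expected, review = [], []
    for line in rows_text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src_pid, dst_pid, proc, target = m.groups()
        pair = (basename(proc), basename(target))
        (expected if pair in spawned else review).append((src_pid, dst_pid, pair))
    return expected, review


if __name__ == "__main__":
    print(summarise(SAMPLE_PROCESSES))
    print(classify_writes(SAMPLE_WRITES, spawned_pairs(SAMPLE_PROCESSES)))
```

The pairing heuristic is deliberately coarse: it keys on image names, not PIDs, because the report's Processes list carries no PIDs. Where a sandbox exports a real process tree, match on parent and child PIDs instead and keep the image-name check only as a fallback.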
Analysis: behavioral20
Detonation Overview
Submitted
2024-08-29 06:34
Reported
2024-08-29 06:40
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
166s
Command Line
Signatures
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mute.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mute.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mute.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mute.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mute.exe
"C:\Users\Admin\AppData\Local\Temp\PAIcom\PAIcom\mute.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |