Analysis Overview
SHA256
aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03
Threat Level: Known bad
The file aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Drops file in Drivers directory
Reads user/profile data of web browsers
Drops startup file
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 15:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 15:23
Reported
2024-10-27 15:25
Platform
win7-20240903-en
Max time kernel
59s
Max time network
120s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe" | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\lmhosts.sam | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\networks | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\protocol | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\services | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antivirus.bat | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\My Program = "\\C:\\Users\\Admin\\AppData\\Local\\Temp\\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe\\" | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\EURO\MSOEURO.DLL | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\hxdsui.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\mshwLatin.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\ado\msader15.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEERR.DLL | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ACEODBCI.DLL | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\InkDiv.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\OFFREL.DLL | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\msadc\msadcer.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEOLEDB.DLL | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\pkeyconfig.companion.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1STAR.DLL | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\Ole DB\oledb32r.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DBGHELP.DLL | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\hxdsui.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\OARPMANR.DLL | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\msadc\msadcf.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\Ole DB\msdaora.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\msadc\msdarem.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\Microsoft.Ink.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\METCONV.DLL | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\ado\msjro.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\msadc\msadcor.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\STINTL.DLL | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1XTOR.DLL | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\MSB1ESEN.DLL | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSDecWrp.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\MSMAPI\1033\MSMAPI32.DLL | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEES.DLL | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEODBC.DLL | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Portal\PortalConnectCore.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\WTSP61MS.DLL | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WPEQU532.DLL | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEWDAT.DLL | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\xlsrvintl.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\pipres.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\VSTARemotingServer.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\penjpn.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEDAO.DLL | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\VBAJET32.DLL | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1CORE.DLL | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VC\msdia90.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEODTXT.DLL | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FDATE.DLL | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Csi.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXP_PDF.DLL | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
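The signatures above describe three persistence writes (the Winlogon Shell value, the Run key pointing into the user's Temp directory, the Startup-folder drop) plus a hosts-file write and a fetch from raw.githubusercontent.com. The following rule logic turns those indicators into detections and runs them over constructed Sysmon-style records (event 13 = registry value set, 11 = file create, 22 = DNS query). This is example code written for this page, not output of the sandbox or code belonging to the sample; the event records, the field names, and the rule names are assumptions modelled on the report's tables, and the two trailing records are benign controls added to show what the rules do not fire on.

```python
"""Detection logic for the persistence behaviours listed in this report, applied to
constructed Sysmon-like events. Example code for this page; the records below are
made up to mirror the report's indicators and are not real telemetry."""
import re

# Sample path exactly as it appears in the report's Process column.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe")

# Constructed events. ids follow Sysmon: 13 RegistryEvent (value set), 11 FileCreate, 22 DnsQuery.
EVENTS = [
    {"id": 13, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "details": SAMPLE},
    {"id": 13, "image": SAMPLE,
     "target": r"HKU\S-1-5-21-3290804112-2823094203-3137964600-1000"
               r"\Software\Microsoft\Windows\CurrentVersion\Run\My Program",
     "details": SAMPLE},
    {"id": 11, "image": SAMPLE,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antivirus.bat"},
    {"id": 11, "image": SAMPLE, "target": r"C:\Windows\System32\drivers\etc\hosts"},
    {"id": 22, "image": SAMPLE, "query": "raw.githubusercontent.com"},
    # Benign controls (constructed): the default Shell value, and a Run key pointing at Program Files.
    {"id": 13, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "details": "explorer.exe"},
    {"id": 13, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "details": r"C:\Program Files\Vendor\agent.exe"},
]

WINLOGON_SHELL = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\Shell$", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public)\\", re.I)
STARTUP_DROP = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(bat|cmd|vbs|vbe|js|hta|exe|lnk)$", re.I)
HOSTS_FILE = re.compile(r"\\System32\\drivers\\etc\\hosts$", re.I)
SYSTEM_IMAGE = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.I)


def evaluate(event):
    """Yield (rule_name, evidence) for every rule the event matches."""
    eid = event["id"]
    if eid == 13:
        target, value = event["target"], event.get("details", "")
        # T1547.004: Shell should be explorer.exe on a workstation; anything else runs at logon.
        if WINLOGON_SHELL.search(target) and value.strip().lower() != "explorer.exe":
            yield ("winlogon_shell_persistence", value)
        # T1547.001: Run key whose command lives in a user-writable scratch directory.
        if RUN_KEY.search(target) and USER_WRITABLE.search(value):
            yield ("run_key_user_writable_path", value)
    elif eid == 11:
        target = event["target"]
        # T1547.001: script or executable written to the per-user Startup folder.
        if STARTUP_DROP.search(target):
            yield ("startup_folder_drop", target)
        # hosts is normally written only by system components or an admin's editor.
        if HOSTS_FILE.search(target) and not SYSTEM_IMAGE.match(event["image"]):
            yield ("hosts_file_written_by_non_system_image", event["image"])
    elif eid == 22:
        # Low-fidelity on developer hosts; useful here because the resolver is a Temp-resident binary.
        if event["query"].lower() == "raw.githubusercontent.com" and not SYSTEM_IMAGE.match(event["image"]):
            yield ("raw_github_fetch", event["image"])


def run(events):
    """Flat list of (rule_name, evidence) hits over a sequence of events."""
    return [hit for ev in events for hit in evaluate(ev)]


if __name__ == "__main__":
    for rule, evidence in run(EVENTS):
        print(rule, "<-", evidence)
```

Over the constructed records the five sample-driven events each produce exactly one hit and the two controls produce none. The Startup rule keys on script and executable extensions; the behavioral2 run on this page also drops .html and .mp3 files into the same folder, which a stricter variant would catch by flagging any Startup-folder write from an image running out of a user Temp path.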
Processes
C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe
"C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
Files
memory/1764-0-0x0000000074BFE000-0x0000000074BFF000-memory.dmp
memory/1764-1-0x0000000000F30000-0x0000000000F3A000-memory.dmp
memory/1764-2-0x0000000074BF0000-0x00000000752DE000-memory.dmp
C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe
| MD5 | 6dbdc69771e30382aad6c4ac051f0360 |
| SHA1 | 28272da6b9b0dd3e8bcf161a18205e954b587080 |
| SHA256 | aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03 |
| SHA512 | 84008b9ca6cb241687517061c398d812cdf1874afe31c6027c6eeff99b365c7e8d044f3a898ae54feb2bc0e459eb4264a26da16f6c880ee1eac1b0accd95fbfb |
C:\Windows\System32\drivers\etc\networks
| MD5 | 8b20ea0476a4ef666ffde47cf8d160b1 |
| SHA1 | 528db63e91e4c53a7b591dae179b501ed1b567e6 |
| SHA256 | 8fd9c10a4641311464f5a6529b4d2b23c5727d44cf735b05336d63fb905c9173 |
| SHA512 | 8286bfcfe07695ba7aa5a3f75e6ae80643fc3b7c72f21246a9f3c614c1fe5eed70a438227335f0dce8a4014e0fc8975718efd13c3316314ebd28d88b065ab844 |
memory/1764-1653-0x0000000074BFE000-0x0000000074BFF000-memory.dmp
memory/1764-1898-0x0000000074BF0000-0x00000000752DE000-memory.dmp
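Note that the dropped C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe carries the same MD5, SHA1 and SHA256 as the submitted sample, so it is a byte-identical copy of the dropper rather than a modified Adobe binary. A disk hunt for this report therefore has two jobs: match every file against the known-bad hash set, and surface identical copies of one file at several locations (user Temp plus Program Files here). The script below does both. It is example code written for this page, not from the sandbox or the sample's author; the two hashes in KNOWN_BAD are the ones listed in the Files section above, and the directory tree that demo() builds is constructed for the run, with a stand-in file in place of the real sample.

```python
"""Hash-based hunt for the file indicators in this report. Example code for this
page: hashes every file under a root, matches against the report's SHA-256 set, and
groups identical copies found at more than one path."""
import hashlib
import os
import tempfile
from collections import defaultdict

KNOWN_BAD = {
    # submitted sample; also the hash of the dropped airappinstaller.exe
    "aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03",
    # drivers\etc\networks as left by the sample (from the Files section)
    "8fd9c10a4641311464f5a6529b4d2b23c5727d44cf735b05336d63fb905c9173",
}


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file read in 1 MiB chunks so large binaries do not land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, known_bad=KNOWN_BAD):
    """Return (matches, duplicates): sorted paths whose hash is in known_bad, and a
    dict hash -> sorted paths for every hash present at more than one location."""
    by_hash = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                by_hash[sha256_file(path)].append(path)
            except OSError:
                continue  # locked or unreadable; a production hunt would log this
    matches = sorted(p for h, paths in by_hash.items() if h in known_bad for p in paths)
    duplicates = {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}
    return matches, duplicates


def demo():
    """Build a constructed tree mirroring the report's drop locations and hunt it."""
    root = tempfile.mkdtemp()
    stand_in = b"MZ stand-in for the sample; constructed, not the real binary\n"
    layout = {
        os.path.join("Users", "Admin", "AppData", "Local", "Temp", "sample.exe"): stand_in,
        os.path.join("Program Files (x86)", "Common Files", "Adobe AIR",
                     "Versions", "1.0", "airappinstaller.exe"): stand_in,
        os.path.join("Windows", "System32", "drivers", "etc", "hosts"): b"127.0.0.1 localhost\n",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    # The stand-in's hash is added so the match path is exercised offline;
    # against a real image only KNOWN_BAD would be used.
    known = KNOWN_BAD | {hashlib.sha256(stand_in).hexdigest()}
    return hunt(root, known)


if __name__ == "__main__":
    matches, duplicates = demo()
    print("known-bad:", *matches, sep="\n  ")
    for h, paths in duplicates.items():
        print("identical copies of", h[:12], *paths, sep="\n  ")
```

On a real host, point hunt() at the volume root (or at the user profile and Program Files trees the report names) with the KNOWN_BAD set alone; the duplicate grouping is what catches further copies of the dropper whose names are not in this report.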
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 15:23
Reported
2024-10-27 15:25
Platform
win10v2004-20241007-en
Max time kernel
50s
Max time network
127s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe" | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\lmhosts.sam | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\networks | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\protocol | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\services | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YourMom.vbs | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSDOS32.mp3 | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSDOS323.mp3 | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antivirus.bat | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antivirus2.vbs | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antivirus3.vbs | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KasperskyScanner.hta | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YourMomIsGay.html | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My Program = "\\C:\\Users\\Admin\\AppData\\Local\\Temp\\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe\\" | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\imjplm.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\msadc\msaddsr.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkDiv.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\msadc\msadcer.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\Ole DB\msdasc.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\Ole DB\msdatl3.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\Ole DB\msdaurl.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl64.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\dicjp.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\ado\msadrh15.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pencht.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\Ole DB\msdadc.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia90.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\Ole DB\sqlxmlx.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\Ole DB\msdaora.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_73343\javaw.exe | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\ado\msado15.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\extensibility.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwgst.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwLatin.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\msadc\msadco.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\msadc\msdarem.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\msadc\msdfmap.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF64.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\wab32.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\wab32res.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\Ole DB\sqloledb.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPlugin.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\Ole DB\msdaps.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\ado\msadomd.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\msadc\msadds.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\Ole DB\msdaenum.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\Ole DB\msdaorar.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\Ole DB\oledb32.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_73343\javaws.exe | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\penjpn.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\penkor.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\Ole DB\msxactps.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe
"C:\Users\Admin\AppData\Local\Temp\aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03N.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | archive.org | udp |
| US | 207.241.224.2:443 | archive.org | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.224.241.207.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ia600905.us.archive.org | udp |
| US | 207.241.227.65:443 | ia600905.us.archive.org | tcp |
| US | 8.8.8.8:53 | 65.227.241.207.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vgmsite.com | udp |
| US | 216.227.148.10:443 | vgmsite.com | tcp |
| US | 8.8.8.8:53 | 10.148.227.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_73343\java.exe
| MD5 | 6dbdc69771e30382aad6c4ac051f0360 |
| SHA1 | 28272da6b9b0dd3e8bcf161a18205e954b587080 |
| SHA256 | aed1e927e28a0aef08dfbd3be27ae9f4d33f150e87dad18f3c288883c0f63e03 |
| SHA512 | 84008b9ca6cb241687517061c398d812cdf1874afe31c6027c6eeff99b365c7e8d044f3a898ae54feb2bc0e459eb4264a26da16f6c880ee1eac1b0accd95fbfb |
C:\Windows\System32\drivers\etc\networks
| MD5 | 8b20ea0476a4ef666ffde47cf8d160b1 |
| SHA1 | 528db63e91e4c53a7b591dae179b501ed1b567e6 |
| SHA256 | 8fd9c10a4641311464f5a6529b4d2b23c5727d44cf735b05336d63fb905c9173 |
| SHA512 | 8286bfcfe07695ba7aa5a3f75e6ae80643fc3b7c72f21246a9f3c614c1fe5eed70a438227335f0dce8a4014e0fc8975718efd13c3316314ebd28d88b065ab844 |