Analysis
-
max time kernel
25s -
max time network
138s -
platform
windows10_x64 -
resource
win10 -
submitted
30-06-2020 06:31
General
-
Target
MFC PROJECT DETAILS.exe
-
Size
406KB
-
MD5
0f594997983db981f447a2ee5d640129
-
SHA1
bf31d7905e28e9ab32348471bb7a497d82c6aff7
-
SHA256
f4ca965db7cfd5944b5d6902f391f91f7c3994973955f2af97a91ec146977cc4
-
SHA512
0ee59d76aaee737b67336c5fd142e7f175ac5dbfce33052fd2ae7ea39dae2279d9363f660529caf26ec899a81331c48a6d873b26f09376b0cdea7bfb94902f58
Score
5/10
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 7005 IoCs
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 361 IoCs
-
Suspicious behavior: MapViewOfSection 97 IoCs
-
Suspicious use of SetThreadContext 53 IoCs
-
Suspicious use of AdjustPrivilegeToken 92 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"3⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"4⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 36⤵
-
C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"5⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"7⤵
-
C:\Windows\SysWOW64\msdt.exe"C:\Windows\SysWOW64\msdt.exe"7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 37⤵
-
C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"6⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"7⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 38⤵
-
C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"7⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"8⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"8⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"8⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 39⤵
-
C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"8⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"9⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"9⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 310⤵
-
C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"9⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"10⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"10⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe"11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"10⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 311⤵
-
C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"10⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"11⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"11⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"11⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"11⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"11⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 312⤵
-
C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"11⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"12⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"12⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 313⤵
-
C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"12⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"13⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"13⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 314⤵
-
C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"13⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"14⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"14⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 315⤵
-
C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"14⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"15⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"15⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 316⤵
-
C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"15⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"16⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"16⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 317⤵
-
C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"16⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"17⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"17⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 318⤵
-
C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"17⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"18⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"18⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 319⤵
-
C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"18⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"19⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"19⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 320⤵
-
C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"19⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"20⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"20⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 321⤵
-
C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"20⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"21⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"21⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 322⤵
-
C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"21⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"22⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"22⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 323⤵
-
C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"22⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"23⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"23⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 324⤵
-
C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"23⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"24⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"24⤵
-
C:\Windows\SysWOW64\chkdsk.exe"C:\Windows\SysWOW64\chkdsk.exe"2⤵
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\SysWOW64\wscript.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\SysWOW64\ipconfig.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cscript.exe"C:\Windows\SysWOW64\cscript.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\SysWOW64\svchost.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\SysWOW64\wscript.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\control.exe"C:\Windows\SysWOW64\control.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\msdt.exe"C:\Windows\SysWOW64\msdt.exe"2⤵
-
C:\Windows\SysWOW64\wlanext.exe"C:\Windows\SysWOW64\wlanext.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\SysWOW64\ipconfig.exe"2⤵
-
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\SysWOW64\ipconfig.exe"2⤵
-
C:\Windows\SysWOW64\raserver.exe"C:\Windows\SysWOW64\raserver.exe"2⤵
-
C:\Windows\SysWOW64\cscript.exe"C:\Windows\SysWOW64\cscript.exe"2⤵
-
C:\Windows\SysWOW64\cmmon32.exe"C:\Windows\SysWOW64\cmmon32.exe"2⤵
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\SysWOW64\svchost.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/368-12-0x0000000000000000-mapping.dmp
-
memory/368-64-0x0000000000000000-mapping.dmp
-
memory/420-96-0x0000000000000000-mapping.dmp
-
memory/420-54-0x0000000000000000-mapping.dmp
-
memory/424-142-0x0000000000000000-mapping.dmp
-
memory/572-41-0x0000000000000000-mapping.dmp
-
memory/628-38-0x0000000000000000-mapping.dmp
-
memory/648-10-0x000000000041E2B0-mapping.dmp
-
memory/704-68-0x0000000000000000-mapping.dmp
-
memory/752-49-0x0000000000000000-mapping.dmp
-
memory/756-35-0x0000000000D70000-0x0000000000D7A000-memory.dmpFilesize
40KB
-
memory/756-107-0x0000000074170000-0x00000000742AC000-memory.dmpFilesize
1.2MB
-
memory/756-105-0x00000000056F0000-0x00000000057FB000-memory.dmpFilesize
1.0MB
-
memory/756-32-0x0000000000000000-mapping.dmp
-
memory/756-33-0x0000000000D70000-0x0000000000D7A000-memory.dmpFilesize
40KB
-
memory/764-164-0x000000000041E2B0-mapping.dmp
-
memory/816-11-0x0000000000000000-mapping.dmp
-
memory/820-80-0x000000000041E2B0-mapping.dmp
-
memory/820-36-0x0000000000000000-mapping.dmp
-
memory/864-30-0x000000000041E2B0-mapping.dmp
-
memory/912-90-0x0000000001330000-0x0000000001342000-memory.dmpFilesize
72KB
-
memory/912-92-0x0000000001330000-0x0000000001342000-memory.dmpFilesize
72KB
-
memory/912-89-0x0000000000000000-mapping.dmp
-
memory/980-78-0x0000000000EE0000-0x0000000000F07000-memory.dmpFilesize
156KB
-
memory/980-77-0x0000000000EE0000-0x0000000000F07000-memory.dmpFilesize
156KB
-
memory/980-76-0x0000000000000000-mapping.dmp
-
memory/1020-151-0x0000000000000000-mapping.dmp
-
memory/1020-176-0x0000000000000000-mapping.dmp
-
memory/1092-94-0x00000000011C0000-0x00000000011E7000-memory.dmpFilesize
156KB
-
memory/1092-93-0x00000000011C0000-0x00000000011E7000-memory.dmpFilesize
156KB
-
memory/1092-91-0x0000000000000000-mapping.dmp
-
memory/1156-119-0x000000000041E2B0-mapping.dmp
-
memory/1220-166-0x0000000000000000-mapping.dmp
-
memory/1232-103-0x000000000041E2B0-mapping.dmp
-
memory/1232-13-0x0000000000000000-mapping.dmp
-
memory/1328-150-0x000000000041E2B0-mapping.dmp
-
memory/1408-108-0x0000000000000000-mapping.dmp
-
memory/1424-40-0x000000000041E2B0-mapping.dmp
-
memory/1484-15-0x000000000041E2B0-mapping.dmp
-
memory/1628-128-0x000000000041E2B0-mapping.dmp
-
memory/1640-160-0x0000000000000000-mapping.dmp
-
memory/1644-16-0x0000000000000000-mapping.dmp
-
memory/1684-152-0x0000000000000000-mapping.dmp
-
memory/1780-104-0x0000000000000000-mapping.dmp
-
memory/1792-145-0x0000000001300000-0x000000000130B000-memory.dmpFilesize
44KB
-
memory/1792-143-0x0000000001300000-0x000000000130B000-memory.dmpFilesize
44KB
-
memory/1792-141-0x0000000000000000-mapping.dmp
-
memory/1828-148-0x0000000001300000-0x000000000130B000-memory.dmpFilesize
44KB
-
memory/1828-147-0x0000000001300000-0x000000000130B000-memory.dmpFilesize
44KB
-
memory/1828-144-0x0000000000000000-mapping.dmp
-
memory/1828-59-0x0000000000000000-mapping.dmp
-
memory/1836-44-0x0000000000000000-mapping.dmp
-
memory/1848-17-0x0000000000000000-mapping.dmp
-
memory/1852-47-0x000000000041E2B0-mapping.dmp
-
memory/1856-71-0x000000000041E2B0-mapping.dmp
-
memory/1900-112-0x0000000000000000-mapping.dmp
-
memory/2060-123-0x0000000000000000-mapping.dmp
-
memory/2076-153-0x0000000000000000-mapping.dmp
-
memory/2140-52-0x00000000011C0000-0x00000000011E7000-memory.dmpFilesize
156KB
-
memory/2140-51-0x00000000011C0000-0x00000000011E7000-memory.dmpFilesize
156KB
-
memory/2140-50-0x0000000000000000-mapping.dmp
-
memory/2144-74-0x0000000000000000-mapping.dmp
-
memory/2144-165-0x0000000000000000-mapping.dmp
-
memory/2148-18-0x0000000000000000-mapping.dmp
-
memory/2160-48-0x0000000000000000-mapping.dmp
-
memory/2172-63-0x0000000000000000-mapping.dmp
-
memory/2196-116-0x0000000000D40000-0x0000000000EB3000-memory.dmpFilesize
1.4MB
-
memory/2196-117-0x0000000000D40000-0x0000000000EB3000-memory.dmpFilesize
1.4MB
-
memory/2196-113-0x0000000000000000-mapping.dmp
-
memory/2200-19-0x0000000000000000-mapping.dmp
-
memory/2228-61-0x0000000001300000-0x000000000130B000-memory.dmpFilesize
44KB
-
memory/2228-58-0x0000000000000000-mapping.dmp
-
memory/2228-60-0x0000000001300000-0x000000000130B000-memory.dmpFilesize
44KB
-
memory/2232-146-0x0000000000000000-mapping.dmp
-
memory/2336-135-0x0000000000000000-mapping.dmp
-
memory/2336-42-0x0000000000000000-mapping.dmp
-
memory/2340-170-0x0000000000000000-mapping.dmp
-
memory/2384-21-0x000000000041E2B0-mapping.dmp
-
memory/2524-169-0x0000000000EE0000-0x0000000000F07000-memory.dmpFilesize
156KB
-
memory/2524-168-0x0000000000EE0000-0x0000000000F07000-memory.dmpFilesize
156KB
-
memory/2524-167-0x0000000000000000-mapping.dmp
-
memory/2540-66-0x000000000041E2B0-mapping.dmp
-
memory/2544-175-0x0000000000000000-mapping.dmp
-
memory/2688-158-0x000000000041E2B0-mapping.dmp
-
memory/2688-85-0x0000000000000000-mapping.dmp
-
memory/2836-98-0x0000000000000000-mapping.dmp
-
memory/2840-22-0x0000000000000000-mapping.dmp
-
memory/2988-114-0x0000000000000000-mapping.dmp
-
memory/3008-26-0x0000000000000000-mapping.dmp
-
memory/3016-115-0x0000000000000000-mapping.dmp
-
memory/3020-106-0x000000000B400000-0x000000000B574000-memory.dmpFilesize
1.5MB
-
memory/3020-171-0x000000000A690000-0x000000000A773000-memory.dmpFilesize
908KB
-
memory/3020-37-0x0000000009510000-0x00000000096A1000-memory.dmpFilesize
1.6MB
-
memory/3020-53-0x00000000096B0000-0x00000000097C2000-memory.dmpFilesize
1.1MB
-
memory/3020-31-0x00000000077C0000-0x0000000007949000-memory.dmpFilesize
1.5MB
-
memory/3020-139-0x000000000BDB0000-0x000000000BF4B000-memory.dmpFilesize
1.6MB
-
memory/3020-162-0x000000000C0E0000-0x000000000C287000-memory.dmpFilesize
1.7MB
-
memory/3020-121-0x000000000BAB0000-0x000000000BBCE000-memory.dmpFilesize
1.1MB
-
memory/3020-62-0x0000000009D10000-0x0000000009E6E000-memory.dmpFilesize
1.4MB
-
memory/3020-99-0x000000000B2C0000-0x000000000B3F6000-memory.dmpFilesize
1.2MB
-
memory/3020-45-0x0000000007B00000-0x0000000007BCC000-memory.dmpFilesize
816KB
-
memory/3020-57-0x0000000008080000-0x0000000008177000-memory.dmpFilesize
988KB
-
memory/3020-72-0x00000000097D0000-0x000000000988F000-memory.dmpFilesize
764KB
-
memory/3028-159-0x0000000000000000-mapping.dmp
-
memory/3060-82-0x0000000000000000-mapping.dmp
-
memory/3108-23-0x0000000000000000-mapping.dmp
-
memory/3224-86-0x0000000000000000-mapping.dmp
-
memory/3276-8-0x0000000000000000-mapping.dmp
-
memory/3316-25-0x000000000041E2B0-mapping.dmp
-
memory/3328-133-0x0000000000D40000-0x0000000000EB3000-memory.dmpFilesize
1.4MB
-
memory/3328-131-0x0000000000000000-mapping.dmp
-
memory/3328-134-0x0000000000D40000-0x0000000000EB3000-memory.dmpFilesize
1.4MB
-
memory/3376-73-0x0000000000000000-mapping.dmp
-
memory/3420-125-0x0000000000000000-mapping.dmp
-
memory/3476-34-0x0000000000000000-mapping.dmp
-
memory/3512-173-0x000000000041E2B0-mapping.dmp
-
memory/3512-3-0x0000000000000000-mapping.dmp
-
memory/3592-130-0x0000000000F20000-0x0000000000F79000-memory.dmpFilesize
356KB
-
memory/3592-132-0x0000000000F20000-0x0000000000F79000-memory.dmpFilesize
356KB
-
memory/3592-129-0x0000000000000000-mapping.dmp
-
memory/3604-111-0x0000000000000000-mapping.dmp
-
memory/3660-5-0x000000000041E2B0-mapping.dmp
-
memory/3680-101-0x0000000001040000-0x0000000001060000-memory.dmpFilesize
128KB
-
memory/3680-97-0x0000000000000000-mapping.dmp
-
memory/3680-100-0x0000000001040000-0x0000000001060000-memory.dmpFilesize
128KB
-
memory/3704-110-0x000000000041E2B0-mapping.dmp
-
memory/3708-83-0x0000000001210000-0x000000000121C000-memory.dmpFilesize
48KB
-
memory/3708-84-0x0000000001210000-0x000000000121C000-memory.dmpFilesize
48KB
-
memory/3708-81-0x0000000000000000-mapping.dmp
-
memory/3720-75-0x0000000000000000-mapping.dmp
-
memory/3724-67-0x0000000000000000-mapping.dmp
-
memory/3824-95-0x0000000000000000-mapping.dmp
-
memory/3824-28-0x0000000000000000-mapping.dmp
-
memory/3832-0-0x0000000000400000-0x000000000042D000-memory.dmpFilesize
180KB
-
memory/3832-1-0x000000000041E2B0-mapping.dmp
-
memory/3836-27-0x0000000000000000-mapping.dmp
-
memory/3840-122-0x0000000000000000-mapping.dmp
-
memory/3840-124-0x0000000000EE0000-0x000000000131F000-memory.dmpFilesize
4.2MB
-
memory/3840-126-0x0000000000EE0000-0x000000000131F000-memory.dmpFilesize
4.2MB
-
memory/3844-161-0x0000000000000000-mapping.dmp
-
memory/3860-69-0x0000000000000000-mapping.dmp
-
memory/3892-56-0x000000000041E2B0-mapping.dmp
-
memory/3912-88-0x000000000041E2B0-mapping.dmp
-
memory/3932-120-0x0000000000000000-mapping.dmp
-
memory/3936-2-0x0000000000000000-mapping.dmp
-
memory/3948-43-0x0000000000000000-mapping.dmp
-
memory/3952-138-0x0000000000140000-0x0000000000157000-memory.dmpFilesize
92KB
-
memory/3952-137-0x0000000000140000-0x0000000000157000-memory.dmpFilesize
92KB
-
memory/3952-136-0x0000000000000000-mapping.dmp
-
memory/3972-156-0x0000000001240000-0x000000000125F000-memory.dmpFilesize
124KB
-
memory/3972-155-0x0000000001240000-0x000000000125F000-memory.dmpFilesize
124KB
-
memory/3972-154-0x0000000000000000-mapping.dmp
-
memory/4004-6-0x0000000000000000-mapping.dmp
-
memory/4012-7-0x0000000000000000-mapping.dmp
-
memory/4012-174-0x0000000000000000-mapping.dmp