ce2644d2d9973ab0a3004942cef2d74d210882bea29d8b698c7af02d308b289e

Analysis

max time kernel
151s
max time network
44s
platform
windows7_x64
resource
win7v200430
submitted
14/07/2020, 18:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

L3PRj.dat.exe
Size

836KB
MD5

3c0d0301f6db7f6aee371c163349838c
SHA1

1d0bd91e8fc2e6fb8bdefde8a315193d3d6b03e5
SHA256

ce2644d2d9973ab0a3004942cef2d74d210882bea29d8b698c7af02d308b289e
SHA512

ddc3a72b0fd14956ba7e37c67e632669768b22ed946af65cbe9647f67f3b48f4c795ec5dd5c7bf4cdb180abd41d20d2a6ccc8aa38d7680c1af3c93c9ce4abbfb

Score

8^/10

persistence spyware discovery

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	L3PRj.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	L3PRj.dat.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
360	PING.EXE

Views/modifies file attributes 1 TTPs 48 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1564	attrib.exe
1864	attrib.exe
1504	attrib.exe
1784	attrib.exe
564	attrib.exe
1852	attrib.exe
1612	attrib.exe
1604	attrib.exe
1672	attrib.exe
980	attrib.exe
1620	attrib.exe
1920	attrib.exe
1324	attrib.exe
1828	attrib.exe
1772	attrib.exe
1780	attrib.exe
428	attrib.exe
1588	attrib.exe
1656	attrib.exe
1336	attrib.exe
1800	attrib.exe
1908	attrib.exe
1916	attrib.exe
656	attrib.exe
1872	attrib.exe
292	attrib.exe
1252	attrib.exe
1076	attrib.exe
1240	attrib.exe
1792	attrib.exe
1808	attrib.exe
1820	attrib.exe
524	attrib.exe
1440	attrib.exe
1664	attrib.exe
1084	attrib.exe
1616	attrib.exe
1544	attrib.exe
1868	attrib.exe
1520	attrib.exe
1724	attrib.exe
1840	attrib.exe
1268	attrib.exe
1508	attrib.exe
1580	attrib.exe
1896	attrib.exe
1856	attrib.exe
1964	attrib.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1448	SearchIndexer.com
1448	SearchIndexer.com
1448	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 740 set thread context of 1964	740	SearchIndexer.com	77

Executes dropped EXE 2 IoCs

pid	Process
1448	SearchIndexer.com
740	SearchIndexer.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1448	SearchIndexer.com
1448	SearchIndexer.com
1448	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com

Suspicious behavior: MapViewOfSection 48 IoCs

pid	Process
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com
740	SearchIndexer.com

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of WriteProcessMemory 213 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 1048	880	L3PRj.dat.exe	24
PID 880 wrote to memory of 1048	880	L3PRj.dat.exe	24
PID 880 wrote to memory of 1048	880	L3PRj.dat.exe	24
PID 880 wrote to memory of 1048	880	L3PRj.dat.exe	24
PID 1048 wrote to memory of 1384	1048	cmd.exe	26
PID 1048 wrote to memory of 1384	1048	cmd.exe	26
PID 1048 wrote to memory of 1384	1048	cmd.exe	26
PID 1048 wrote to memory of 1384	1048	cmd.exe	26
PID 1048 wrote to memory of 1448	1048	cmd.exe	27
PID 1048 wrote to memory of 1448	1048	cmd.exe	27
PID 1048 wrote to memory of 1448	1048	cmd.exe	27
PID 1048 wrote to memory of 1448	1048	cmd.exe	27
PID 1448 wrote to memory of 740	1448	SearchIndexer.com	28
PID 1448 wrote to memory of 740	1448	SearchIndexer.com	28
PID 1448 wrote to memory of 740	1448	SearchIndexer.com	28
PID 1448 wrote to memory of 740	1448	SearchIndexer.com	28
PID 1048 wrote to memory of 360	1048	cmd.exe	29
PID 1048 wrote to memory of 360	1048	cmd.exe	29
PID 1048 wrote to memory of 360	1048	cmd.exe	29
PID 1048 wrote to memory of 360	1048	cmd.exe	29
PID 740 wrote to memory of 1076	740	SearchIndexer.com	30
PID 740 wrote to memory of 1076	740	SearchIndexer.com	30
PID 740 wrote to memory of 1076	740	SearchIndexer.com	30
PID 740 wrote to memory of 1076	740	SearchIndexer.com	30
PID 740 wrote to memory of 1084	740	SearchIndexer.com	31
PID 740 wrote to memory of 1084	740	SearchIndexer.com	31
PID 740 wrote to memory of 1084	740	SearchIndexer.com	31
PID 740 wrote to memory of 1084	740	SearchIndexer.com	31
PID 740 wrote to memory of 1520	740	SearchIndexer.com	32
PID 740 wrote to memory of 1520	740	SearchIndexer.com	32
PID 740 wrote to memory of 1520	740	SearchIndexer.com	32
PID 740 wrote to memory of 1520	740	SearchIndexer.com	32
PID 740 wrote to memory of 1504	740	SearchIndexer.com	33
PID 740 wrote to memory of 1504	740	SearchIndexer.com	33
PID 740 wrote to memory of 1504	740	SearchIndexer.com	33
PID 740 wrote to memory of 1504	740	SearchIndexer.com	33
PID 740 wrote to memory of 1656	740	SearchIndexer.com	34
PID 740 wrote to memory of 1656	740	SearchIndexer.com	34
PID 740 wrote to memory of 1656	740	SearchIndexer.com	34
PID 740 wrote to memory of 1656	740	SearchIndexer.com	34
PID 740 wrote to memory of 1672	740	SearchIndexer.com	35
PID 740 wrote to memory of 1672	740	SearchIndexer.com	35
PID 740 wrote to memory of 1672	740	SearchIndexer.com	35
PID 740 wrote to memory of 1672	740	SearchIndexer.com	35
PID 740 wrote to memory of 1336	740	SearchIndexer.com	36
PID 740 wrote to memory of 1336	740	SearchIndexer.com	36
PID 740 wrote to memory of 1336	740	SearchIndexer.com	36
PID 740 wrote to memory of 1336	740	SearchIndexer.com	36
PID 740 wrote to memory of 1324	740	SearchIndexer.com	37
PID 740 wrote to memory of 1324	740	SearchIndexer.com	37
PID 740 wrote to memory of 1324	740	SearchIndexer.com	37
PID 740 wrote to memory of 1324	740	SearchIndexer.com	37
PID 740 wrote to memory of 1240	740	SearchIndexer.com	38
PID 740 wrote to memory of 1240	740	SearchIndexer.com	38
PID 740 wrote to memory of 1240	740	SearchIndexer.com	38
PID 740 wrote to memory of 1240	740	SearchIndexer.com	38
PID 740 wrote to memory of 1792	740	SearchIndexer.com	39
PID 740 wrote to memory of 1792	740	SearchIndexer.com	39
PID 740 wrote to memory of 1792	740	SearchIndexer.com	39
PID 740 wrote to memory of 1792	740	SearchIndexer.com	39
PID 740 wrote to memory of 1808	740	SearchIndexer.com	40
PID 740 wrote to memory of 1808	740	SearchIndexer.com	40
PID 740 wrote to memory of 1808	740	SearchIndexer.com	40
PID 740 wrote to memory of 1808	740	SearchIndexer.com	40
PID 740 wrote to memory of 1800	740	SearchIndexer.com	41
PID 740 wrote to memory of 1800	740	SearchIndexer.com	41
PID 740 wrote to memory of 1800	740	SearchIndexer.com	41
PID 740 wrote to memory of 1800	740	SearchIndexer.com	41
PID 740 wrote to memory of 1828	740	SearchIndexer.com	42
PID 740 wrote to memory of 1828	740	SearchIndexer.com	42
PID 740 wrote to memory of 1828	740	SearchIndexer.com	42
PID 740 wrote to memory of 1828	740	SearchIndexer.com	42
PID 740 wrote to memory of 1820	740	SearchIndexer.com	43
PID 740 wrote to memory of 1820	740	SearchIndexer.com	43
PID 740 wrote to memory of 1820	740	SearchIndexer.com	43
PID 740 wrote to memory of 1820	740	SearchIndexer.com	43
PID 740 wrote to memory of 1724	740	SearchIndexer.com	44
PID 740 wrote to memory of 1724	740	SearchIndexer.com	44
PID 740 wrote to memory of 1724	740	SearchIndexer.com	44
PID 740 wrote to memory of 1724	740	SearchIndexer.com	44
PID 740 wrote to memory of 1840	740	SearchIndexer.com	45
PID 740 wrote to memory of 1840	740	SearchIndexer.com	45
PID 740 wrote to memory of 1840	740	SearchIndexer.com	45
PID 740 wrote to memory of 1840	740	SearchIndexer.com	45
PID 740 wrote to memory of 1772	740	SearchIndexer.com	46
PID 740 wrote to memory of 1772	740	SearchIndexer.com	46
PID 740 wrote to memory of 1772	740	SearchIndexer.com	46
PID 740 wrote to memory of 1772	740	SearchIndexer.com	46
PID 740 wrote to memory of 1780	740	SearchIndexer.com	47
PID 740 wrote to memory of 1780	740	SearchIndexer.com	47
PID 740 wrote to memory of 1780	740	SearchIndexer.com	47
PID 740 wrote to memory of 1780	740	SearchIndexer.com	47
PID 740 wrote to memory of 1784	740	SearchIndexer.com	48
PID 740 wrote to memory of 1784	740	SearchIndexer.com	48
PID 740 wrote to memory of 1784	740	SearchIndexer.com	48
PID 740 wrote to memory of 1784	740	SearchIndexer.com	48
PID 740 wrote to memory of 428	740	SearchIndexer.com	49
PID 740 wrote to memory of 428	740	SearchIndexer.com	49
PID 740 wrote to memory of 428	740	SearchIndexer.com	49
PID 740 wrote to memory of 428	740	SearchIndexer.com	49
PID 740 wrote to memory of 656	740	SearchIndexer.com	50
PID 740 wrote to memory of 656	740	SearchIndexer.com	50
PID 740 wrote to memory of 656	740	SearchIndexer.com	50
PID 740 wrote to memory of 656	740	SearchIndexer.com	50
PID 740 wrote to memory of 524	740	SearchIndexer.com	51
PID 740 wrote to memory of 524	740	SearchIndexer.com	51
PID 740 wrote to memory of 524	740	SearchIndexer.com	51
PID 740 wrote to memory of 524	740	SearchIndexer.com	51
PID 740 wrote to memory of 292	740	SearchIndexer.com	52
PID 740 wrote to memory of 292	740	SearchIndexer.com	52
PID 740 wrote to memory of 292	740	SearchIndexer.com	52
PID 740 wrote to memory of 292	740	SearchIndexer.com	52
PID 740 wrote to memory of 1252	740	SearchIndexer.com	53
PID 740 wrote to memory of 1252	740	SearchIndexer.com	53
PID 740 wrote to memory of 1252	740	SearchIndexer.com	53
PID 740 wrote to memory of 1252	740	SearchIndexer.com	53
PID 740 wrote to memory of 980	740	SearchIndexer.com	54
PID 740 wrote to memory of 980	740	SearchIndexer.com	54
PID 740 wrote to memory of 980	740	SearchIndexer.com	54
PID 740 wrote to memory of 980	740	SearchIndexer.com	54
PID 740 wrote to memory of 1440	740	SearchIndexer.com	55
PID 740 wrote to memory of 1440	740	SearchIndexer.com	55
PID 740 wrote to memory of 1440	740	SearchIndexer.com	55
PID 740 wrote to memory of 1440	740	SearchIndexer.com	55
PID 740 wrote to memory of 564	740	SearchIndexer.com	56
PID 740 wrote to memory of 564	740	SearchIndexer.com	56
PID 740 wrote to memory of 564	740	SearchIndexer.com	56
PID 740 wrote to memory of 564	740	SearchIndexer.com	56
PID 740 wrote to memory of 1268	740	SearchIndexer.com	57
PID 740 wrote to memory of 1268	740	SearchIndexer.com	57
PID 740 wrote to memory of 1268	740	SearchIndexer.com	57
PID 740 wrote to memory of 1268	740	SearchIndexer.com	57
PID 740 wrote to memory of 1508	740	SearchIndexer.com	58
PID 740 wrote to memory of 1508	740	SearchIndexer.com	58
PID 740 wrote to memory of 1508	740	SearchIndexer.com	58
PID 740 wrote to memory of 1508	740	SearchIndexer.com	58
PID 740 wrote to memory of 1616	740	SearchIndexer.com	59
PID 740 wrote to memory of 1616	740	SearchIndexer.com	59
PID 740 wrote to memory of 1616	740	SearchIndexer.com	59
PID 740 wrote to memory of 1616	740	SearchIndexer.com	59
PID 740 wrote to memory of 1620	740	SearchIndexer.com	60
PID 740 wrote to memory of 1620	740	SearchIndexer.com	60
PID 740 wrote to memory of 1620	740	SearchIndexer.com	60
PID 740 wrote to memory of 1620	740	SearchIndexer.com	60
PID 740 wrote to memory of 1852	740	SearchIndexer.com	61
PID 740 wrote to memory of 1852	740	SearchIndexer.com	61
PID 740 wrote to memory of 1852	740	SearchIndexer.com	61
PID 740 wrote to memory of 1852	740	SearchIndexer.com	61
PID 740 wrote to memory of 1580	740	SearchIndexer.com	62
PID 740 wrote to memory of 1580	740	SearchIndexer.com	62
PID 740 wrote to memory of 1580	740	SearchIndexer.com	62
PID 740 wrote to memory of 1580	740	SearchIndexer.com	62
PID 740 wrote to memory of 1588	740	SearchIndexer.com	63
PID 740 wrote to memory of 1588	740	SearchIndexer.com	63
PID 740 wrote to memory of 1588	740	SearchIndexer.com	63
PID 740 wrote to memory of 1588	740	SearchIndexer.com	63
PID 740 wrote to memory of 1612	740	SearchIndexer.com	64
PID 740 wrote to memory of 1612	740	SearchIndexer.com	64
PID 740 wrote to memory of 1612	740	SearchIndexer.com	64
PID 740 wrote to memory of 1612	740	SearchIndexer.com	64
PID 740 wrote to memory of 1604	740	SearchIndexer.com	65
PID 740 wrote to memory of 1604	740	SearchIndexer.com	65
PID 740 wrote to memory of 1604	740	SearchIndexer.com	65
PID 740 wrote to memory of 1604	740	SearchIndexer.com	65
PID 740 wrote to memory of 1664	740	SearchIndexer.com	66
PID 740 wrote to memory of 1664	740	SearchIndexer.com	66
PID 740 wrote to memory of 1664	740	SearchIndexer.com	66
PID 740 wrote to memory of 1664	740	SearchIndexer.com	66
PID 740 wrote to memory of 1564	740	SearchIndexer.com	67
PID 740 wrote to memory of 1564	740	SearchIndexer.com	67
PID 740 wrote to memory of 1564	740	SearchIndexer.com	67
PID 740 wrote to memory of 1564	740	SearchIndexer.com	67
PID 740 wrote to memory of 1544	740	SearchIndexer.com	68
PID 740 wrote to memory of 1544	740	SearchIndexer.com	68
PID 740 wrote to memory of 1544	740	SearchIndexer.com	68
PID 740 wrote to memory of 1544	740	SearchIndexer.com	68
PID 740 wrote to memory of 1868	740	SearchIndexer.com	69
PID 740 wrote to memory of 1868	740	SearchIndexer.com	69
PID 740 wrote to memory of 1868	740	SearchIndexer.com	69
PID 740 wrote to memory of 1868	740	SearchIndexer.com	69
PID 740 wrote to memory of 1908	740	SearchIndexer.com	70
PID 740 wrote to memory of 1908	740	SearchIndexer.com	70
PID 740 wrote to memory of 1908	740	SearchIndexer.com	70
PID 740 wrote to memory of 1908	740	SearchIndexer.com	70
PID 740 wrote to memory of 1920	740	SearchIndexer.com	71
PID 740 wrote to memory of 1920	740	SearchIndexer.com	71
PID 740 wrote to memory of 1920	740	SearchIndexer.com	71
PID 740 wrote to memory of 1920	740	SearchIndexer.com	71
PID 740 wrote to memory of 1872	740	SearchIndexer.com	72
PID 740 wrote to memory of 1872	740	SearchIndexer.com	72
PID 740 wrote to memory of 1872	740	SearchIndexer.com	72
PID 740 wrote to memory of 1872	740	SearchIndexer.com	72
PID 740 wrote to memory of 1896	740	SearchIndexer.com	73
PID 740 wrote to memory of 1896	740	SearchIndexer.com	73
PID 740 wrote to memory of 1896	740	SearchIndexer.com	73
PID 740 wrote to memory of 1896	740	SearchIndexer.com	73
PID 740 wrote to memory of 1856	740	SearchIndexer.com	74
PID 740 wrote to memory of 1856	740	SearchIndexer.com	74
PID 740 wrote to memory of 1856	740	SearchIndexer.com	74
PID 740 wrote to memory of 1856	740	SearchIndexer.com	74
PID 740 wrote to memory of 1864	740	SearchIndexer.com	75
PID 740 wrote to memory of 1864	740	SearchIndexer.com	75
PID 740 wrote to memory of 1864	740	SearchIndexer.com	75
PID 740 wrote to memory of 1864	740	SearchIndexer.com	75
PID 740 wrote to memory of 1916	740	SearchIndexer.com	76
PID 740 wrote to memory of 1916	740	SearchIndexer.com	76
PID 740 wrote to memory of 1916	740	SearchIndexer.com	76
PID 740 wrote to memory of 1916	740	SearchIndexer.com	76
PID 740 wrote to memory of 1964	740	SearchIndexer.com	77
PID 740 wrote to memory of 1964	740	SearchIndexer.com	77
PID 740 wrote to memory of 1964	740	SearchIndexer.com	77
PID 740 wrote to memory of 1964	740	SearchIndexer.com	77
PID 740 wrote to memory of 1964	740	SearchIndexer.com	77

Loads dropped DLL 2 IoCs

pid	Process
1048	cmd.exe
1448	SearchIndexer.com

C:\Users\Admin\AppData\Local\Temp\L3PRj.dat.exe
"C:\Users\Admin\AppData\Local\Temp\L3PRj.dat.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c <nul set /p ="M" > SearchIndexer.com & type RSAzhE.com >> SearchIndexer.com & del RSAzhE.com & certutil -decode TLW.com A & SearchIndexer.com A & ping 127.0.0.1 -n 3
  2⤵
  - Suspicious use of WriteProcessMemory
  - Loads dropped DLL
  PID:1048
- - C:\Windows\SysWOW64\certutil.exe
    certutil -decode TLW.com A
    3⤵
    PID:1384
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SearchIndexer.com
    SearchIndexer.com A
    3⤵
    - Suspicious use of FindShellTrayWindow
    - Executes dropped EXE
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - Loads dropped DLL
    PID:1448
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SearchIndexer.com
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SearchIndexer.com A
      4⤵
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetThreadContext
      Executes dropped EXE
      Suspicious use of SendNotifyMessage
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:740
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1076
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1084
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1520
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1504
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1656
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1672
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1336
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1324
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1240
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1792
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1808
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1800
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1828
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1820
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1724
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1840
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1772
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1780
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1784
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:428
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:656
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:524
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:292
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1252
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:980
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1440
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:564
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1268
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1508
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1616
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1620
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1852
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1580
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1588
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1612
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1604
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1664
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1564
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1544
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1868
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1908
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1920
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1872
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1896
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1856
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1864
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1916
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1964
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - Runs ping.exe
    PID:360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1964-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1964-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads