Overview

overview

10

Static

static

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

3

ฺฺฺK...ฺฺ

windows10_x64

3

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

8

Resubmissions

03/07/2024, 16:04

240703-thygmaycpc 10

01/07/2024, 18:12

240701-ws6xvswbkj 10

01/07/2024, 18:03

240701-wm5sls1gka 10

01/07/2024, 18:03

240701-wm39sa1gjf 10

01/07/2024, 18:03

240701-wm2e7avhkj 10

01/07/2024, 18:03

240701-wmzxcs1fre 10

01/07/2024, 18:02

240701-wmzats1frc 10

01/07/2024, 18:02

240701-wmvbwa1fqh 10

22/11/2023, 17:02

231122-vkac9adg64 10

Analysis

  • max time kernel
    1783s
  • max time network
    1718s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19/11/2020, 13:14

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Score
10/10
discoverypersistenceransomwareupx

Malware Config

Extracted

Path

C:\_readme.txt

Ransom Note
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-T9WE5uiVT6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 046Sdsd3273yifhsisySD60h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
URLs

https://we.tl/t-T9WE5uiVT6

Signatures

  • Executes dropped EXE 24 IoCs
  • Modifies Installed Components in the registry 2 TTPs
    persistence
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • UPX packed file 25 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 30 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 29 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 45 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"
    1⤵
    • Adds Run key to start application
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3920
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      2⤵
      • Modifies file permissions
      PID:3944
    • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Admin IsNotAutoStart IsNotTask
      2⤵
      • Modifies extensions of user files
      • Drops desktop.ini file(s)
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3932
      • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsNotTask
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2112
        • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
          "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2112 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2352
      • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3932 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2404
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2924 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1040
    • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 1840 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3104
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2908 -s 5808
    1⤵
    • Program crash
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1992
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3040
  • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2252
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1368
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3184
      • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3184 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1992
    • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 1976 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3528
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3616
    • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2232
      • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2232 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2188
    • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3616 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4004
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3360
    • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3704
      • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3704 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2292
    • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3360 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:688
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3752
      • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3752 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3080
    • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2824 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3508
  • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3636
    • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
      2⤵
      • Executes dropped EXE
      PID:400
      • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 400 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        3⤵
        • Executes dropped EXE
        PID:3236
    • C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\0854849c-746a-4dfb-a930-9c35ff4d7295\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3636 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
      2⤵
      • Executes dropped EXE
      PID:32

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/32-299-0x0000000000750000-0x0000000000790000-memory.dmp

    Filesize

    256KB

    Download

  • memory/32-298-0x00000000021E0000-0x00000000021E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/400-297-0x0000000002110000-0x0000000002111000-memory.dmp

    Filesize

    4KB

    Download

  • memory/400-300-0x0000000000510000-0x0000000000550000-memory.dmp

    Filesize

    256KB

    Download

  • memory/688-258-0x0000000000600000-0x0000000000640000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1040-165-0x00000000021A0000-0x00000000021A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1040-205-0x00000000006E0000-0x0000000000720000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1840-19-0x0000000002150000-0x0000000002151000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1840-20-0x000000000077A000-0x00000000007BA000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1840-21-0x0000000002150000-0x0000000002151000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1976-209-0x0000000000680000-0x00000000006C0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1976-208-0x0000000002430000-0x0000000002431000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-135-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-168-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-72-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-74-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-76-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-78-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-80-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-82-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-85-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-87-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-89-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-91-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-93-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-95-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-97-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-99-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-101-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-103-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-107-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-111-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-113-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-115-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-117-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-119-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-121-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-123-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-125-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-127-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-129-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-131-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-133-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-57-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-137-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-139-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-141-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-143-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-145-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-147-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-149-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-151-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-59-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-155-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-157-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-159-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-161-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-163-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-54-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-61-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-166-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-50-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-170-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-172-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-174-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-176-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-178-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-180-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-182-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-184-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-186-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-188-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-190-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-192-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-194-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-196-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-22-0x0000021698590000-0x0000021698591000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-200-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-202-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-204-0x00000216A49B0000-0x00000216A49B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-67-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-52-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-65-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-63-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-198-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-23-0x0000021698590000-0x0000021698591000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-70-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-25-0x0000021699B00000-0x0000021699B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-48-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-26-0x0000021699B00000-0x0000021699B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-46-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-44-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-42-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-40-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-38-0x0000021698560000-0x0000021698561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-37-0x000002169A160000-0x000002169A161000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-227-0x0000000000680000-0x00000000006C0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2112-13-0x00000000008B0000-0x00000000008F0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2112-12-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2188-247-0x00000000006E0000-0x0000000000720000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2232-243-0x00000000005A0000-0x00000000005E0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2232-240-0x00000000021B0000-0x00000000021B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2292-261-0x0000000002150000-0x0000000002151000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2292-262-0x0000000000640000-0x0000000000680000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2352-16-0x00000000022F0000-0x00000000022F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2352-17-0x00000000007F0000-0x0000000000830000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2404-14-0x0000000000670000-0x00000000006B0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2404-11-0x00000000022D0000-0x00000000022D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2824-264-0x00000000022D0000-0x00000000022D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2824-265-0x00000000007D0000-0x0000000000810000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2924-69-0x0000000000620000-0x0000000000660000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2924-35-0x00000000021E0000-0x00000000021E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3080-288-0x00000000020C0000-0x00000000020C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3080-289-0x0000000000680000-0x00000000006C0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3104-34-0x0000000002250000-0x0000000002251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3104-55-0x0000000000620000-0x0000000000660000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3184-213-0x0000000002060000-0x0000000002061000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3184-223-0x00000000006D0000-0x0000000000710000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3236-304-0x00000000004E0000-0x0000000000520000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3236-303-0x0000000002300000-0x0000000002301000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3360-249-0x0000000002460000-0x0000000002461000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3360-250-0x00000000006F0000-0x0000000000730000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3508-273-0x00000000007D0000-0x0000000000810000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3508-271-0x0000000002340000-0x0000000002341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3528-222-0x0000000000730000-0x0000000000770000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3528-215-0x0000000002200000-0x0000000002201000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3616-233-0x0000000002180000-0x0000000002181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3616-234-0x00000000005E0000-0x0000000000620000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3636-291-0x0000000002380000-0x0000000002381000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3636-292-0x0000000000870000-0x00000000008B0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3704-255-0x00000000022F0000-0x00000000022F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3704-257-0x00000000004F0000-0x0000000000530000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3752-270-0x00000000022A0000-0x00000000022A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3752-272-0x0000000000530000-0x0000000000570000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3920-1-0x000000000082A000-0x000000000086A000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3920-0-0x0000000002460000-0x0000000002461000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3932-6-0x0000000000700000-0x0000000000740000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3932-5-0x0000000002200000-0x0000000002201000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4004-242-0x00000000004E0000-0x0000000000520000-memory.dmp

    Filesize

    256KB

    Download