Analysis
-
max time kernel
163s -
max time network
170s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
08/05/2022, 07:30
Static task
static1
Behavioral task
behavioral1
Sample
f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
Resource
win10v2004-20220414-en
General
-
Target
f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
-
Size
2.1MB
-
MD5
e42e185f70b5c89af184424bb35da929
-
SHA1
2023e739f67dca9aadfa3143678444b53d9711ed
-
SHA256
f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e
-
SHA512
c6f171100ce8411246db5f49e7b7ace7780eefd6cce5490bb570f45d3abc928ae45d78f0d26d90e211612fe67f37942010a9ccd21d53efec8b77b13f9c534430
Malware Config
Signatures
-
BitRAT Payload 2 IoCs
resource                                                                      yara_rule
behavioral2/memory/2032-154-0x0000000000400000-0x000000000081E000-memory.dmp  family_bitrat
behavioral2/memory/2032-160-0x0000000000400000-0x000000000081E000-memory.dmp  family_bitrat
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description: Set value (str)
ioc:         \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe\""
Process:     f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
resource                                                                      yara_rule
behavioral2/memory/2032-148-0x0000000000400000-0x000000000081E000-memory.dmp  upx
behavioral2/memory/2032-149-0x0000000000400000-0x000000000081E000-memory.dmp  upx
behavioral2/memory/2032-154-0x0000000000400000-0x000000000081E000-memory.dmp  upx
behavioral2/memory/2032-150-0x0000000000400000-0x000000000081E000-memory.dmp  upx
behavioral2/memory/2032-160-0x0000000000400000-0x000000000081E000-memory.dmp  upx
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc:         \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
Process:     f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
-
Drops startup file 2 IoCs
description: File created
ioc:         C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
Process:     f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe

description: File opened for modification
ioc:         C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
Process:     f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
-
Windows security modification 11 IoCs
Process for every row: f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
description      ioc
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe = "0"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe = "0"
-
Adds Run key to start application 2 TTPs 2 IoCs
description: Set value (str)
ioc:         \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe"
Process:     f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe

description: Set value (str)
ioc:         \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe"
Process:     f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
59    myexternalip.com
66    myexternalip.com
58    myexternalip.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 33 IoCs
pid   Process
4180  f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe  (16 identical entries)
2032  f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe  (17 identical entries)
-
Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process                                                                procid_target
PID 4180 set thread context of 2032  4180  f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe  101
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid   pid_target  Process       procid_target
1536  4180        WerFault.exe  80
-
Delays execution with timeout.exe 1 IoCs
pid   Process
3084  timeout.exe
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid   Process
3516  powershell.exe  (2 identical entries)
4344  powershell.exe  (2 identical entries)
2116  powershell.exe  (2 identical entries)
2088  powershell.exe  (2 identical entries)
4180  f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe  (9 identical entries)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
description                 pid   Process
Token: SeDebugPrivilege     4180  f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
Token: SeDebugPrivilege     4344  powershell.exe
Token: SeDebugPrivilege     3516  powershell.exe
Token: SeDebugPrivilege     2116  powershell.exe
Token: SeDebugPrivilege     2088  powershell.exe
Token: SeShutdownPrivilege  2032  f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
2032  f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe  (2 identical entries)
-
Suspicious use of WriteProcessMemory 32 IoCs
Process for every row: f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe (pid 4180)
description                       procid_target  entries
PID 4180 wrote to memory of 3084  82             3
PID 4180 wrote to memory of 4344  87             3
PID 4180 wrote to memory of 3516  89             3
PID 4180 wrote to memory of 2116  91             3
PID 4180 wrote to memory of 2088  93             3
PID 4180 wrote to memory of 4560  98             3
PID 4180 wrote to memory of 4748  99             3
PID 4180 wrote to memory of 2756  100            3
PID 4180 wrote to memory of 2032  101            8
Processes
-
C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe"
  PID:4180
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Drops startup file
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe
      command line: timeout 4
      PID:3084
      - Delays execution with timeout.exe

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe" -Force
      PID:4344
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe" -Force
      PID:3516
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe" -Force
      PID:2116
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe" -Force
      PID:2088
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe"
      PID:4560

    C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe"
      PID:4748

    C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe"
      PID:2756

    C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe"
      PID:2032
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 1580
      PID:1536
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4180 -ip 4180
  PID:2076
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize  2KB
MD5       968cb9309758126772781b83adb8a28f
SHA1      8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize  18KB
MD5       4a38d5b0b02b758b2880578f7b5f9f7b
SHA1      08219944009c483e3674240ebe75555c6d0f6e8c
SHA256    b211519273748838dcc66e92727385a9f91c270987e014348511fd28f61669d9
SHA512    8218cbe01f72ac490264fbf6ec030450f6b20c88e7eb3d0d3f27333bbd04059d4962393d20a76a9b1324c57dd21ca427c632010c83804a6844b09e9082de72a9
-
Filesize  18KB
MD5       d51ca9e06574c673490e81c52ff7a38f
SHA1      43bb7f11f917ca94c75f785fd8abfc078c7d795b
SHA256    287f0cd71a4dcde2cd52bb3629f2f1ef6203cfd04929d2f5694486b1e435b471
SHA512    a260768d2078fbd648e2c4faa18a66a020ee33d5e3f2d28e5b66d954c61d3dded6b05ff9c91bb40f7a2f739a2d626638d98b3c00caa7bb2475138f3e20790868