Resubmissions
05-10-2022 11:39
221005-nsrtyaedfm 905-10-2022 08:12
221005-j3wtesdfg7 905-10-2022 06:56
221005-hqhwcsdeg8 9Analysis
-
max time kernel
108s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
05-10-2022 06:56
General
-
Target
830004.exe
-
Size
691KB
-
MD5
58aea2aac89947773dfae8e3859e20b0
-
SHA1
be17c41c65703f9475e36dff55fd3de220e395f3
-
SHA256
39b74b2fb057e8c78a2ba6639cf3d58ae91685e6ac13b57b70d2afb158cf742d
-
SHA512
f3d43c0759b05b949498cc63084b54b869c228a427f1590a1010007b4bdbebf760145a29e5f1a7c5585133ed76a3c1a5d7bf2ace46858ac9a48ff5c05eafa6eb
-
SSDEEP
12288:i0iads6yn93ySQDWYgeWYg955/155/m6q5iKn3zMCO342FoqdXS:dicFyn93ySQJ5f34Jo2Fi
Score
7/10
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 64 IoCs
-
Delays execution with timeout.exe 56 IoCs
-
Enumerates processes with tasklist 1 TTPs 57 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious use of AdjustPrivilegeToken 59 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\830004.exe"C:\Users\Admin\AppData\Local\Temp\830004.exe"1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Settings\9t4T8k5j8.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net config server /autodisconnect:-12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet config server /autodisconnect:-13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 config server /autodisconnect:-14⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add hklm\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityUpdate /t REG_EXPAND_SZ /d C:\Users\Admin\AppData\Local\Temp\830004.exe /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add hklm\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityUpdate /t REG_EXPAND_SZ /d C:\Users\Admin\AppData\Local\Temp\830004.exe /f3⤵
- Adds Run key to start application
- Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Settings\9t4T8k5j8.batFilesize
163B
MD53578e838f655c9bd9426651cc13f6a84
SHA110b312cca508e1958507cd3f8a6feae72f6a3a3d
SHA25642f5a94a41364f4ab334ab6bf3638b1861d3a10b7684df6e5968567ca5027bde
SHA5124ccd6320fe0eb7dccd3b322ffbb94b9f718123dec2781f9f9404e3c520628f8f9d544b88189dda079a8f431cebdecc7a3cd94e37d21eb9257fdc65408465a995
-
memory/224-189-0x0000000000000000-mapping.dmp
-
memory/696-134-0x0000000000000000-mapping.dmp
-
memory/916-186-0x0000000000000000-mapping.dmp
-
memory/1152-170-0x0000000000000000-mapping.dmp
-
memory/1232-191-0x0000000000000000-mapping.dmp
-
memory/1372-185-0x0000000000000000-mapping.dmp
-
memory/1372-142-0x0000000000000000-mapping.dmp
-
memory/1376-164-0x0000000000000000-mapping.dmp
-
memory/1452-136-0x0000000000000000-mapping.dmp
-
memory/1480-148-0x0000000000000000-mapping.dmp
-
memory/1612-178-0x0000000000000000-mapping.dmp
-
memory/1664-153-0x0000000000000000-mapping.dmp
-
memory/1824-196-0x0000000000000000-mapping.dmp
-
memory/1832-173-0x0000000000000000-mapping.dmp
-
memory/1880-155-0x0000000000000000-mapping.dmp
-
memory/1960-139-0x0000000000000000-mapping.dmp
-
memory/2004-160-0x0000000000000000-mapping.dmp
-
memory/2080-133-0x0000000000000000-mapping.dmp
-
memory/2088-161-0x0000000000000000-mapping.dmp
-
memory/2100-143-0x0000000000000000-mapping.dmp
-
memory/2108-137-0x0000000000000000-mapping.dmp
-
memory/2148-183-0x0000000000000000-mapping.dmp
-
memory/2220-181-0x0000000000000000-mapping.dmp
-
memory/2264-174-0x0000000000000000-mapping.dmp
-
memory/2704-154-0x0000000000000000-mapping.dmp
-
memory/2876-175-0x0000000000000000-mapping.dmp
-
memory/2944-141-0x0000000000000000-mapping.dmp
-
memory/2972-182-0x0000000000000000-mapping.dmp
-
memory/3000-167-0x0000000000000000-mapping.dmp
-
memory/3016-195-0x0000000000000000-mapping.dmp
-
memory/3040-144-0x0000000000000000-mapping.dmp
-
memory/3048-180-0x0000000000000000-mapping.dmp
-
memory/3180-157-0x0000000000000000-mapping.dmp
-
memory/3236-188-0x0000000000000000-mapping.dmp
-
memory/3268-156-0x0000000000000000-mapping.dmp
-
memory/3368-177-0x0000000000000000-mapping.dmp
-
memory/3504-151-0x0000000000000000-mapping.dmp
-
memory/3652-179-0x0000000000000000-mapping.dmp
-
memory/3716-158-0x0000000000000000-mapping.dmp
-
memory/3816-145-0x0000000000000000-mapping.dmp
-
memory/3932-132-0x0000000000000000-mapping.dmp
-
memory/4024-171-0x0000000000000000-mapping.dmp
-
memory/4128-193-0x0000000000000000-mapping.dmp
-
memory/4188-146-0x0000000000000000-mapping.dmp
-
memory/4192-162-0x0000000000000000-mapping.dmp
-
memory/4236-147-0x0000000000000000-mapping.dmp
-
memory/4244-187-0x0000000000000000-mapping.dmp
-
memory/4252-150-0x0000000000000000-mapping.dmp
-
memory/4264-166-0x0000000000000000-mapping.dmp
-
memory/4288-149-0x0000000000000000-mapping.dmp
-
memory/4288-192-0x0000000000000000-mapping.dmp
-
memory/4316-169-0x0000000000000000-mapping.dmp
-
memory/4440-184-0x0000000000000000-mapping.dmp
-
memory/4484-176-0x0000000000000000-mapping.dmp
-
memory/4504-190-0x0000000000000000-mapping.dmp
-
memory/4516-159-0x0000000000000000-mapping.dmp
-
memory/4572-194-0x0000000000000000-mapping.dmp
-
memory/4664-152-0x0000000000000000-mapping.dmp
-
memory/4724-165-0x0000000000000000-mapping.dmp
-
memory/4900-163-0x0000000000000000-mapping.dmp
-
memory/4936-172-0x0000000000000000-mapping.dmp
-
memory/5024-168-0x0000000000000000-mapping.dmp
-
memory/5080-140-0x0000000000000000-mapping.dmp
-
memory/5084-138-0x0000000000000000-mapping.dmp