f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf

Analysis

max time kernel
103s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 08:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
Size

111KB
MD5

7bf66cc8b59405f094f888e9288c3193
SHA1

57e50078af3afdc73bb1afaafee8fd37ff378a29
SHA256

f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf
SHA512

2cc2ecb4e74ac3192ee98955b91c888130bf8adf78f778f2628dea0b38d8aab7d6fb0d3b841e6e01b5656b2e8a38014d410d0bda12e70e46a6f30d8ba58fc1bd
SSDEEP

1536:58DhEmyiDdKzGIXP1z8ykqgR/QM1cl9+GvoQ+1cs2lQJvEeP2z8Ooad+y1iz3/7J:GhM4dKzPrkNR/QM1cli20mJoty1ir7J

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 3 IoCs

evasion

Modify Existing Service

T1031

pid	Process
3944	netsh.exe
3632	netsh.exe
4320	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4180	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
1352	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
5012	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
5044	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
4476	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
4240	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
2248	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
2184	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
312	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
2508	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
4784	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	4180	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
Token: SeDebugPrivilege	1352	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
Token: SeDebugPrivilege	5012	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
Token: SeDebugPrivilege	5044	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
Token: SeDebugPrivilege	4476	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
Token: SeDebugPrivilege	4240	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
Token: SeDebugPrivilege	2248	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
Token: SeDebugPrivilege	2184	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
Token: SeDebugPrivilege	312	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
Token: SeDebugPrivilege	2508	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
Token: SeDebugPrivilege	4784	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 1352	4180	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	82
PID 4180 wrote to memory of 1352	4180	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	82
PID 1352 wrote to memory of 5012	1352	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	83
PID 1352 wrote to memory of 5012	1352	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	83
PID 5012 wrote to memory of 3632	5012	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	84
PID 5012 wrote to memory of 3632	5012	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	84
PID 5012 wrote to memory of 5044	5012	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	93
PID 5012 wrote to memory of 5044	5012	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	93
PID 5044 wrote to memory of 4320	5044	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	94
PID 5044 wrote to memory of 4320	5044	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	94
PID 5044 wrote to memory of 4476	5044	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	96
PID 5044 wrote to memory of 4476	5044	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	96
PID 4476 wrote to memory of 3944	4476	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	98
PID 4476 wrote to memory of 3944	4476	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	98
PID 4476 wrote to memory of 4240	4476	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	99
PID 4476 wrote to memory of 4240	4476	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	99
PID 4240 wrote to memory of 2248	4240	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	100
PID 4240 wrote to memory of 2248	4240	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	100
PID 2248 wrote to memory of 2184	2248	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	101
PID 2248 wrote to memory of 2184	2248	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	101
PID 2184 wrote to memory of 312	2184	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	102
PID 2184 wrote to memory of 312	2184	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	102
PID 312 wrote to memory of 2508	312	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	103
PID 312 wrote to memory of 2508	312	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	103
PID 2508 wrote to memory of 4784	2508	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	104
PID 2508 wrote to memory of 4784	2508	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	104
PID 4784 wrote to memory of 2076	4784	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	105
PID 4784 wrote to memory of 2076	4784	f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe	105

C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
"C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
  C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
    C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe" "f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:3632
  - - C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
      C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5044
    - - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe" "f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:4320
    - - C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4476
      - C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe" "f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:3944
      - C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        10⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        12⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        13⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        14⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        15⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        16⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        17⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        18⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        19⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        20⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        21⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        22⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        23⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        24⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        25⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        26⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        27⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        28⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        29⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        30⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        31⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        32⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        33⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        34⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        35⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        36⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        37⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        38⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        39⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        40⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        41⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        42⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        43⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        44⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        45⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        46⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        47⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        48⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        49⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        50⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        51⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        52⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        53⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        54⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        55⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        56⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        57⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        58⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        59⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        
        C:\Users\Admin\AppData\Local\Temp\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe
        60⤵
        
        PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\f5366a6ba2ca9b2802d79b58cb8741d5044921ffd6c1947053fb6cdc726297cf.exe.log

Filesize
411B

MD5
9774c3b4296df91e49d647fcb2a4f921

SHA1
b5ca5278992e103cd2977b9690ce2f1b056eea0f

SHA256
fbe34159000076c6b7fe9eba31d76a875451959de628ea573719d484b2501825

SHA512
c7fc3fc8c82236134f1202917c61e20c6e178a1d9af7806fdadf5fced26081c09d457be43616a2213885ae23178b1d21e53672af23263a6d33c725baec9cff46

Download Submit
memory/312-152-0x00007FFA78550000-0x00007FFA78F86000-memory.dmp

Filesize
10.2MB

Download
memory/1008-226-0x00007FFA78660000-0x00007FFA79096000-memory.dmp

Filesize
10.2MB

Download
memory/1020-162-0x00007FFA78660000-0x00007FFA79096000-memory.dmp

Filesize
10.2MB

Download
memory/1232-184-0x00007FFA774C0000-0x00007FFA77EF6000-memory.dmp

Filesize
10.2MB

Download
memory/1352-135-0x00007FFA783C0000-0x00007FFA78DF6000-memory.dmp

Filesize
10.2MB

Download
memory/1468-244-0x00007FFA78660000-0x00007FFA79096000-memory.dmp

Filesize
10.2MB

Download
memory/1568-204-0x00007FFA774C0000-0x00007FFA77EF6000-memory.dmp

Filesize
10.2MB

Download
memory/1592-210-0x00007FFA774C0000-0x00007FFA77EF6000-memory.dmp

Filesize
10.2MB

Download
memory/1600-228-0x00007FFA78660000-0x00007FFA79096000-memory.dmp

Filesize
10.2MB

Download
memory/1708-214-0x00007FFA774C0000-0x00007FFA77EF6000-memory.dmp

Filesize
10.2MB

Download
memory/1724-254-0x00007FFA78660000-0x00007FFA79096000-memory.dmp

Filesize
10.2MB

Download
memory/1800-206-0x00007FFA774C0000-0x00007FFA77EF6000-memory.dmp

Filesize
10.2MB

Download
memory/1864-164-0x00007FFA78660000-0x00007FFA79096000-memory.dmp

Filesize
10.2MB

Download
memory/1880-248-0x00007FFA78660000-0x00007FFA79096000-memory.dmp

Filesize
10.2MB

Download
memory/1960-182-0x00007FFA774C0000-0x00007FFA77EF6000-memory.dmp

Filesize
10.2MB

Download
memory/1968-240-0x00007FFA78660000-0x00007FFA79096000-memory.dmp

Filesize
10.2MB

Download
memory/2016-170-0x00007FFA78660000-0x00007FFA79096000-memory.dmp

Filesize
10.2MB

Download
memory/2036-172-0x00007FFA78660000-0x00007FFA79096000-memory.dmp

Filesize
10.2MB

Download
memory/2076-158-0x00007FFA78660000-0x00007FFA79096000-memory.dmp

Filesize
10.2MB

Download
memory/2168-246-0x00007FFA78660000-0x00007FFA79096000-memory.dmp

Filesize
10.2MB

Download
memory/2184-150-0x00007FFA78550000-0x00007FFA78F86000-memory.dmp

Filesize
10.2MB

Download
memory/2248-148-0x00007FFA78550000-0x00007FFA78F86000-memory.dmp

Filesize
10.2MB

Download
memory/2300-242-0x00007FFA78660000-0x00007FFA79096000-memory.dmp

Filesize
10.2MB

Download
memory/2316-212-0x00007FFA774C0000-0x00007FFA77EF6000-memory.dmp

Filesize
10.2MB

Download
memory/2352-188-0x00007FFA774C0000-0x00007FFA77EF6000-memory.dmp

Filesize
10.2MB

Download
memory/2368-166-0x00007FFA78660000-0x00007FFA79096000-memory.dmp

Filesize
10.2MB

Download
memory/2372-222-0x00007FFA78660000-0x00007FFA79096000-memory.dmp

Filesize
10.2MB

Download
memory/2420-236-0x00007FFA78660000-0x00007FFA79096000-memory.dmp

Filesize
10.2MB

Download
memory/2508-154-0x00007FFA78550000-0x00007FFA78F86000-memory.dmp

Filesize
10.2MB

Download
memory/2556-238-0x00007FFA78660000-0x00007FFA79096000-memory.dmp

Filesize
10.2MB

Download
memory/2724-208-0x00007FFA774C0000-0x00007FFA77EF6000-memory.dmp

Filesize
10.2MB

Download
memory/2948-186-0x00007FFA774C0000-0x00007FFA77EF6000-memory.dmp

Filesize
10.2MB

Download
memory/3156-190-0x00007FFA774C0000-0x00007FFA77EF6000-memory.dmp

Filesize
10.2MB

Download
memory/3596-174-0x00007FFA774C0000-0x00007FFA77EF6000-memory.dmp

Filesize
10.2MB

Download
memory/3788-202-0x00007FFA774C0000-0x00007FFA77EF6000-memory.dmp

Filesize
10.2MB

Download
memory/3920-216-0x00007FFA774C0000-0x00007FFA77EF6000-memory.dmp

Filesize
10.2MB

Download
memory/3992-180-0x00007FFA774C0000-0x00007FFA77EF6000-memory.dmp

Filesize
10.2MB

Download
memory/4052-224-0x00007FFA78660000-0x00007FFA79096000-memory.dmp

Filesize
10.2MB

Download
memory/4128-194-0x00007FFA774C0000-0x00007FFA77EF6000-memory.dmp

Filesize
10.2MB

Download
memory/4180-132-0x00007FFA783C0000-0x00007FFA78DF6000-memory.dmp

Filesize
10.2MB

Download
memory/4240-146-0x00007FFA78550000-0x00007FFA78F86000-memory.dmp

Filesize
10.2MB

Download
memory/4260-200-0x00007FFA774C0000-0x00007FFA77EF6000-memory.dmp

Filesize
10.2MB

Download
memory/4332-160-0x00007FFA78660000-0x00007FFA79096000-memory.dmp

Filesize
10.2MB

Download
memory/4476-250-0x00007FFA78660000-0x00007FFA79096000-memory.dmp

Filesize
10.2MB

Download
memory/4476-143-0x00007FFA78550000-0x00007FFA78F86000-memory.dmp

Filesize
10.2MB

Download
memory/4580-234-0x00007FFA78660000-0x00007FFA79096000-memory.dmp

Filesize
10.2MB

Download
memory/4700-196-0x00007FFA774C0000-0x00007FFA77EF6000-memory.dmp

Filesize
10.2MB

Download
memory/4728-178-0x00007FFA774C0000-0x00007FFA77EF6000-memory.dmp

Filesize
10.2MB

Download
memory/4772-252-0x00007FFA78660000-0x00007FFA79096000-memory.dmp

Filesize
10.2MB

Download
memory/4784-156-0x00007FFA78550000-0x00007FFA78F86000-memory.dmp

Filesize
10.2MB

Download
memory/4804-192-0x00007FFA774C0000-0x00007FFA77EF6000-memory.dmp

Filesize
10.2MB

Download
memory/4888-232-0x00007FFA78660000-0x00007FFA79096000-memory.dmp

Filesize
10.2MB

Download
memory/4928-176-0x00007FFA774C0000-0x00007FFA77EF6000-memory.dmp

Filesize
10.2MB

Download
memory/4996-198-0x00007FFA774C0000-0x00007FFA77EF6000-memory.dmp

Filesize
10.2MB

Download
memory/5012-137-0x00007FFA78550000-0x00007FFA78F86000-memory.dmp

Filesize
10.2MB

Download
memory/5016-218-0x00007FFA774C0000-0x00007FFA77EF6000-memory.dmp

Filesize
10.2MB

Download
memory/5036-168-0x00007FFA78660000-0x00007FFA79096000-memory.dmp

Filesize
10.2MB

Download
memory/5044-140-0x00007FFA78550000-0x00007FFA78F86000-memory.dmp

Filesize
10.2MB

Download
memory/5056-230-0x00007FFA78660000-0x00007FFA79096000-memory.dmp

Filesize
10.2MB

Download
memory/5116-220-0x00007FFA78660000-0x00007FFA79096000-memory.dmp

Filesize
10.2MB

Download