501079482648396c40bba81e38661c35ff927a8331ce8d4d23e5e5b34b844495

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

501079482648396c40bba81e38661c35ff927a8331ce8d4d23e5e5b34b844495.exe
Size

2.1MB
MD5

34597bd8d6fd56c99db5ef23f1a61924
SHA1

fbcf6058c106f4110002875befa0fbc8e957670a
SHA256

501079482648396c40bba81e38661c35ff927a8331ce8d4d23e5e5b34b844495
SHA512

af364eed28a27991b600b2bead8319d01ce5318572620e3ab2f1d0a962f70607c11b19b96a5782095355751a8823b5c0b1801cf4c67449ed613a89e1646a39b9
SSDEEP

49152:7TD/sqM5pQr+eBLVyZEaKFVAmf5eZRqg1AKpABgh2RCBZm+2j:nD/lM5pE+evqE7AmxeZJy3BgkRcZa

Score

8^/10

persistence vmprotect

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

244.exeglow esp 11.22.2017.exetmp.exehostdl.exedefender.exe

pid process

4828 244.exe
624 glow esp 11.22.2017.exe
1556 tmp.exe
3040 hostdl.exe
3560 defender.exe

pid	process
4828	244.exe
624	glow esp 11.22.2017.exe
1556	tmp.exe
3040	hostdl.exe
3560	defender.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\1337\glow esp 11.22.2017.exe	vmprotect
C:\Users\Admin\AppData\Roaming\1337\glow esp 11.22.2017.exe	vmprotect
behavioral2/memory/624-140-0x00000000003C0000-0x00000000007C9000-memory.dmp	vmprotect
behavioral2/memory/624-146-0x00000000003C0000-0x00000000007C9000-memory.dmp	vmprotect
behavioral2/memory/624-173-0x00000000003C0000-0x00000000007C9000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

501079482648396c40bba81e38661c35ff927a8331ce8d4d23e5e5b34b844495.exe244.exetmp.exehostdl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	501079482648396c40bba81e38661c35ff927a8331ce8d4d23e5e5b34b844495.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	244.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	hostdl.exe

Loads dropped DLL 1 IoCs

Processes:

501079482648396c40bba81e38661c35ff927a8331ce8d4d23e5e5b34b844495.exe

pid process

4848 501079482648396c40bba81e38661c35ff927a8331ce8d4d23e5e5b34b844495.exe

pid	process
4848	501079482648396c40bba81e38661c35ff927a8331ce8d4d23e5e5b34b844495.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows Defender\\defender.exe\""	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Host-process = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Network\\Connections\\hostdl.exe\""	tmp.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

glow esp 11.22.2017.exe

pid process

624 glow esp 11.22.2017.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

glow esp 11.22.2017.exe244.exehostdl.exe

pid	process
624	glow esp 11.22.2017.exe
624	glow esp 11.22.2017.exe
624	glow esp 11.22.2017.exe
624	glow esp 11.22.2017.exe
4828	244.exe
624	glow esp 11.22.2017.exe
624	glow esp 11.22.2017.exe
624	glow esp 11.22.2017.exe
624	glow esp 11.22.2017.exe
624	glow esp 11.22.2017.exe
624	glow esp 11.22.2017.exe
624	glow esp 11.22.2017.exe
624	glow esp 11.22.2017.exe
624	glow esp 11.22.2017.exe
624	glow esp 11.22.2017.exe
624	glow esp 11.22.2017.exe
624	glow esp 11.22.2017.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
624	glow esp 11.22.2017.exe
624	glow esp 11.22.2017.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe
3040	hostdl.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

244.exetmp.exehostdl.exe

description pid process

Token: SeDebugPrivilege 4828 244.exe
Token: SeDebugPrivilege 1556 tmp.exe
Token: SeDebugPrivilege 3040 hostdl.exe

description	pid	process
Token: SeDebugPrivilege	4828	244.exe
Token: SeDebugPrivilege	1556	tmp.exe
Token: SeDebugPrivilege	3040	hostdl.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

501079482648396c40bba81e38661c35ff927a8331ce8d4d23e5e5b34b844495.exe244.exetmp.exeglow esp 11.22.2017.execsc.exehostdl.exe

description	pid	process	target process
PID 4848 wrote to memory of 4828	4848	501079482648396c40bba81e38661c35ff927a8331ce8d4d23e5e5b34b844495.exe	244.exe
PID 4848 wrote to memory of 4828	4848	501079482648396c40bba81e38661c35ff927a8331ce8d4d23e5e5b34b844495.exe	244.exe
PID 4848 wrote to memory of 4828	4848	501079482648396c40bba81e38661c35ff927a8331ce8d4d23e5e5b34b844495.exe	244.exe
PID 4848 wrote to memory of 624	4848	501079482648396c40bba81e38661c35ff927a8331ce8d4d23e5e5b34b844495.exe	glow esp 11.22.2017.exe
PID 4848 wrote to memory of 624	4848	501079482648396c40bba81e38661c35ff927a8331ce8d4d23e5e5b34b844495.exe	glow esp 11.22.2017.exe
PID 4848 wrote to memory of 624	4848	501079482648396c40bba81e38661c35ff927a8331ce8d4d23e5e5b34b844495.exe	glow esp 11.22.2017.exe
PID 4828 wrote to memory of 1556	4828	244.exe	tmp.exe
PID 4828 wrote to memory of 1556	4828	244.exe	tmp.exe
PID 4828 wrote to memory of 1556	4828	244.exe	tmp.exe
PID 1556 wrote to memory of 2256	1556	tmp.exe	csc.exe
PID 1556 wrote to memory of 2256	1556	tmp.exe	csc.exe
PID 1556 wrote to memory of 2256	1556	tmp.exe	csc.exe
PID 624 wrote to memory of 2336	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 2336	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 2336	624	glow esp 11.22.2017.exe	cmd.exe
PID 2256 wrote to memory of 3744	2256	csc.exe	cvtres.exe
PID 2256 wrote to memory of 3744	2256	csc.exe	cvtres.exe
PID 2256 wrote to memory of 3744	2256	csc.exe	cvtres.exe
PID 1556 wrote to memory of 3040	1556	tmp.exe	hostdl.exe
PID 1556 wrote to memory of 3040	1556	tmp.exe	hostdl.exe
PID 1556 wrote to memory of 3040	1556	tmp.exe	hostdl.exe
PID 624 wrote to memory of 4576	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 4576	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 4576	624	glow esp 11.22.2017.exe	cmd.exe
PID 3040 wrote to memory of 3560	3040	hostdl.exe	defender.exe
PID 3040 wrote to memory of 3560	3040	hostdl.exe	defender.exe
PID 624 wrote to memory of 4080	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 4080	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 4080	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 2696	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 2696	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 2696	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 2948	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 2948	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 2948	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 1704	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 1704	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 1704	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 3848	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 3848	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 3848	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 1988	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 1988	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 1988	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 1800	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 1800	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 1800	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 4948	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 4948	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 4948	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 3008	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 3008	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 3008	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 4784	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 4784	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 4784	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 5064	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 5064	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 5064	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 3748	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 3748	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 3748	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 900	624	glow esp 11.22.2017.exe	cmd.exe
PID 624 wrote to memory of 900	624	glow esp 11.22.2017.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\501079482648396c40bba81e38661c35ff927a8331ce8d4d23e5e5b34b844495.exe
"C:\Users\Admin\AppData\Local\Temp\501079482648396c40bba81e38661c35ff927a8331ce8d4d23e5e5b34b844495.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4848

C:\Users\Admin\AppData\Roaming\1337\244.exe
"C:\Users\Admin\AppData\Roaming\1337\244.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0g1xt1ci\0g1xt1ci.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE999.tmp" "c:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender\CSC32C4F76678514568B047E7DCA267C1.TMP"
5⤵
PID:3744

C:\Users\Admin\AppData\Roaming\Microsoft\Network\Connections\hostdl.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Network\Connections\hostdl.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender\defender.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender\defender.exe"
5⤵
- Executes dropped EXE
PID:3560

C:\Users\Admin\AppData\Roaming\1337\glow esp 11.22.2017.exe
"C:\Users\Admin\AppData\Roaming\1337\glow esp 11.22.2017.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE999.tmp
Filesize
2KB

MD5
6fc7cfd0826a919a9e6462aec231a788

SHA1
e04ee83a87b241f0b3f7d5a2a7836a22d8e5556b

SHA256
859c35c3b3f0826a4842d455d12850dfa43c0d70f3f996988f15b2cf73a247e8

SHA512
00b7fb8e30b8020f356b9c07b872afb91908880dcf2aee206015943a435e43561c227fda98cf585276f8231f6e6b9a090a2c472ea9f2b1ea73071c96db9309eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjD23B.tmp\System.dll
Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
68KB

MD5
7e5fb3372131c3225971f6b0d2e9ec31

SHA1
e0a6b89d8391587743de8cf497f1a3a0ee3b465f

SHA256
22327ce73a390271706ca3967a19c122f812513636c34899d9ea96a34021110e

SHA512
683641de5daba2bc66048402097828ce980f9206457f9a9d8b15a672bab1b375753a3996d9f282aeda105fd124cd3ae41e9c40041625245ae259e4357ca2eee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
68KB

MD5
7e5fb3372131c3225971f6b0d2e9ec31

SHA1
e0a6b89d8391587743de8cf497f1a3a0ee3b465f

SHA256
22327ce73a390271706ca3967a19c122f812513636c34899d9ea96a34021110e

SHA512
683641de5daba2bc66048402097828ce980f9206457f9a9d8b15a672bab1b375753a3996d9f282aeda105fd124cd3ae41e9c40041625245ae259e4357ca2eee9

Download Submit
C:\Users\Admin\AppData\Roaming\1337\244.exe
Filesize
353KB

MD5
3a00a24d7b916aef6d05665e1be7234b

SHA1
0174d689dc55ce67363b91ab77b6908da794703a

SHA256
bd1d3c5b9d76930cc869b7915a75999948939f23996c97864f0900997eb6580b

SHA512
a23c03b18fd708ef18adaf58f6e81d9036c6310342f3a2a812f639018d2e9e51197d27fe5ce6ca995651d47a0c90450e8ab3dc9a74c67a335edd3d9142a6397a

Download Submit
C:\Users\Admin\AppData\Roaming\1337\244.exe
Filesize
353KB

MD5
3a00a24d7b916aef6d05665e1be7234b

SHA1
0174d689dc55ce67363b91ab77b6908da794703a

SHA256
bd1d3c5b9d76930cc869b7915a75999948939f23996c97864f0900997eb6580b

SHA512
a23c03b18fd708ef18adaf58f6e81d9036c6310342f3a2a812f639018d2e9e51197d27fe5ce6ca995651d47a0c90450e8ab3dc9a74c67a335edd3d9142a6397a

Download Submit
C:\Users\Admin\AppData\Roaming\1337\glow esp 11.22.2017.exe
Filesize
2.0MB

MD5
fae7d28753fe215a1f00e89611dce9fd

SHA1
a0fa7f0d3cd9d18bb39fad9f6789cc4c2817c208

SHA256
c4c94851196d7c39ba05a5d59a8c7855ff0471b825e33ae1ddaeab308f6b685a

SHA512
72eecce078b27d450083b3627fc481e4f30a8a544c2ad6c8b9a9fc140bfb3a5b2ce7a9cc7665a1f79d34f9e13256cebe451e67a75c108c289232ca850cf0de21

Download Submit
C:\Users\Admin\AppData\Roaming\1337\glow esp 11.22.2017.exe
Filesize
2.0MB

MD5
fae7d28753fe215a1f00e89611dce9fd

SHA1
a0fa7f0d3cd9d18bb39fad9f6789cc4c2817c208

SHA256
c4c94851196d7c39ba05a5d59a8c7855ff0471b825e33ae1ddaeab308f6b685a

SHA512
72eecce078b27d450083b3627fc481e4f30a8a544c2ad6c8b9a9fc140bfb3a5b2ce7a9cc7665a1f79d34f9e13256cebe451e67a75c108c289232ca850cf0de21

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\Connections\hostdl.exe
Filesize
68KB

MD5
7e5fb3372131c3225971f6b0d2e9ec31

SHA1
e0a6b89d8391587743de8cf497f1a3a0ee3b465f

SHA256
22327ce73a390271706ca3967a19c122f812513636c34899d9ea96a34021110e

SHA512
683641de5daba2bc66048402097828ce980f9206457f9a9d8b15a672bab1b375753a3996d9f282aeda105fd124cd3ae41e9c40041625245ae259e4357ca2eee9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\Connections\hostdl.exe
Filesize
68KB

MD5
7e5fb3372131c3225971f6b0d2e9ec31

SHA1
e0a6b89d8391587743de8cf497f1a3a0ee3b465f

SHA256
22327ce73a390271706ca3967a19c122f812513636c34899d9ea96a34021110e

SHA512
683641de5daba2bc66048402097828ce980f9206457f9a9d8b15a672bab1b375753a3996d9f282aeda105fd124cd3ae41e9c40041625245ae259e4357ca2eee9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender\defender.exe
Filesize
5KB

MD5
d4092522d62cdd411da05745426ccb33

SHA1
cd399f820ed933bd0f629dfb00dd5b822c03afea

SHA256
5b7c32072df4b3a3fb365f5b22ecdac6fba1612f6617ffa17518033c9d496f6c

SHA512
c74dd97551b4f57d86ac23dd133d8065c4f970ae578200ea508f09a07c66b53acec489cf82fb1df476644fb84c064104e315a3e18f78326c234c9bbdc2c9b1b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender\defender.exe
Filesize
5KB

MD5
d4092522d62cdd411da05745426ccb33

SHA1
cd399f820ed933bd0f629dfb00dd5b822c03afea

SHA256
5b7c32072df4b3a3fb365f5b22ecdac6fba1612f6617ffa17518033c9d496f6c

SHA512
c74dd97551b4f57d86ac23dd133d8065c4f970ae578200ea508f09a07c66b53acec489cf82fb1df476644fb84c064104e315a3e18f78326c234c9bbdc2c9b1b8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0g1xt1ci\0g1xt1ci.0.cs
Filesize
2KB

MD5
50180ea27bfbfa0de4ee418f544ee9be

SHA1
67f84234fd2fd617036d1acf2d00a0c49221a5dc

SHA256
5daeda4696563882f8ed740ea3da91e5052629efdb3e2d915df71d04eb3a25f3

SHA512
ff693286018f01438b30016c5cf30130532753fea074f26c64953c8f16d028f109e30efc429826cd8e386540a2c1203cb7a365786ac372c1495c9de3d46f5787

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0g1xt1ci\0g1xt1ci.cmdline
Filesize
222B

MD5
3b7ab6482c01c01bd4359c00dbdd12b2

SHA1
71d8737d28b88aeb209ab826df77082ccba92f48

SHA256
8a24e99a58e0160aa69597cb5885c2d29c5a632a9e621141e85e1907d57a9783

SHA512
c4276834b50e6e26535fceba96f2c80ce3cfa74545c035c921d70ff86effe846e3185923dc2a67368be94297558c7b4af2958473ee2187f47e7a671e4ee96b4e

Download Submit
\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows Defender\CSC32C4F76678514568B047E7DCA267C1.TMP
Filesize
1KB

MD5
69ecb58edcff91274e5bb9f6ca671005

SHA1
8f388093d958b449b9d54bfc8bda4ebc9536c289

SHA256
1dd2dd72f1e180e5b764aac987d96d490d05aedd6c91d2cafd2597120b8c7ac4

SHA512
ff728b090b3a04aeab8362cfef5ee33987e7100c31941f5c54c6557cee93302eb69b4818d55cc101bb2bc743ac8ce7e74bccb501f2bafcc7e3cb3fd410592ee2

Download Submit
memory/112-221-0x0000000000000000-mapping.dmp

Download
memory/456-195-0x0000000000000000-mapping.dmp

Download
memory/624-140-0x00000000003C0000-0x00000000007C9000-memory.dmp

Filesize
4.0MB

Download
memory/624-173-0x00000000003C0000-0x00000000007C9000-memory.dmp

Filesize
4.0MB

Download
memory/624-146-0x00000000003C0000-0x00000000007C9000-memory.dmp

Filesize
4.0MB

Download
memory/624-136-0x0000000000000000-mapping.dmp

Download
memory/628-210-0x0000000000000000-mapping.dmp

Download
memory/900-183-0x0000000000000000-mapping.dmp

Download
memory/956-184-0x0000000000000000-mapping.dmp

Download
memory/1112-208-0x0000000000000000-mapping.dmp

Download
memory/1356-212-0x0000000000000000-mapping.dmp

Download
memory/1556-148-0x00000000052A0000-0x0000000005332000-memory.dmp

Filesize
584KB

Download
memory/1556-143-0x0000000000000000-mapping.dmp

Download
memory/1556-158-0x0000000005340000-0x000000000534A000-memory.dmp

Filesize
40KB

Download
memory/1556-147-0x00000000008B0000-0x00000000008C8000-memory.dmp

Filesize
96KB

Download
memory/1556-157-0x00000000058F0000-0x0000000005E94000-memory.dmp

Filesize
5.6MB

Download
memory/1584-197-0x0000000000000000-mapping.dmp

Download
memory/1704-170-0x0000000000000000-mapping.dmp

Download
memory/1772-199-0x0000000000000000-mapping.dmp

Download
memory/1800-176-0x0000000000000000-mapping.dmp

Download
memory/1836-218-0x0000000000000000-mapping.dmp

Download
memory/1888-202-0x0000000000000000-mapping.dmp

Download
memory/1912-209-0x0000000000000000-mapping.dmp

Download
memory/1988-175-0x0000000000000000-mapping.dmp

Download
memory/2256-149-0x0000000000000000-mapping.dmp

Download
memory/2308-190-0x0000000000000000-mapping.dmp

Download
memory/2336-150-0x0000000000000000-mapping.dmp

Download
memory/2380-196-0x0000000000000000-mapping.dmp

Download
memory/2396-191-0x0000000000000000-mapping.dmp

Download
memory/2404-186-0x0000000000000000-mapping.dmp

Download
memory/2460-189-0x0000000000000000-mapping.dmp

Download
memory/2696-223-0x0000000000000000-mapping.dmp

Download
memory/2696-168-0x0000000000000000-mapping.dmp

Download
memory/2948-169-0x0000000000000000-mapping.dmp

Download
memory/3008-179-0x0000000000000000-mapping.dmp

Download
memory/3036-215-0x0000000000000000-mapping.dmp

Download
memory/3040-159-0x0000000000000000-mapping.dmp

Download
memory/3056-217-0x0000000000000000-mapping.dmp

Download
memory/3124-188-0x0000000000000000-mapping.dmp

Download
memory/3132-193-0x0000000000000000-mapping.dmp

Download
memory/3140-198-0x0000000000000000-mapping.dmp

Download
memory/3152-204-0x0000000000000000-mapping.dmp

Download
memory/3452-185-0x0000000000000000-mapping.dmp

Download
memory/3468-222-0x0000000000000000-mapping.dmp

Download
memory/3560-163-0x0000000000000000-mapping.dmp

Download
memory/3560-167-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/3560-177-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/3560-165-0x0000000000850000-0x0000000000858000-memory.dmp

Filesize
32KB

Download
memory/3664-211-0x0000000000000000-mapping.dmp

Download
memory/3720-219-0x0000000000000000-mapping.dmp

Download
memory/3744-153-0x0000000000000000-mapping.dmp

Download
memory/3748-182-0x0000000000000000-mapping.dmp

Download
memory/3796-225-0x0000000000000000-mapping.dmp

Download
memory/3848-174-0x0000000000000000-mapping.dmp

Download
memory/3992-203-0x0000000000000000-mapping.dmp

Download
memory/4080-166-0x0000000000000000-mapping.dmp

Download
memory/4092-214-0x0000000000000000-mapping.dmp

Download
memory/4120-201-0x0000000000000000-mapping.dmp

Download
memory/4280-192-0x0000000000000000-mapping.dmp

Download
memory/4328-224-0x0000000000000000-mapping.dmp

Download
memory/4376-213-0x0000000000000000-mapping.dmp

Download
memory/4396-207-0x0000000000000000-mapping.dmp

Download
memory/4420-200-0x0000000000000000-mapping.dmp

Download
memory/4576-220-0x0000000000000000-mapping.dmp

Download
memory/4576-162-0x0000000000000000-mapping.dmp

Download
memory/4784-180-0x0000000000000000-mapping.dmp

Download
memory/4824-206-0x0000000000000000-mapping.dmp

Download
memory/4828-171-0x00000000738B0000-0x0000000073E61000-memory.dmp

Filesize
5.7MB

Download
memory/4828-172-0x00000000738B0000-0x0000000073E61000-memory.dmp

Filesize
5.7MB

Download
memory/4828-133-0x0000000000000000-mapping.dmp

Download
memory/4828-139-0x00000000738B0000-0x0000000073E61000-memory.dmp

Filesize
5.7MB

Download
memory/4880-205-0x0000000000000000-mapping.dmp

Download
memory/4948-178-0x0000000000000000-mapping.dmp

Download
memory/4988-187-0x0000000000000000-mapping.dmp

Download
memory/5064-181-0x0000000000000000-mapping.dmp

Download
memory/5100-216-0x0000000000000000-mapping.dmp

Download
memory/5112-194-0x0000000000000000-mapping.dmp

Download