fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
15/08/2023, 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe
Size

1.2MB
MD5

819cebc553434a1b12318d80f63ebd96
SHA1

4209938a74864071e1294f884d62920b332b6285
SHA256

fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659
SHA512

02a4b1a9f1a9bc1774d0d12f2ae3469f9c87000b023844470b8c2341fb1409632d5a5b310d3a2ebbe319a0c4c221ff998ede83728300fce3684562f5d5274b07
SSDEEP

24576:tkTS97PSPQJX6qTquZ0eyKjIGER2+pYhUBQ5suPJVWQn652mOVb6lIUR:tkEXYuCcxQYB5DPvds06aq

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1644	icacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 23 IoCs

Process Discovery

T1057

pid	Process
1156	tasklist.exe
2320	tasklist.exe
1420	tasklist.exe
1060	tasklist.exe
2004	tasklist.exe
388	tasklist.exe
2404	tasklist.exe
2644	tasklist.exe
1240	tasklist.exe
556	tasklist.exe
2120	tasklist.exe
2632	tasklist.exe
1080	tasklist.exe
2608	tasklist.exe
2176	tasklist.exe
1632	tasklist.exe
3028	tasklist.exe
2584	tasklist.exe
880	tasklist.exe
2028	tasklist.exe
2944	tasklist.exe
1560	tasklist.exe
1808	tasklist.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	tasklist.exe
Token: SeDebugPrivilege	2644	tasklist.exe
Token: SeDebugPrivilege	1240	tasklist.exe
Token: SeDebugPrivilege	556	tasklist.exe
Token: SeDebugPrivilege	1156	tasklist.exe
Token: SeDebugPrivilege	1420	tasklist.exe
Token: SeDebugPrivilege	1632	tasklist.exe
Token: SeDebugPrivilege	2944	tasklist.exe
Token: SeDebugPrivilege	3028	tasklist.exe
Token: SeDebugPrivilege	2120	tasklist.exe
Token: SeDebugPrivilege	1060	tasklist.exe
Token: SeDebugPrivilege	1560	tasklist.exe
Token: SeDebugPrivilege	2004	tasklist.exe
Token: SeDebugPrivilege	2632	tasklist.exe
Token: SeDebugPrivilege	1808	tasklist.exe
Token: SeDebugPrivilege	1080	tasklist.exe
Token: SeDebugPrivilege	2608	tasklist.exe
Token: SeDebugPrivilege	388	tasklist.exe
Token: SeDebugPrivilege	2320	tasklist.exe
Token: SeDebugPrivilege	2584	tasklist.exe
Token: SeDebugPrivilege	880	tasklist.exe
Token: SeDebugPrivilege	2404	tasklist.exe
Token: SeDebugPrivilege	2028	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 1952	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	28
PID 2400 wrote to memory of 1952	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	28
PID 2400 wrote to memory of 1952	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	28
PID 2400 wrote to memory of 1952	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	28
PID 1952 wrote to memory of 1644	1952	cmd.exe	30
PID 1952 wrote to memory of 1644	1952	cmd.exe	30
PID 1952 wrote to memory of 1644	1952	cmd.exe	30
PID 1952 wrote to memory of 1644	1952	cmd.exe	30
PID 2400 wrote to memory of 2176	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	31
PID 2400 wrote to memory of 2176	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	31
PID 2400 wrote to memory of 2176	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	31
PID 2400 wrote to memory of 2176	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	31
PID 2400 wrote to memory of 2644	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	34
PID 2400 wrote to memory of 2644	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	34
PID 2400 wrote to memory of 2644	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	34
PID 2400 wrote to memory of 2644	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	34
PID 2400 wrote to memory of 1240	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	36
PID 2400 wrote to memory of 1240	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	36
PID 2400 wrote to memory of 1240	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	36
PID 2400 wrote to memory of 1240	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	36
PID 2400 wrote to memory of 556	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	40
PID 2400 wrote to memory of 556	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	40
PID 2400 wrote to memory of 556	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	40
PID 2400 wrote to memory of 556	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	40
PID 2400 wrote to memory of 1156	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	42
PID 2400 wrote to memory of 1156	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	42
PID 2400 wrote to memory of 1156	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	42
PID 2400 wrote to memory of 1156	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	42
PID 2400 wrote to memory of 1420	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	44
PID 2400 wrote to memory of 1420	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	44
PID 2400 wrote to memory of 1420	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	44
PID 2400 wrote to memory of 1420	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	44
PID 2400 wrote to memory of 1632	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	46
PID 2400 wrote to memory of 1632	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	46
PID 2400 wrote to memory of 1632	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	46
PID 2400 wrote to memory of 1632	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	46
PID 2400 wrote to memory of 2944	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	48
PID 2400 wrote to memory of 2944	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	48
PID 2400 wrote to memory of 2944	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	48
PID 2400 wrote to memory of 2944	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	48
PID 2400 wrote to memory of 3028	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	50
PID 2400 wrote to memory of 3028	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	50
PID 2400 wrote to memory of 3028	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	50
PID 2400 wrote to memory of 3028	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	50
PID 2400 wrote to memory of 2120	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	52
PID 2400 wrote to memory of 2120	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	52
PID 2400 wrote to memory of 2120	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	52
PID 2400 wrote to memory of 2120	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	52
PID 2400 wrote to memory of 1060	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	54
PID 2400 wrote to memory of 1060	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	54
PID 2400 wrote to memory of 1060	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	54
PID 2400 wrote to memory of 1060	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	54
PID 2400 wrote to memory of 1560	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	56
PID 2400 wrote to memory of 1560	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	56
PID 2400 wrote to memory of 1560	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	56
PID 2400 wrote to memory of 1560	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	56
PID 2400 wrote to memory of 2004	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	58
PID 2400 wrote to memory of 2004	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	58
PID 2400 wrote to memory of 2004	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	58
PID 2400 wrote to memory of 2004	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	58
PID 2400 wrote to memory of 2632	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	60
PID 2400 wrote to memory of 2632	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	60
PID 2400 wrote to memory of 2632	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	60
PID 2400 wrote to memory of 2632	2400	fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe	60

C:\Users\Admin\AppData\Local\Temp\fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\fe96c32ee5e4a68691e1cca8b1898bd2376d592bc4e7e7330e1e91fde4a96659exe_JC.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /C icacls system_file.exe /setintegritylevel high
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\icacls.exe
    icacls system_file.exe /setintegritylevel high
    3⤵
    - Modifies file permissions
    PID:1644
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1240
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:556
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:388
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:880
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system_file.exe

Filesize
215KB

MD5
ab8005a639986338c3e8ba55cb7dfe6e

SHA1
be03dd0851eb84386145222595cfd942d81dbe6f

SHA256
7d9c3fd77a05d0b6eea87e3efd51d521487390e4c8b1bfad373a5c0c72f27ec9

SHA512
72e5f871fdf9fef05772f5a86e40b3b181194875f0420bf8daf9b8614e2b0974c55ad991bc0b26d6485f4ade0483a54b418eed840d42e1253b98ffe3202c3a4e

Download Submit
memory/2400-56-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/2400-58-0x0000000000320000-0x0000000000464000-memory.dmp

Filesize
1.3MB

Download
memory/2400-59-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/2400-62-0x0000000000320000-0x0000000000464000-memory.dmp

Filesize
1.3MB

Download
memory/2400-64-0x0000000000320000-0x0000000000464000-memory.dmp

Filesize
1.3MB

Download
memory/2400-68-0x0000000000320000-0x0000000000464000-memory.dmp

Filesize
1.3MB

Download
memory/2400-72-0x0000000000320000-0x0000000000464000-memory.dmp

Filesize
1.3MB

Download
memory/2400-75-0x0000000000320000-0x0000000000464000-memory.dmp

Filesize
1.3MB

Download
memory/2400-78-0x0000000000320000-0x0000000000464000-memory.dmp

Filesize
1.3MB

Download
memory/2400-80-0x0000000000320000-0x0000000000464000-memory.dmp

Filesize
1.3MB

Download
memory/2400-85-0x0000000000320000-0x0000000000464000-memory.dmp

Filesize
1.3MB

Download
memory/2400-93-0x0000000000320000-0x0000000000464000-memory.dmp

Filesize
1.3MB

Download
memory/2400-97-0x0000000000320000-0x0000000000464000-memory.dmp

Filesize
1.3MB

Download
memory/2400-101-0x0000000000320000-0x0000000000464000-memory.dmp

Filesize
1.3MB

Download
memory/2400-105-0x0000000000320000-0x0000000000464000-memory.dmp

Filesize
1.3MB

Download
memory/2400-110-0x0000000000320000-0x0000000000464000-memory.dmp

Filesize
1.3MB

Download