8a26a1fc78612804d10ea95435bb65205075a183f0598c41c11867d65d68086d

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2023, 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6986def88d46e71b55b9fc11c3febc2.exe
Size

3.6MB
MD5

f6986def88d46e71b55b9fc11c3febc2
SHA1

8e39145d463282a0b6d7c7631d8bdedecf60b905
SHA256

8a26a1fc78612804d10ea95435bb65205075a183f0598c41c11867d65d68086d
SHA512

cc550a7846eea571ed4f4c47421efe0c92295015d4a53853e35a28f41899e6ca561581263d88f1ca97744b1914a3d1b9fc7d360e9bb14ed050dfe75a5d991bdb
SSDEEP

98304:WezkIB1fuzYzgNTDcnmb8O+mUaolFLOAkGkzdnEVomFHKnPRU:WoPmb8O+mUaolFLOyomFHKnPRU

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 24 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	f6986def88d46e71b55b9fc11c3febc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	f6986def88d46e71b55b9fc11c3febc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	f6986def88d46e71b55b9fc11c3febc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	f6986def88d46e71b55b9fc11c3febc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	f6986def88d46e71b55b9fc11c3febc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	f6986def88d46e71b55b9fc11c3febc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	f6986def88d46e71b55b9fc11c3febc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	f6986def88d46e71b55b9fc11c3febc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	f6986def88d46e71b55b9fc11c3febc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	f6986def88d46e71b55b9fc11c3febc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	f6986def88d46e71b55b9fc11c3febc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	f6986def88d46e71b55b9fc11c3febc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	f6986def88d46e71b55b9fc11c3febc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	f6986def88d46e71b55b9fc11c3febc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	f6986def88d46e71b55b9fc11c3febc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	f6986def88d46e71b55b9fc11c3febc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	f6986def88d46e71b55b9fc11c3febc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	f6986def88d46e71b55b9fc11c3febc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	f6986def88d46e71b55b9fc11c3febc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	f6986def88d46e71b55b9fc11c3febc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	f6986def88d46e71b55b9fc11c3febc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	f6986def88d46e71b55b9fc11c3febc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	f6986def88d46e71b55b9fc11c3febc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	f6986def88d46e71b55b9fc11c3febc2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
3832	f6986def88d46e71b55b9fc11c3febc2.exe
3832	f6986def88d46e71b55b9fc11c3febc2.exe
2836	f6986def88d46e71b55b9fc11c3febc2.exe
2836	f6986def88d46e71b55b9fc11c3febc2.exe
336	f6986def88d46e71b55b9fc11c3febc2.exe
336	f6986def88d46e71b55b9fc11c3febc2.exe
4728	f6986def88d46e71b55b9fc11c3febc2.exe
4728	f6986def88d46e71b55b9fc11c3febc2.exe
1100	f6986def88d46e71b55b9fc11c3febc2.exe
1100	f6986def88d46e71b55b9fc11c3febc2.exe
2580	f6986def88d46e71b55b9fc11c3febc2.exe
2580	f6986def88d46e71b55b9fc11c3febc2.exe
1860	f6986def88d46e71b55b9fc11c3febc2.exe
1860	f6986def88d46e71b55b9fc11c3febc2.exe
972	f6986def88d46e71b55b9fc11c3febc2.exe
972	f6986def88d46e71b55b9fc11c3febc2.exe
3168	f6986def88d46e71b55b9fc11c3febc2.exe
3168	f6986def88d46e71b55b9fc11c3febc2.exe
4368	f6986def88d46e71b55b9fc11c3febc2.exe
4368	f6986def88d46e71b55b9fc11c3febc2.exe
3816	f6986def88d46e71b55b9fc11c3febc2.exe
3816	f6986def88d46e71b55b9fc11c3febc2.exe
2536	f6986def88d46e71b55b9fc11c3febc2.exe
2536	f6986def88d46e71b55b9fc11c3febc2.exe
552	f6986def88d46e71b55b9fc11c3febc2.exe
552	f6986def88d46e71b55b9fc11c3febc2.exe
3316	f6986def88d46e71b55b9fc11c3febc2.exe
3316	f6986def88d46e71b55b9fc11c3febc2.exe
916	f6986def88d46e71b55b9fc11c3febc2.exe
916	f6986def88d46e71b55b9fc11c3febc2.exe
4308	f6986def88d46e71b55b9fc11c3febc2.exe
4308	f6986def88d46e71b55b9fc11c3febc2.exe
2436	f6986def88d46e71b55b9fc11c3febc2.exe
2436	f6986def88d46e71b55b9fc11c3febc2.exe
656	f6986def88d46e71b55b9fc11c3febc2.exe
656	f6986def88d46e71b55b9fc11c3febc2.exe
4000	f6986def88d46e71b55b9fc11c3febc2.exe
4000	f6986def88d46e71b55b9fc11c3febc2.exe
1948	f6986def88d46e71b55b9fc11c3febc2.exe
1948	f6986def88d46e71b55b9fc11c3febc2.exe
4424	f6986def88d46e71b55b9fc11c3febc2.exe
4424	f6986def88d46e71b55b9fc11c3febc2.exe
4612	f6986def88d46e71b55b9fc11c3febc2.exe
4612	f6986def88d46e71b55b9fc11c3febc2.exe
3852	f6986def88d46e71b55b9fc11c3febc2.exe
3852	f6986def88d46e71b55b9fc11c3febc2.exe
4396	f6986def88d46e71b55b9fc11c3febc2.exe
4396	f6986def88d46e71b55b9fc11c3febc2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 2836	3832	f6986def88d46e71b55b9fc11c3febc2.exe	90
PID 3832 wrote to memory of 2836	3832	f6986def88d46e71b55b9fc11c3febc2.exe	90
PID 3832 wrote to memory of 2836	3832	f6986def88d46e71b55b9fc11c3febc2.exe	90
PID 2836 wrote to memory of 336	2836	f6986def88d46e71b55b9fc11c3febc2.exe	92
PID 2836 wrote to memory of 336	2836	f6986def88d46e71b55b9fc11c3febc2.exe	92
PID 2836 wrote to memory of 336	2836	f6986def88d46e71b55b9fc11c3febc2.exe	92
PID 336 wrote to memory of 4728	336	f6986def88d46e71b55b9fc11c3febc2.exe	93
PID 336 wrote to memory of 4728	336	f6986def88d46e71b55b9fc11c3febc2.exe	93
PID 336 wrote to memory of 4728	336	f6986def88d46e71b55b9fc11c3febc2.exe	93
PID 4728 wrote to memory of 1100	4728	f6986def88d46e71b55b9fc11c3febc2.exe	94
PID 4728 wrote to memory of 1100	4728	f6986def88d46e71b55b9fc11c3febc2.exe	94
PID 4728 wrote to memory of 1100	4728	f6986def88d46e71b55b9fc11c3febc2.exe	94
PID 1100 wrote to memory of 2580	1100	f6986def88d46e71b55b9fc11c3febc2.exe	97
PID 1100 wrote to memory of 2580	1100	f6986def88d46e71b55b9fc11c3febc2.exe	97
PID 1100 wrote to memory of 2580	1100	f6986def88d46e71b55b9fc11c3febc2.exe	97
PID 2580 wrote to memory of 1860	2580	f6986def88d46e71b55b9fc11c3febc2.exe	98
PID 2580 wrote to memory of 1860	2580	f6986def88d46e71b55b9fc11c3febc2.exe	98
PID 2580 wrote to memory of 1860	2580	f6986def88d46e71b55b9fc11c3febc2.exe	98
PID 1860 wrote to memory of 972	1860	f6986def88d46e71b55b9fc11c3febc2.exe	100
PID 1860 wrote to memory of 972	1860	f6986def88d46e71b55b9fc11c3febc2.exe	100
PID 1860 wrote to memory of 972	1860	f6986def88d46e71b55b9fc11c3febc2.exe	100
PID 972 wrote to memory of 3168	972	f6986def88d46e71b55b9fc11c3febc2.exe	101
PID 972 wrote to memory of 3168	972	f6986def88d46e71b55b9fc11c3febc2.exe	101
PID 972 wrote to memory of 3168	972	f6986def88d46e71b55b9fc11c3febc2.exe	101
PID 3168 wrote to memory of 4368	3168	f6986def88d46e71b55b9fc11c3febc2.exe	102
PID 3168 wrote to memory of 4368	3168	f6986def88d46e71b55b9fc11c3febc2.exe	102
PID 3168 wrote to memory of 4368	3168	f6986def88d46e71b55b9fc11c3febc2.exe	102
PID 4368 wrote to memory of 3816	4368	f6986def88d46e71b55b9fc11c3febc2.exe	103
PID 4368 wrote to memory of 3816	4368	f6986def88d46e71b55b9fc11c3febc2.exe	103
PID 4368 wrote to memory of 3816	4368	f6986def88d46e71b55b9fc11c3febc2.exe	103
PID 3816 wrote to memory of 2536	3816	f6986def88d46e71b55b9fc11c3febc2.exe	104
PID 3816 wrote to memory of 2536	3816	f6986def88d46e71b55b9fc11c3febc2.exe	104
PID 3816 wrote to memory of 2536	3816	f6986def88d46e71b55b9fc11c3febc2.exe	104
PID 2536 wrote to memory of 552	2536	f6986def88d46e71b55b9fc11c3febc2.exe	105
PID 2536 wrote to memory of 552	2536	f6986def88d46e71b55b9fc11c3febc2.exe	105
PID 2536 wrote to memory of 552	2536	f6986def88d46e71b55b9fc11c3febc2.exe	105
PID 552 wrote to memory of 3316	552	f6986def88d46e71b55b9fc11c3febc2.exe	106
PID 552 wrote to memory of 3316	552	f6986def88d46e71b55b9fc11c3febc2.exe	106
PID 552 wrote to memory of 3316	552	f6986def88d46e71b55b9fc11c3febc2.exe	106
PID 3316 wrote to memory of 1560	3316	f6986def88d46e71b55b9fc11c3febc2.exe	107
PID 3316 wrote to memory of 1560	3316	f6986def88d46e71b55b9fc11c3febc2.exe	107
PID 3316 wrote to memory of 1560	3316	f6986def88d46e71b55b9fc11c3febc2.exe	107
PID 916 wrote to memory of 4308	916	f6986def88d46e71b55b9fc11c3febc2.exe	109
PID 916 wrote to memory of 4308	916	f6986def88d46e71b55b9fc11c3febc2.exe	109
PID 916 wrote to memory of 4308	916	f6986def88d46e71b55b9fc11c3febc2.exe	109
PID 4308 wrote to memory of 2436	4308	f6986def88d46e71b55b9fc11c3febc2.exe	110
PID 4308 wrote to memory of 2436	4308	f6986def88d46e71b55b9fc11c3febc2.exe	110
PID 4308 wrote to memory of 2436	4308	f6986def88d46e71b55b9fc11c3febc2.exe	110
PID 2436 wrote to memory of 656	2436	f6986def88d46e71b55b9fc11c3febc2.exe	111
PID 2436 wrote to memory of 656	2436	f6986def88d46e71b55b9fc11c3febc2.exe	111
PID 2436 wrote to memory of 656	2436	f6986def88d46e71b55b9fc11c3febc2.exe	111
PID 656 wrote to memory of 4000	656	f6986def88d46e71b55b9fc11c3febc2.exe	112
PID 656 wrote to memory of 4000	656	f6986def88d46e71b55b9fc11c3febc2.exe	112
PID 656 wrote to memory of 4000	656	f6986def88d46e71b55b9fc11c3febc2.exe	112
PID 4000 wrote to memory of 1948	4000	f6986def88d46e71b55b9fc11c3febc2.exe	113
PID 4000 wrote to memory of 1948	4000	f6986def88d46e71b55b9fc11c3febc2.exe	113
PID 4000 wrote to memory of 1948	4000	f6986def88d46e71b55b9fc11c3febc2.exe	113
PID 1948 wrote to memory of 4424	1948	f6986def88d46e71b55b9fc11c3febc2.exe	114
PID 1948 wrote to memory of 4424	1948	f6986def88d46e71b55b9fc11c3febc2.exe	114
PID 1948 wrote to memory of 4424	1948	f6986def88d46e71b55b9fc11c3febc2.exe	114
PID 4424 wrote to memory of 4612	4424	f6986def88d46e71b55b9fc11c3febc2.exe	115
PID 4424 wrote to memory of 4612	4424	f6986def88d46e71b55b9fc11c3febc2.exe	115
PID 4424 wrote to memory of 4612	4424	f6986def88d46e71b55b9fc11c3febc2.exe	115
PID 4612 wrote to memory of 3852	4612	f6986def88d46e71b55b9fc11c3febc2.exe	116

C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe
"C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe
  "C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe
    "C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:336
  - - C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe
      "C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe"
      4⤵
      Checks computer location settings
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4728
    - - C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe"
        5⤵
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1100
      - C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe"
        6⤵
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe"
        7⤵
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe"
        8⤵
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe"
        9⤵
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe"
        10⤵
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe"
        11⤵
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe"
        12⤵
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe"
        13⤵
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe"
        14⤵
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe"
        15⤵
        Checks computer location settings
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe"
        16⤵
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe"
        17⤵
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe"
        18⤵
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe"
        19⤵
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe"
        20⤵
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe"
        21⤵
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe"
        22⤵
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe"
        23⤵
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe"
        24⤵
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f6986def88d46e71b55b9fc11c3febc2.exe"
        25⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...