Analysis

max time kernel: 89s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/12/2023, 16:23
Static task: static1
Behavioral task: behavioral1
Sample: 05808496c9bf9e8b1c0e4e6265144956.exe
Resource: win7-20231215-en
General

Target: 05808496c9bf9e8b1c0e4e6265144956.exe
Size: 302KB
MD5: 05808496c9bf9e8b1c0e4e6265144956
SHA1: f05fbe53340e1a50010ee103d01ff0fdc33e9994
SHA256: 5b660d658e17bb28ec76238132c288763aff7f2a5a27ef1d1413e92d6c0fd929
SHA512: 251f6cf607792f6b11c06957829c9481fa3034279e363fe284d28ccb4d41ac97e6147c462c93cd76e5d444549f79bcf66460b90576db1ea008ff764ed8f5bbbc
SSDEEP: 6144:MVQO8uZUE4ejDglO3P8cm07QfWP1iObtkzgZ6Pa3i4MXU:lUjJIkP8uUcrHZ6e
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only); process: 05808496c9bf9e8b1c0e4e6265144956.exe (all rows)
  ioc: \??\Q:, \??\S:, \??\T:, \??\H:, \??\I:, \??\J:, \??\L:, \??\O:, \??\V:, \??\W:, \??\Y:, \??\G:, \??\N:, \??\U:, \??\K:, \??\M:, \??\P:, \??\X:, \??\Z:, \??\E:, \??\R:
- Drops file in System32 directory (27 IoCs)
  process: 05808496c9bf9e8b1c0e4e6265144956.exe (all rows)
  description | ioc
  File opened for modification | \??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe
  File opened for modification | \??\c:\windows\SysWOW64\wbengine.exe
  File opened for modification | \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe
  File opened for modification | \??\c:\windows\SysWOW64\svchost.exe
  File opened for modification | \??\c:\windows\SysWOW64\lsass.exe
  File opened for modification | \??\c:\windows\SysWOW64\fxssvc.exe
  File opened for modification | \??\c:\windows\SysWOW64\spectrum.exe
  File opened for modification | \??\c:\windows\SysWOW64\snmptrap.exe
  File opened for modification | \??\c:\windows\SysWOW64\Agentservice.exe
  File opened for modification | \??\c:\windows\SysWOW64\alg.exe
  File opened for modification | \??\c:\windows\SysWOW64\msdtc.exe
  File opened for modification | \??\c:\windows\SysWOW64\perfhost.exe
  File opened for modification | \??\c:\windows\SysWOW64\tieringengineservice.exe
  File opened for modification | \??\c:\windows\SysWOW64\vds.exe
  File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.vir
  File opened for modification | \??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe
  File opened for modification | \??\c:\windows\SysWOW64\sensordataservice.exe
  File opened for modification | \??\c:\windows\SysWOW64\locator.exe
  File opened for modification | \??\c:\windows\SysWOW64\vssvc.exe
  File opened for modification | \??\c:\windows\SysWOW64\searchindexer.exe
  File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  File opened for modification | \??\c:\windows\SysWOW64\Appvclient.exe
  File opened for modification | \??\c:\windows\SysWOW64\dllhost.exe
  File created | \??\c:\windows\SysWOW64\msiexec.vir
  File opened for modification | \??\c:\windows\SysWOW64\sgrmbroker.exe
  File opened for modification | \??\c:\windows\SysWOW64\openssh\ssh-agent.exe
  File opened for modification | \??\c:\windows\SysWOW64\msiexec.exe
- Drops file in Program Files directory (64 IoCs)
  process: 05808496c9bf9e8b1c0e4e6265144956.exe (all rows)
  description | ioc
  File opened for modification | \??\c:\program files\common files\microsoft shared\source engine\ose.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe
  File opened for modification | C:\Program Files\7-Zip\7z.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe
  File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe
  File opened for modification | \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe
  File opened for modification | \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe
  File opened for modification | \??\c:\program files\windows media player\wmpnetwk.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe
  File opened for modification | \??\c:\program files (x86)\google\update\googleupdate.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe
  File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.vir
  File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe
  File opened for modification | \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe
  File opened for modification | C:\Program Files\7-Zip\7zFM.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe
  File opened for modification | C:\Program Files\dotnet\dotnet.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe
  File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\createdump.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
  File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe
- Drops file in Windows directory (2 IoCs)
  process: 05808496c9bf9e8b1c0e4e6265144956.exe (all rows)
  description | ioc
  File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe
  File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  1620 | 05808496c9bf9e8b1c0e4e6265144956.exe (64 identical rows)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeTakeOwnershipPrivilege | 1620 | 05808496c9bf9e8b1c0e4e6265144956.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid | process
  1620 | 05808496c9bf9e8b1c0e4e6265144956.exe (64 identical rows)
- Suspicious use of SendNotifyMessage (64 IoCs)
  pid | process
  1620 | 05808496c9bf9e8b1c0e4e6265144956.exe (64 identical rows)
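The file IoC tables above are the part of this report worth reading closely. The sample enables SeTakeOwnershipPrivilege (the right that lets a process take ownership of an object regardless of its DACL, which is the step needed before a TrustedInstaller-owned binary under SysWOW64 or Program Files can be rewritten), opens dozens of executables in those directories for modification, and creates `.vir` files beside three of them (powershell.vir, msiexec.vir, MavInject32.vir). Pairing each `.vir` creation with an `.exe` of the same name that was opened for modification in the same directory is the check a triager wants, and the report does not do it. The Python below is an added example, not tria.ge code: it parses rows in the flattened "description ioc process" form shown on this page, normalises the `\??\` device-path prefix and case so that the sandbox's two spellings of the same path compare equal, groups write actions by protected directory the way the "Drops file in ..." signatures do, and pairs `.vir` files with their executables. `SAMPLE_ROWS` is a constructed subset of the report's own rows. What the `.vir` files contain is not established by the report; the pairing only shows which executables they sit beside.

```python
"""Triage helper for tria.ge-style file IoC rows (added example, not tria.ge code).

Rows arrive flattened as "<description> <path> <process>". The path may contain
spaces but the process name does not, so the regex takes the last
whitespace-free token as the process and everything before it as the path.
"""
import ntpath
import re
from collections import Counter, namedtuple

IocRow = namedtuple("IocRow", "action path process")

# Constructed input: a subset of the rows listed in the Signatures section,
# copied in the flattened form the page shows.
SAMPLE_ROWS = r"""
File opened (read-only) \??\Q: 05808496c9bf9e8b1c0e4e6265144956.exe
File opened (read-only) \??\E: 05808496c9bf9e8b1c0e4e6265144956.exe
File opened for modification \??\c:\windows\SysWOW64\lsass.exe 05808496c9bf9e8b1c0e4e6265144956.exe
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.vir 05808496c9bf9e8b1c0e4e6265144956.exe
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 05808496c9bf9e8b1c0e4e6265144956.exe
File created \??\c:\windows\SysWOW64\msiexec.vir 05808496c9bf9e8b1c0e4e6265144956.exe
File opened for modification \??\c:\windows\SysWOW64\msiexec.exe 05808496c9bf9e8b1c0e4e6265144956.exe
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.vir 05808496c9bf9e8b1c0e4e6265144956.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe 05808496c9bf9e8b1c0e4e6265144956.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe 05808496c9bf9e8b1c0e4e6265144956.exe
"""

ROW_RE = re.compile(
    r"^(File opened \(read-only\)|File opened for modification|File created) (.+) (\S+)$"
)
WRITE_ACTIONS = {"File opened for modification", "File created"}
PREFIX = "\\??\\"  # NT object-manager prefix as the sandbox prints it


def normalize(path):
    """Strip the \\??\\ prefix and fold case so the sandbox's two spellings of
    one path (device-path lowercase vs. drive-letter mixed case) compare equal."""
    if path.startswith(PREFIX):
        path = path[len(PREFIX):]
    return path.lower()


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised IoC row: {line!r}")
        action, path, process = m.groups()
        rows.append(IocRow(action, normalize(path), process))
    return rows


def enumerated_drives(rows):
    """Drive roots opened read-only, excluding the system drive (the report's
    'Enumerates connected drives' signature)."""
    return sorted(
        r.path for r in rows
        if r.action == "File opened (read-only)"
        and re.fullmatch(r"[a-z]:", r.path) and r.path != "c:"
    )


def classify(path):
    """Bucket a normalised path the way the 'Drops file in ...' signatures do."""
    if path.startswith(("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")):
        return "System32"
    if path.startswith(("c:\\program files\\", "c:\\program files (x86)\\")):
        return "Program Files"
    if path.startswith("c:\\windows\\"):
        return "Windows"
    return "other"


def write_counts_by_directory(rows):
    """Count write actions (open-for-modification and create) per bucket."""
    return dict(Counter(classify(r.path) for r in rows if r.action in WRITE_ACTIONS))


def modified_executables(rows):
    return {r.path for r in rows
            if r.action == "File opened for modification" and r.path.endswith(".exe")}


def vir_pairs(rows):
    """Map each created '.vir' file to the '.exe' of the same name in the same
    directory that was also opened for modification, or None if the rows show
    no such open."""
    modified = modified_executables(rows)
    pairs = {}
    for r in rows:
        if r.action == "File created" and r.path.endswith(".vir"):
            stem, _ = ntpath.splitext(r.path)
            exe = stem + ".exe"
            pairs[r.path] = exe if exe in modified else None
    return pairs


def triage(text):
    rows = parse_rows(text)
    pairs = vir_pairs(rows)
    return {
        "drives": enumerated_drives(rows),
        "writes_by_dir": write_counts_by_directory(rows),
        "modified_exes": len(modified_executables(rows)),
        "vir_paired": sorted(k for k, v in pairs.items() if v),
        "vir_unpaired": sorted(k for k, v in pairs.items() if not v),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

Running `triage` over the full tables on this page (paste them in the same flattened form) gives the three `.vir` pairings plus every `.exe` the sample touched but did not back up; an unpaired `.vir` would mean the report's 64-row display cut off the matching open, so re-check the raw task output before concluding anything from its absence.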
Processes
- C:\Users\Admin\AppData\Local\Temp\05808496c9bf9e8b1c0e4e6265144956.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\05808496c9bf9e8b1c0e4e6265144956.exe"
  PID: 1620
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 69KB
  MD5: 5e7c8e49d038330ef0e0070f14347cce
  SHA1: 7ad1111003e69e71b6e134000dc336c3ae87956b
  SHA256: 6417f8235c2419e576d0e8f673d14a59f8799d910854e263bb1767341917104f
  SHA512: 2dd66fe42af36e1e5201855bc286565afa34bc1625e39c12515e457b905707f20da46f287dfa1f224a41f4caef3575fa8b8fe5294f8bbb8c752e82a89954c225
- Filesize: 222KB
  MD5: 9e7f8f2ae99b61f3ad0a7b9c1f049da7
  SHA1: f475cfd7e790211a016ccf3b4101e66124d1fdab
  SHA256: ee22c0f3d18de669ad5b19c6befcb6b7aaac63667b85dae6a28bc5a8c2cd9073
  SHA512: e505eabf29fdf3bcdb58cb179b664dba2394c562885a566fe8b9e0af89e825798c7a55c8aa8b63e54907f5aa0952cf03b5134779280a5982f4a7bfe7419bea2e
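The two files under Downloads are the artifacts captured from this run, and their digests are the most portable thing to take from the page. The Python below is an added example, not tria.ge code: it carries those digests as an IOC set, hashes every file in a directory tree in a single chunked pass, records which algorithm produced each hit, and confirms a candidate only when every digest the report lists agrees (an MD5 match on its own should not be treated as identification, since MD5 collisions are practical). The demo tree and its "dropped" file are constructed fixtures so the code runs offline; nothing here fetches the real samples, and the local IOC set used by `demo()` is derived from the fixture's own hash.

```python
"""Hash-based hunt for the files listed in the report's Downloads section
(added example, not tria.ge code)."""
import hashlib
import os
import tempfile

# Digests copied from the Downloads section above. Sets are kept per algorithm
# so a hit records which digest matched.
DOWNLOAD_IOCS = {
    "md5": {
        "5e7c8e49d038330ef0e0070f14347cce",
        "9e7f8f2ae99b61f3ad0a7b9c1f049da7",
    },
    "sha256": {
        "6417f8235c2419e576d0e8f673d14a59f8799d910854e263bb1767341917104f",
        "ee22c0f3d18de669ad5b19c6befcb6b7aaac63667b85dae6a28bc5a8c2cd9073",
    },
}


def digests(path, algos=("md5", "sha1", "sha256", "sha512"), chunk=1 << 20):
    """Compute several digests in one pass; reads in chunks so large files do
    not need to fit in memory."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scan_tree(root, iocs):
    """Walk 'root' and return (path, algorithm, digest) for every file whose
    digest appears in the IOC set for that algorithm."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                d = digests(path, algos=tuple(iocs))
            except OSError:
                continue  # unreadable or vanished file: skip it, keep hunting
            for algo, value in d.items():
                if value in iocs[algo]:
                    hits.append((path, algo, value))
    return hits


def confirm(path, entry):
    """Check a candidate file against one report entry (algorithm -> hex digest).
    Returns (confirmed, matching_algorithms). Confirmation requires every
    listed digest to agree; an MD5 match alone is not proof of identity."""
    d = digests(path, algos=tuple(entry))
    matching = {a for a, v in entry.items() if d[a] == v.lower()}
    return matching == set(entry), matching


def build_demo_tree():
    """Constructed fixture: a temp directory holding one made-up 'dropped'
    file and one benign file. Returns (root, path_of_dropped_file)."""
    root = tempfile.mkdtemp(prefix="ioc_hunt_")
    hot = os.path.join(root, "Temp", "dropped.bin")
    os.makedirs(os.path.dirname(hot))
    with open(hot, "wb") as f:
        f.write(b"constructed payload\x00" * 4096)
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("benign\n")
    return root, hot


def demo():
    """Scan the fixture with the report's MD5 set plus the fixture file's own
    SHA-256, so exactly one hit is expected. Returns (hits, dropped_path)."""
    root, hot = build_demo_tree()
    local_iocs = {"md5": set(DOWNLOAD_IOCS["md5"]), "sha256": {digests(hot)["sha256"]}}
    return scan_tree(root, local_iocs), hot


if __name__ == "__main__":
    for hit in demo()[0]:
        print(hit)
```

To hunt for the real artifacts, call `scan_tree("<directory>", DOWNLOAD_IOCS)` and then `confirm(path, entry)` with the full four-digest entry from the Downloads section for any hit; a file that matches on SHA-256 and SHA-512 but not on MD5 would indicate a transcription error in one of the values rather than a different file.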