8aea737cd72c75948220d629b4bcbb3a230df7f76e0d5faca2e7ee014e43260d

Analysis

max time kernel
69s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d30329bea26a94c7533e6a15fd68f67.exe
Size

190KB
MD5

1d30329bea26a94c7533e6a15fd68f67
SHA1

72545848045ce62f372772e8f300c434617cc4f1
SHA256

8aea737cd72c75948220d629b4bcbb3a230df7f76e0d5faca2e7ee014e43260d
SHA512

b404290c5c8387477af7f19faeaa9df465b34e6fa367454a949e2aa89a028bd3085c5367e2058ca5e57f36161d53c13859fccac5e748addd2e23b3e66a0da622
SSDEEP

3072:r/na6WDmrZ5Cn79xvlr2xmOJ5wUuWXcfb0hw7IACb873684yVcx566/zn8VT8I2Z:r/nuDm9knmhJ4/sMLuO6/zuij9

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	1d30329bea26a94c7533e6a15fd68f67.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	1d30329bea26a94c7533e6a15fd68f67.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	1d30329bea26a94c7533e6a15fd68f67.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	1d30329bea26a94c7533e6a15fd68f67.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	1d30329bea26a94c7533e6a15fd68f67.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	1d30329bea26a94c7533e6a15fd68f67.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	1d30329bea26a94c7533e6a15fd68f67.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	1d30329bea26a94c7533e6a15fd68f67.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	1d30329bea26a94c7533e6a15fd68f67.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	1d30329bea26a94c7533e6a15fd68f67.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	1d30329bea26a94c7533e6a15fd68f67.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	1d30329bea26a94c7533e6a15fd68f67.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	1d30329bea26a94c7533e6a15fd68f67.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	1d30329bea26a94c7533e6a15fd68f67.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	1d30329bea26a94c7533e6a15fd68f67.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	1d30329bea26a94c7533e6a15fd68f67.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	1d30329bea26a94c7533e6a15fd68f67.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	1d30329bea26a94c7533e6a15fd68f67.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	1d30329bea26a94c7533e6a15fd68f67.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	1d30329bea26a94c7533e6a15fd68f67.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	1d30329bea26a94c7533e6a15fd68f67.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	1d30329bea26a94c7533e6a15fd68f67.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\InitPropertyBag\Param2 = "%ProgramFiles(x86)%\\Internet Explorer\\iexplore.exe"	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\InitPropertyBag\method = "ShellExecute"	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\InitPropertyBag\Param1 = "http://%77%77%77%2e%37%34%30%30%2e%6e%65%74"	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\InitPropertyBag\Param2 = "%ProgramFiles(x86)%\\Internet Explorer\\iexplore.exe"	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\shellex\MayChangeDefaultMenu	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\CLSID = "{3f454f0e-42ae-4d7c-8ea3-328250d6e272}"	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\InitPropertyBag\command = "´ò¿ªÖ÷Ò³"	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shdocvw.dll"	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\InitPropertyBag	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\InitPropertyBag\Param2 = "%ProgramFiles(x86)%\\Internet Explorer\\iexplore.exe"	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\InProcServer32\ThreadingModel = "Apartment"	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\shellex\MayChangeDefaultMenu	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\shellex\MayChangeDefaultMenu\	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\InitPropertyBag\command = "´ò¿ªÖ÷Ò³"	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\InitPropertyBag\CLSID = "{13709620-C279-11CE-A49E-444553540000}"	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\InitPropertyBag\command = "´ò¿ªÖ÷Ò³"	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\shellex\MayChangeDefaultMenu\	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex\ContextMenuHandlers\ieframe	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers\ieframe	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\shellex\MayChangeDefaultMenu\	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\shellex\MayChangeDefaultMenu	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\InitPropertyBag	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\CLSID = "{3f454f0e-42ae-4d7c-8ea3-328250d6e272}"	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shdocvw.dll"	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\InitPropertyBag\CLSID = "{13709620-C279-11CE-A49E-444553540000}"	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\shellex\MayChangeDefaultMenu\	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\InProcServer32	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\InitPropertyBag\command = "´ò¿ªÖ÷Ò³"	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\InitPropertyBag\CLSID = "{13709620-C279-11CE-A49E-444553540000}"	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\InProcServer32	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers\ieframe	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\CLSID = "{3f454f0e-42ae-4d7c-8ea3-328250d6e272}"	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shdocvw.dll"	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\InProcServer32\ThreadingModel = "Apartment"	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\InitPropertyBag\Param2 = "%ProgramFiles(x86)%\\Internet Explorer\\iexplore.exe"	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers\ieframe	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\CLSID = "{3f454f0e-42ae-4d7c-8ea3-328250d6e272}"	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex\ContextMenuHandlers\ieframe	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\CLSID = "{3f454f0e-42ae-4d7c-8ea3-328250d6e272}"	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\InitPropertyBag\CLSID = "{13709620-C279-11CE-A49E-444553540000}"	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\InitPropertyBag\Param2 = "%ProgramFiles(x86)%\\Internet Explorer\\iexplore.exe"	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\InitPropertyBag	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\InitPropertyBag\CLSID = "{13709620-C279-11CE-A49E-444553540000}"	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\InitPropertyBag\CLSID = "{13709620-C279-11CE-A49E-444553540000}"	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\CLSID = "{3f454f0e-42ae-4d7c-8ea3-328250d6e272}"	1d30329bea26a94c7533e6a15fd68f67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63218229-6240-5437-6321-624072098731}\Instance\InitPropertyBag\CLSID = "{13709620-C279-11CE-A49E-444553540000}"	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers\ieframe	1d30329bea26a94c7533e6a15fd68f67.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder	1d30329bea26a94c7533e6a15fd68f67.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 3812	4232	1d30329bea26a94c7533e6a15fd68f67.exe	94
PID 4232 wrote to memory of 3812	4232	1d30329bea26a94c7533e6a15fd68f67.exe	94
PID 4232 wrote to memory of 3812	4232	1d30329bea26a94c7533e6a15fd68f67.exe	94
PID 3812 wrote to memory of 4512	3812	1d30329bea26a94c7533e6a15fd68f67.exe	101
PID 3812 wrote to memory of 4512	3812	1d30329bea26a94c7533e6a15fd68f67.exe	101
PID 3812 wrote to memory of 4512	3812	1d30329bea26a94c7533e6a15fd68f67.exe	101
PID 4512 wrote to memory of 2020	4512	1d30329bea26a94c7533e6a15fd68f67.exe	104
PID 4512 wrote to memory of 2020	4512	1d30329bea26a94c7533e6a15fd68f67.exe	104
PID 4512 wrote to memory of 2020	4512	1d30329bea26a94c7533e6a15fd68f67.exe	104
PID 2020 wrote to memory of 1416	2020	1d30329bea26a94c7533e6a15fd68f67.exe	105
PID 2020 wrote to memory of 1416	2020	1d30329bea26a94c7533e6a15fd68f67.exe	105
PID 2020 wrote to memory of 1416	2020	1d30329bea26a94c7533e6a15fd68f67.exe	105
PID 1416 wrote to memory of 5064	1416	1d30329bea26a94c7533e6a15fd68f67.exe	111
PID 1416 wrote to memory of 5064	1416	1d30329bea26a94c7533e6a15fd68f67.exe	111
PID 1416 wrote to memory of 5064	1416	1d30329bea26a94c7533e6a15fd68f67.exe	111
PID 5064 wrote to memory of 3652	5064	1d30329bea26a94c7533e6a15fd68f67.exe	113
PID 5064 wrote to memory of 3652	5064	1d30329bea26a94c7533e6a15fd68f67.exe	113
PID 5064 wrote to memory of 3652	5064	1d30329bea26a94c7533e6a15fd68f67.exe	113
PID 3652 wrote to memory of 4552	3652	1d30329bea26a94c7533e6a15fd68f67.exe	115
PID 3652 wrote to memory of 4552	3652	1d30329bea26a94c7533e6a15fd68f67.exe	115
PID 3652 wrote to memory of 4552	3652	1d30329bea26a94c7533e6a15fd68f67.exe	115
PID 4552 wrote to memory of 4692	4552	1d30329bea26a94c7533e6a15fd68f67.exe	117
PID 4552 wrote to memory of 4692	4552	1d30329bea26a94c7533e6a15fd68f67.exe	117
PID 4552 wrote to memory of 4692	4552	1d30329bea26a94c7533e6a15fd68f67.exe	117
PID 4692 wrote to memory of 4924	4692	1d30329bea26a94c7533e6a15fd68f67.exe	119
PID 4692 wrote to memory of 4924	4692	1d30329bea26a94c7533e6a15fd68f67.exe	119
PID 4692 wrote to memory of 4924	4692	1d30329bea26a94c7533e6a15fd68f67.exe	119
PID 4924 wrote to memory of 4064	4924	1d30329bea26a94c7533e6a15fd68f67.exe	122
PID 4924 wrote to memory of 4064	4924	1d30329bea26a94c7533e6a15fd68f67.exe	122
PID 4924 wrote to memory of 4064	4924	1d30329bea26a94c7533e6a15fd68f67.exe	122
PID 4064 wrote to memory of 4780	4064	1d30329bea26a94c7533e6a15fd68f67.exe	124
PID 4064 wrote to memory of 4780	4064	1d30329bea26a94c7533e6a15fd68f67.exe	124
PID 4064 wrote to memory of 4780	4064	1d30329bea26a94c7533e6a15fd68f67.exe	124

C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe
"C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe
  "C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3812
- - C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe
    "C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe"
    3⤵
    - Drops file in Drivers directory
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe
      "C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe"
      4⤵
      Drops file in Drivers directory
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2020
    - - C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe"
        5⤵
        Drops file in Drivers directory
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
      - C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe"
        6⤵
        Drops file in Drivers directory
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe"
        7⤵
        Drops file in Drivers directory
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe"
        8⤵
        Drops file in Drivers directory
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe"
        9⤵
        Drops file in Drivers directory
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe"
        10⤵
        Drops file in Drivers directory
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe"
        11⤵
        Drops file in Drivers directory
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe"
        12⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe"
        13⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe"
        14⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe"
        15⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe"
        16⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe"
        17⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe"
        18⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe"
        19⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d30329bea26a94c7533e6a15fd68f67.exe"
        20⤵
        
        PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\k.exe

Filesize
542B

MD5
2c650faa042765b7087461041554f4c2

SHA1
253a5503092295e66c2cdc56ec79dce4ff687686

SHA256
bddf1032bf1b8be326adfb6ec42c89f4d4ccfc903a8b4c125df977e16a560ea0

SHA512
d1705ddd9539c45a41fd434ae113c13ed743df927f82ac048db38a8efd7230e3591810d84dedc7a939bf59d5d87c22f04ee0efda8842ad3496f22789893ecad5

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe

Filesize
110B

MD5
0c0d0e7d1ff282741e93063e8217a5de

SHA1
a9c22f8512353135adc61741c5023efc12031902

SHA256
a16d3daaea2a1840394c5a008b7c02a32ea8bdbba5d494882f1d4fb5db1aba9c

SHA512
373ff5d053def330dfd86b9620fd738e315ce87991d652145fd5dd69374bf3e65a7831c362905a4c66f35d62477b7f325b8a5ea593d76a86e09db7700c1e506e

Download Submit
C:\Users\Admin\Desktop\°Ù¶ÈËÑË÷.url

Filesize
172B

MD5
22b614a4ee841c2e05923729a6ffdada

SHA1
c34f2381057f52b71e674ce64a82bd676e9d6960

SHA256
a58fd8e4d1c42e5df1784933b00c37227ae12e3a1f20ba01067178f4fbc7b11c

SHA512
86ed892aaea7f3759b9a73b0902e229ccaac754b45356ed1f710cc254d4c78dcc5468bc847a98f4079715e86a5dc709001765261bc897f80fac7a96dc687d444

Download Submit
C:\Users\Admin\Desktop\ÌÔ±¦Íø.url

Filesize
173B

MD5
059f6443035003a725962466c7d7a13c

SHA1
032bb625248c19eaca850c14840b6141415ecbda

SHA256
56b428cb43ddeaafbc2fafbd502f91a182aed00bda2714fcb07bdff24d7a371d

SHA512
ac22f2283abeb33716ff80afdff47a9a7244142953aa41a8cf86dffd2d53017c1c11cb9d607c5e79d0f84ff5e2819fdc774784a005dd1fe1141f49a2104ea824

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
3KB

MD5
1c02de6fb74121aae4a7963d1da56629

SHA1
79669aba35056ff100dea8b7a3cf16a66f11ca9b

SHA256
04aee5637a664256a4744b8144b14136356f7f5ab349acad127ffd4458ba0258

SHA512
600f02e1a996ebedd2bb4af8377c8ab2600c87cf26cf1122d3156ec37a1c0a06b707128cb2a46370dcbe265d5fa917d0af8a0d08945c4e3516a0fe0fe351e6d0

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
4KB

MD5
d36ffc06b85061d59b754ae1916e8161

SHA1
cf6e426d5ae08cad23a1e188ec9ffb4695604337

SHA256
b0c6a7725ae033bea5db66d5cb7acc69394848accbbee20f03ec16ac985dceb2

SHA512
9406e9e797d175f158bbd511f8670aeeb6951909b0963526f71b1ad5d8d0ba9e5998dcc95821a80490ee359b7f3fbfbf5c02f05702009281f5fc6f8027e95b5c

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
5KB

MD5
c6f3791fcb6c9eaa124a4b1103efd9ad

SHA1
76d3302deae23abdc390170b0e98f12f5b96a691

SHA256
d2fabf7e8f870bda4557340c2670f710c17b5cf2611c043dc040eb6086a34e7d

SHA512
2849240e92e172fdc182cfbe31e46bf4900df3e1e87282dc4f07da73e806f8ddbddb635c4bfa4338d3dc26896532af1d619dd68e1bfda72169760dc9f88d900c

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
6KB

MD5
de3ef479a53cd2c8997323686bc01c46

SHA1
832176d47421800102f30053647b978ad674ed06

SHA256
beb1da46d6dbc2a836fc24edfdf5a2fb843b0be85842260d84f279fd3f3f5e80

SHA512
91d78abf1929bf0b3a099940c9d17c9dbb588dd1aaadc7aa8e9ef443e0fb65249aef6821f921dabe6fc8324d19b06e0b759f402d4deac632a65729ad88ffc1c1

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
ae16116e642f43f0b545d7e2deec0110

SHA1
b063bcf11cee30894d641cad9a1fea6a52f5e3fc

SHA256
ecc022c3540a0cf4d7023b7f97f52228d6325ea9a8082ba1e1a2dc4b033f3a84

SHA512
c95b04fcceb2e15dcc326ed40d1595c1e9ba33ed3759bbabf14f72fddf52bdbddb396ba4adf39c308a7132e416de305fbe2a486624f750319dcb0e897202dfd2

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
51bc574d1afd6f7000fb3bb034bc9318

SHA1
4a077056a052fde0a2c2f52110da3b5bd6c5e474

SHA256
911bd6ab5ddf882411c5580c59833356c6aab2e83272899a3cf945ba3441f8c8

SHA512
6876159829a1d8759219406eb4941c728942dc2e02bfa139ae89b2c4f7087d23f0b2bac0b112ab28b6da913fd83cf8916f3574ca362f2aec3926d0f98fc771de

Download Submit
memory/744-798-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1416-242-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1416-163-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/2020-194-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2020-115-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/2780-751-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2792-563-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/2792-643-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3652-261-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/3652-347-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3812-19-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/3812-64-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3812-637-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3856-840-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4052-690-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4064-547-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4064-468-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4232-3-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/4232-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4232-548-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4512-67-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/4512-192-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4512-640-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4552-311-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/4552-397-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4692-354-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4692-451-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4780-596-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4780-515-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4852-912-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4860-648-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/4924-501-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4924-416-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/5064-211-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/5064-294-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download