8eb6ffc6393b1faff3dc6259fc69a41bb99aa25efda36a44246bfd67ba5fac88

Analysis

max time kernel
154s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a45c7fb595b0bad6073bb16d49d0bad.exe
Size

220KB
MD5

3a45c7fb595b0bad6073bb16d49d0bad
SHA1

a6daf691537fe25b2d1402b3732bc9ed7f55ab99
SHA256

8eb6ffc6393b1faff3dc6259fc69a41bb99aa25efda36a44246bfd67ba5fac88
SHA512

eafb0a423db4b24d76c162d5acef2c5fb3b68149d1482873830d7d4e65413fd79c2899297ec1b8741ec823b29c41186be8371a8105089e1c02e28d2eeab217f0
SSDEEP

3072:qqWeoCIlcOyFKWzHpP5VZYwE4BHMvF3zrxFRpKB1B4Ktny6FNFv5qGtTBkNHLssJ:SRgP4WzHVZdIFvxFH2BTnFNFvN+HIsQ+

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1832-20-0x0000000020010000-0x0000000020088000-memory.dmp	upx
behavioral2/memory/1832-21-0x0000000020010000-0x0000000020088000-memory.dmp	upx
behavioral2/memory/1832-28-0x0000000020010000-0x0000000020088000-memory.dmp	upx
behavioral2/memory/1832-35-0x0000000020010000-0x0000000020088000-memory.dmp	upx
behavioral2/memory/1832-37-0x0000000020010000-0x0000000020088000-memory.dmp	upx

Adds Run key to start application 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssysfs = "C:\\Windows\\system32\\3a45c7fb595b0bad6073bb16d49d0bad.exe"	reg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\3a45c7fb595b0bad6073bb16d49d0bad.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\3a45c7fb595b0bad6073bb16d49d0bad.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\3a45c7fb595b0bad6073bb16d49d0bad.exe	attrib.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1832	svchost.exe
1832	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe
Token: SeDebugPrivilege	1832	svchost.exe
Token: SeTakeOwnershipPrivilege	1832	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 2804 wrote to memory of 1832	2804	3a45c7fb595b0bad6073bb16d49d0bad.exe	86
PID 1832 wrote to memory of 3740	1832	svchost.exe	93
PID 1832 wrote to memory of 3740	1832	svchost.exe	93
PID 1832 wrote to memory of 3740	1832	svchost.exe	93
PID 3740 wrote to memory of 1748	3740	cmd.exe	97
PID 3740 wrote to memory of 1748	3740	cmd.exe	97
PID 3740 wrote to memory of 1748	3740	cmd.exe	97
PID 1832 wrote to memory of 4480	1832	svchost.exe	100
PID 1832 wrote to memory of 4480	1832	svchost.exe	100
PID 1832 wrote to memory of 4480	1832	svchost.exe	100
PID 1832 wrote to memory of 2768	1832	svchost.exe	102
PID 1832 wrote to memory of 2768	1832	svchost.exe	102
PID 1832 wrote to memory of 2768	1832	svchost.exe	102
PID 2768 wrote to memory of 4160	2768	cmd.exe	104
PID 2768 wrote to memory of 4160	2768	cmd.exe	104
PID 2768 wrote to memory of 4160	2768	cmd.exe	104
PID 1832 wrote to memory of 4276	1832	svchost.exe	106
PID 1832 wrote to memory of 4276	1832	svchost.exe	106
PID 1832 wrote to memory of 4276	1832	svchost.exe	106
PID 1832 wrote to memory of 2384	1832	svchost.exe	108
PID 1832 wrote to memory of 2384	1832	svchost.exe	108
PID 1832 wrote to memory of 2384	1832	svchost.exe	108
PID 1832 wrote to memory of 2744	1832	svchost.exe	112
PID 1832 wrote to memory of 2744	1832	svchost.exe	112
PID 1832 wrote to memory of 2744	1832	svchost.exe	112
PID 1832 wrote to memory of 4388	1832	svchost.exe	116
PID 1832 wrote to memory of 4388	1832	svchost.exe	116
PID 1832 wrote to memory of 4388	1832	svchost.exe	116

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1748	attrib.exe
4160	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3a45c7fb595b0bad6073bb16d49d0bad.exe
"C:\Users\Admin\AppData\Local\Temp\3a45c7fb595b0bad6073bb16d49d0bad.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c attrib -h "C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3740
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -h "C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe"
      4⤵
      Views/modifies file attributes
      PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c copy /Y "C:\Users\Admin\AppData\Local\Temp\3a45c7fb595b0bad6073bb16d49d0bad.exe" "C:\Windows\system32\"
    3⤵
    - Drops file in System32 directory
    PID:4480
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c attrib +h "C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe"
      4⤵
      Drops file in System32 directory
      Views/modifies file attributes
      PID:4160
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:4276
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:2384
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:2744
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:4388
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:4020
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:3108
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:672
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:2404
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:4404
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:5012
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:3788
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:2952
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:3876
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:4580
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:4480
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:2692
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:4960
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:2384
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:4836
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:1748
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:4180
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:2780
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:1188
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:224
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:740
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:992
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:680
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:2724
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:4196
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:4604
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:3740
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:4676
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:2368
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:1824
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:5032
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /f /v mssysfs /d C:\Windows\system32\3a45c7fb595b0bad6073bb16d49d0bad.exe
    3⤵
    - Adds Run key to start application
    PID:2516

C:\Windows\system32\WerFault.exe
"C:\Windows\system32\WerFault.exe" -k -lc NDIS NDIS-20231226-1916.dmp
1⤵
PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3a45c7fb595b0bad6073bb16d49d0bad.exe

Filesize
220KB

MD5
b30343434005e33b83e4cc786323aff8

SHA1
fc1fa0cec2f551e7c0ba0dd71a58fdae6f0f33f6

SHA256
3324a01fee0cd8fc9c331cd162612a5da406c95198dae1af4ce5e2149f513c15

SHA512
6ac841ed90e14809007c1bf8f6fed653cc93152a878cc65a7740efa59d1e6966c34e7c0b0684f4e95086dd06d41c7306c0d26ee69409e10034e8ba1b5d5b60c6

Download Submit
memory/1832-3-0x0000000001240000-0x0000000001241000-memory.dmp

Filesize
4KB

Download
memory/1832-20-0x0000000020010000-0x0000000020088000-memory.dmp

Filesize
480KB

Download
memory/1832-21-0x0000000020010000-0x0000000020088000-memory.dmp

Filesize
480KB

Download
memory/1832-19-0x0000000001A00000-0x0000000001A01000-memory.dmp

Filesize
4KB

Download
memory/1832-28-0x0000000020010000-0x0000000020088000-memory.dmp

Filesize
480KB

Download
memory/1832-35-0x0000000020010000-0x0000000020088000-memory.dmp

Filesize
480KB

Download
memory/1832-37-0x0000000020010000-0x0000000020088000-memory.dmp

Filesize
480KB

Download
memory/2804-0-0x0000000013140000-0x000000001314E000-memory.dmp

Filesize
56KB

Download