Analysis

max time kernel: 150s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-02-2024 22:22

Behavioral task behavioral1
Sample: a77f9f8096b832ba68658b03c5410b22.exe
Resource: win7-20240221-en

Behavioral task behavioral2
Sample: a77f9f8096b832ba68658b03c5410b22.exe
Resource: win10v2004-20240226-en

All memory-dump resources and PIDs in the sections below come from behavioral2 (the win10v2004 run); nothing from the win7 task is reproduced on this page.
General

Target: a77f9f8096b832ba68658b03c5410b22.exe
Size: 3.8MB
MD5: a77f9f8096b832ba68658b03c5410b22
SHA1: 8b7465cefc92c07bff66d5df85321f3a97579110
SHA256: 3684ae4716bf63da137d84df3b52dc186bd234087432fb19a4c62410a894a667
SHA512: abc5be37885881e862005518c6bfd924d10ea797bf1e0a6757acade539aafc5240c21902b5179730c446e017188561a26d226461cf138c008efd5c02aeb4a451
SSDEEP: 98304:WxM5bQFedwc1W+V50StngH32LFw1T0ndB5bLeYlmv4L/BXfJMx3rKmf8h1vy:mMZaLkXtUxQdB5bLeYlEyBXfJMx7KmEe
Malware Config

Extracted
Family: warzonerat
C2: 111.90.146.200:5200
Signatures

WarzoneRat, AveMaria
WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ that ships with multiple plugins and is sold as malware-as-a-service (MaaS).

Warzone RAT payload 16 IoCs
resource (yara_rule: warzonerat for every row)
behavioral2/memory/4060-8-0x0000000000400000-0x0000000000553000-memory.dmp
behavioral2/memory/4060-14-0x0000000000400000-0x0000000000553000-memory.dmp
behavioral2/memory/4060-16-0x0000000000400000-0x0000000000553000-memory.dmp
behavioral2/memory/4060-28-0x0000000000400000-0x0000000000553000-memory.dmp
behavioral2/memory/4580-35-0x0000000000400000-0x0000000000553000-memory.dmp
behavioral2/memory/4580-56-0x0000000000400000-0x0000000000553000-memory.dmp
behavioral2/memory/468-66-0x0000000000400000-0x0000000000553000-memory.dmp
behavioral2/memory/468-79-0x0000000000400000-0x0000000000553000-memory.dmp
behavioral2/memory/2180-94-0x0000000000400000-0x0000000000553000-memory.dmp
behavioral2/memory/4580-132-0x0000000000400000-0x0000000000553000-memory.dmp
behavioral2/memory/2180-146-0x0000000000400000-0x0000000000553000-memory.dmp
behavioral2/memory/4360-173-0x0000000000400000-0x0000000000553000-memory.dmp
behavioral2/memory/1272-192-0x0000000000400000-0x0000000000553000-memory.dmp
behavioral2/memory/2836-211-0x0000000000400000-0x0000000000553000-memory.dmp
behavioral2/memory/2624-232-0x0000000000400000-0x0000000000553000-memory.dmp
behavioral2/memory/220-251-0x0000000000400000-0x0000000000553000-memory.dmp
Every hit is the same 0x00400000-0x00553000 region (the default image base of a 32-bit PE) in PIDs 4060, 4580, 468, 2180, 4360, 1272, 2836, 2624 and 220. Each of those PIDs is a target in the SetThreadContext table below, consistent with the unpacked Warzone payload existing only inside hollowed child processes, never as a file on disk.
Drops startup file 64 IoCs
description   ioc                                                                                              Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs           notepad.exe  (repeated 62 times across the notepad.exe instances)
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat        test.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start  test.exe
An unattended notepad.exe writing a .vbs into the Startup folder is not Notepad's own behaviour: the WriteProcessMemory table shows each test.exe/images.exe parent making five writes into its notepad.exe child, so the writer is injected code. programs.bat:start is an alternate data stream on programs.bat, so the batch file's visible content and the stream can differ; list it with dir /r.
Executes dropped EXE 64 IoCs
pid Process
images.exe (C:\ProgramData\images.exe): 4668, 4580, 4672
test.exe (C:\Users\Admin\AppData\Local\Temp\test.exe), in order of appearance: 1480, 4060, 4752, 2712, 468, 3848, 4332, 2180, 4420, 3100, 4360, 2276, 4216, 1272, 2052, 1472, 2836, 2396, 2576, 2624, 428, 664, 220, 3952, 1308, 840, 2104, 464, 4072, 668, 1416, 1048, 2392, 4376, 4132, 4980, 4856, 5072, 2916, 904, 4116, 3712, 4676, 5088, 1864, 4136, 1988, 2576, 1072, 2508, 3956, 1100, 2660, 3092, 2692, 740, 4332, 1608, 4948, 1124, 4356
(2576 and 4332 each appear twice: PIDs are reused during the 150 s run, so match on PID plus start time, not on PID alone.)

UPX packed file 2 IoCs (yara rule: upx)
resource
behavioral2/memory/3672-0-0x0000000000400000-0x0000000000C00000-memory.dmp
behavioral2/memory/3672-18-0x0000000000400000-0x0000000000C00000-memory.dmp
PID 3672 is the submitted sample itself; the 8 MB image mapped at 0x400000 is the UPX-packed dropper. The warzonerat rule does not fire on this process, only on the unpacked payload in the hollowed children.
Adds Run key to start application 2 TTPs 1 IoCs
description      ioc                                                                                                                  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"  test.exe
The value lands under WOW6432Node because test.exe is a 32-bit process (note the SysWOW64 paths throughout the process tree) and the registry redirector maps its HKLM\SOFTWARE writes there; when hunting, query both the native and the WOW6432Node Run keys.
Suspicious use of SetThreadContext 64 IoCs
injector PID -> target PID; all injectors are test.exe except 4668, which is images.exe (the report's procid_target ordinal is omitted)
1480->4060, 4668->4580, 2712->468, 4332->2180, 3100->4360, 4216->1272, 1472->2836, 2576->2624, 664->220, 1308->840,
464->4072, 1416->1048, 4376->4132, 4856->5072, 904->4116, 4676->5088, 4136->1988, 1072->2508, 1100->2660, 2692->740,
1608->4948, 4356->2144, 640->5020, 4200->3540, 4516->3644, 2920->1140, 4528->1116, 2248->1592, 4544->1812, 2904->2844,
1980->2432, 2016->4280, 1684->5052, 3552->3360, 2772->5060, 2416->1324, 1424->3624, 4232->4956, 3348->3956, 4432->1940,
944->4968, 2232->1124, 3344->1180, 212->4264, 2820->1564, 2772->3640, 5008->1312, 2404->4104, 1236->2384, 1100->1308,
3340->804, 1892->2956, 4452->4344, 3500->1640, 4928->1784, 1884->1408, 116->3684, 5008->4300, 2532->2576, 1840->4640,
4544->664, 4808->2400, 1608->3492, 2232->3584
NTFS ADS 1 IoCs
description   ioc                              Process
File created  C:\ProgramData:ApplicationData   test.exe
This is a named stream (ApplicationData) attached to the C:\ProgramData directory itself, not to a file, so a normal directory listing will not show it; dir /r C:\ lists the streams attached to each entry under the drive root, including this directory.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (consecutive identical rows collapsed, order preserved)
1480 test.exe x2, 4752 test.exe x38, 4668 images.exe x2, 4752 test.exe x2, 2712 test.exe x2, 4672 images.exe x8, 3848 test.exe x4, 4856 powershell.exe x1, 3848 test.exe x2, 4672 images.exe x3
Suspicious behavior: MapViewOfSection 64 IoCs
pid Process
1480 test.exe, 4668 images.exe, then test.exe: 2712, 4332, 3100, 4216, 1472, 2576, 664, 1308, 464, 1416, 4376, 4856, 904, 4676, 4136, 1072, 1100, 2692, 1608, 4356, 640, 4200, 4516, 2920, 4528, 2248, 4544, 2904, 1980, 2016, 1684, 3552, 2772, 2416, 1424, 4232, 3348, 4432, 944, 2232, 3344, 212, 2820, 2772, 5008, 2404, 1236, 1100, 3340, 1892, 4452, 3500, 4928, 1884, 116, 5008, 2532, 1840, 4544, 4808, 1608, 2232
This is exactly the injector column of the SetThreadContext table, in the same order: the same processes map a section (MapViewOfSection), write into the child (WriteProcessMemory) and redirect its thread (SetThreadContext), the usual process-hollowing sequence.
Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   Process
Token: SeDebugPrivilege  4856  powershell.exe
Token: SeDebugPrivilege  3444  powershell.exe
These are the two powershell.exe instances that run Add-MpPreference -ExclusionPath C:\ in the process tree.
Suspicious use of WriteProcessMemory 64 IoCs
writer PID -> target PID (writer image) x number of rows (the report's procid_target ordinal is omitted)
3672->116 (a77f9f8096b832ba68658b03c5410b22.exe) x3, 116->1480 (cmd.exe) x3, 1480->4264 (test.exe) x5, 1480->4060 (test.exe) x3, 1480->4752 (test.exe) x3,
4060->4856 (test.exe) x3, 4060->4668 (test.exe) x3, 4668->5088 (images.exe) x5, 4668->4580 (images.exe) x3, 4668->4672 (images.exe) x3,
4752->2712 (test.exe) x3, 2712->1420 (test.exe) x5, 2712->468 (test.exe) x3, 2712->3848 (test.exe) x3, 3848->4332 (test.exe) x3,
4332->4816 (test.exe) x5, 4332->2180 (test.exe) x3, 4332->4420 (test.exe) x3, 4580->3444 (images.exe) x2 (list cut at 64 rows)
Ordinary child-process creation shows up here too (the dropper's three writes into cmd.exe, PID 116, and cmd.exe's three into test.exe), so this signature on its own does not indicate injection. The targets that receive five writes (4264, 5088 and 4816 are notepad.exe in the process tree) are the notepad.exe children; the targets that also appear in the SetThreadContext table (4060, 4580, 468, 2180) are the hollowed ones.
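The three tables above (Warzone RAT payload, SetThreadContext and WriteProcessMemory) are what an analyst correlates to tell process hollowing apart from ordinary child-process creation, which also produces WriteProcessMemory rows. The Python below is an added example, not output of the sandbox and not part of this report: it parses a short excerpt of those rows (copied from the tables above; the row layout is assumed to be exactly as printed here) and reports which injector-to-target pairs show the full pattern, i.e. the parent rewrote the child's thread context, wrote into it, and the warzonerat rule fired on the child's 0x400000 image-base region. It also lists the writes that have no matching SetThreadContext row.

```python
"""Correlate sandbox signature rows into confirmed process-hollowing pairs.

Added example for this report, not sandbox output. The row strings are a short
excerpt copied from the report's SetThreadContext, WriteProcessMemory and
Warzone RAT payload tables; the row layout is assumed to be as printed there.
"""
import re
from dataclasses import dataclass, field

SET_THREAD_CONTEXT_ROWS = """
PID 1480 set thread context of 4060 1480 test.exe 88
PID 4668 set thread context of 4580 4668 images.exe 98
PID 2712 set thread context of 468 2712 test.exe 101
"""

WRITE_PROCESS_MEMORY_ROWS = """
PID 3672 wrote to memory of 116 3672 a77f9f8096b832ba68658b03c5410b22.exe 85
PID 116 wrote to memory of 1480 116 cmd.exe 86
PID 1480 wrote to memory of 4264 1480 test.exe 87
PID 1480 wrote to memory of 4060 1480 test.exe 88
PID 4668 wrote to memory of 4580 4668 images.exe 98
PID 2712 wrote to memory of 468 2712 test.exe 101
"""

YARA_MEMORY_ROWS = """
behavioral2/memory/4060-8-0x0000000000400000-0x0000000000553000-memory.dmp warzonerat
behavioral2/memory/4580-35-0x0000000000400000-0x0000000000553000-memory.dmp warzonerat
behavioral2/memory/468-66-0x0000000000400000-0x0000000000553000-memory.dmp warzonerat
behavioral2/memory/3672-0-0x0000000000400000-0x0000000000C00000-memory.dmp upx
"""

# Row layout: "PID <injector> set thread context of <target> <injector> <image> <ordinal>"
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) \d+")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
YARA_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x[0-9A-Fa-f]+-memory\.dmp (\w+)")

IMAGE_BASE_32 = 0x400000  # default image base of a 32-bit PE, where a hollowed payload is mapped


@dataclass
class HollowingCandidate:
    injector_pid: int
    injector_image: str
    target_pid: int
    wrote_memory: bool = False
    payload_rules: set = field(default_factory=set)

    @property
    def confirmed(self) -> bool:
        # The triad: thread context rewritten, memory written, payload rule on the child's image base.
        return self.wrote_memory and "warzonerat" in self.payload_rules


def correlate(ctx_rows, wpm_rows, yara_rows):
    """One candidate per SetThreadContext row, enriched from the other two tables."""
    wpm_pairs = {(int(m[1]), int(m[2])) for m in WPM_RE.finditer(wpm_rows)}
    rules_by_pid = {}
    for m in YARA_RE.finditer(yara_rows):
        if int(m[2], 16) == IMAGE_BASE_32:
            rules_by_pid.setdefault(int(m[1]), set()).add(m[3])
    candidates = []
    for m in CTX_RE.finditer(ctx_rows):
        cand = HollowingCandidate(int(m[1]), m[3], int(m[2]))
        cand.wrote_memory = (cand.injector_pid, cand.target_pid) in wpm_pairs
        cand.payload_rules = rules_by_pid.get(cand.target_pid, set())
        candidates.append(cand)
    return candidates


def unpaired_writes(ctx_rows, wpm_rows):
    """Writer->target pairs present in WriteProcessMemory but never in SetThreadContext."""
    ctx_pairs = {(int(m[1]), int(m[2])) for m in CTX_RE.finditer(ctx_rows)}
    wpm_pairs = {(int(m[1]), int(m[2])) for m in WPM_RE.finditer(wpm_rows)}
    return sorted(wpm_pairs - ctx_pairs)


if __name__ == "__main__":
    for c in correlate(SET_THREAD_CONTEXT_ROWS, WRITE_PROCESS_MEMORY_ROWS, YARA_MEMORY_ROWS):
        print(f"{c.injector_image} {c.injector_pid} -> {c.target_pid}: "
              f"{'hollowing confirmed' if c.confirmed else 'incomplete'}")
    print("writes without thread-context change:",
          unpaired_writes(SET_THREAD_CONTEXT_ROWS, WRITE_PROCESS_MEMORY_ROWS))
```

On this excerpt all three SetThreadContext pairs are confirmed, while the dropper's write into cmd.exe (3672 -> 116), cmd.exe's write into test.exe (116 -> 1480) and test.exe's write into notepad.exe (1480 -> 4264) come back as unpaired: the first two are plain process creation, the third is the notepad.exe instance that later drops image.vbs, which is why WriteProcessMemory alone cannot be used as the injection signal.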
Processes
Tree as extracted from the report; [n] is the nesting depth under the submitted sample, and an entry's parent is the nearest preceding entry at depth n-1. Each line gives PID, image, command line and the signatures that fired on that process.

Image paths:
SAMPLE  = C:\Users\Admin\AppData\Local\Temp\a77f9f8096b832ba68658b03c5410b22.exe
CMD     = C:\Windows\SysWOW64\cmd.exe
TEST    = C:\Users\Admin\AppData\Local\Temp\test.exe
IMAGES  = C:\ProgramData\images.exe
NOTEPAD = C:\Windows\SysWOW64\notepad.exe (command line is always "C:\Windows\system32\notepad.exe", so it is not repeated below)
PS      = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
In the cmd column, "SAMPLE", "TEST" and "IMAGES" stand for the image path in double quotes, exactly as the process was launched.

Signatures:
EDE = Executes dropped EXE; DSF = Drops startup file; RUN = Adds Run key to start application; ADS = NTFS ADS;
STC = Suspicious use of SetThreadContext; MVOS = Suspicious behavior: MapViewOfSection;
ENUM = Suspicious behavior: EnumeratesProcesses; WPM = Suspicious use of WriteProcessMemory;
APT = Suspicious use of AdjustPrivilegeToken

[1]  PID 3672  SAMPLE   cmd: "SAMPLE"   sig: WPM
[2]  PID 116   CMD      cmd: C:\Windows\system32\cmd.exe /c test.exe   sig: WPM
[3]  PID 1480  TEST     cmd: test.exe   sig: EDE, STC, ENUM, MVOS, WPM
[4]  PID 4264  NOTEPAD
[4]  PID 4060  TEST     cmd: test.exe   sig: DSF, EDE, RUN, ADS, WPM
[5]  PID 4856  PS       cmd: powershell Add-MpPreference -ExclusionPath C:\   sig: ENUM, APT
[5]  PID 4668  IMAGES   cmd: "IMAGES"   sig: EDE, STC, ENUM, MVOS, WPM
[6]  PID 5088  NOTEPAD  sig: DSF
[6]  PID 4580  IMAGES   cmd: "IMAGES"   sig: EDE, WPM
[7]  PID 3444  PS       cmd: powershell Add-MpPreference -ExclusionPath C:\   sig: APT
[6]  PID 4672  IMAGES   cmd: "IMAGES" 2 4580 240603906   sig: EDE, ENUM
[4]  PID 4752  TEST     cmd: "TEST" 2 4060 240601328   sig: EDE, ENUM, WPM
[5]  PID 2712  TEST     cmd: "TEST"   sig: EDE, STC, ENUM, MVOS, WPM
[6]  PID 3848  TEST     cmd: "TEST" 2 468 240604406   sig: EDE, ENUM, WPM
[7]  PID 4332  TEST     cmd: "TEST"   sig: EDE, STC, MVOS, WPM
[8]  PID 4816  NOTEPAD  sig: DSF
[8]  PID 2180  TEST     cmd: "TEST"   sig: EDE
[8]  PID 4420  TEST     cmd: "TEST" 2 2180 240607031   sig: EDE
[9]  PID 3100  TEST     cmd: "TEST"   sig: EDE, STC, MVOS
[10] PID 4484  NOTEPAD  sig: DSF
[10] PID 4360  TEST     cmd: "TEST"   sig: EDE
[10] PID 2276  TEST     cmd: "TEST" 2 4360 240609984   sig: EDE
[11] PID 4216  TEST     cmd: "TEST"   sig: EDE, STC, MVOS
[12] PID 1272  TEST     cmd: "TEST"   sig: EDE
[12] PID 3792  NOTEPAD
[12] PID 2052  TEST     cmd: "TEST" 2 1272 240611593   sig: EDE
[13] PID 1472  TEST     cmd: "TEST"   sig: EDE, STC, MVOS
[14] PID 2572  NOTEPAD
[14] PID 2836  TEST     cmd: "TEST"   sig: EDE
[14] PID 2396  TEST     cmd: "TEST" 2 2836 240613031   sig: EDE
[15] PID 2576  TEST     cmd: "TEST"   sig: EDE, STC, MVOS
[16] PID 2404  NOTEPAD
[16] PID 2624  TEST     cmd: "TEST"   sig: EDE
[16] PID 428   TEST     cmd: "TEST" 2 2624 240614453   sig: EDE
[17] PID 664   TEST     cmd: "TEST"   sig: EDE, STC, MVOS
[18] PID 1716  NOTEPAD
[18] PID 220   TEST     cmd: "TEST"   sig: EDE
[18] PID 3952  TEST     cmd: "TEST" 2 220 240615796   sig: EDE
[19] PID 1308  TEST     cmd: "TEST"   sig: EDE, STC, MVOS
[20] PID 4564  NOTEPAD
[20] PID 840   TEST     cmd: "TEST"   sig: EDE
[20] PID 2104  TEST     cmd: "TEST" 2 840 240617203   sig: EDE
[21] PID 464   TEST     cmd: "TEST"   sig: EDE, STC, MVOS
[22] PID 4072  TEST     cmd: "TEST"   sig: EDE
[22] PID 2432  NOTEPAD  sig: DSF
[22] PID 668   TEST     cmd: "TEST" 2 4072 240618531   sig: EDE
[23] PID 1416  TEST     cmd: "TEST"   sig: EDE, STC, MVOS
[24] PID 2896  NOTEPAD  sig: DSF
[24] PID 1048  TEST     cmd: "TEST"   sig: EDE
[24] PID 2392  TEST     cmd: "TEST" 2 1048 240619875   sig: EDE
[25] PID 4376  TEST     cmd: "TEST"   sig: EDE, STC, MVOS
[26] PID 5052  NOTEPAD
[26] PID 4132  TEST     cmd: "TEST"   sig: EDE
[26] PID 4980  TEST     cmd: "TEST" 2 4132 240621281   sig: EDE
[27] PID 4856  TEST     cmd: "TEST"   sig: EDE, STC, MVOS
[28] PID 3760  NOTEPAD  sig: DSF
[28] PID 5072  TEST     cmd: "TEST"   sig: EDE
[28] PID 2916  TEST     cmd: "TEST" 2 5072 240622671   sig: EDE
[29] PID 904   TEST     cmd: "TEST"   sig: EDE, STC, MVOS
[30] PID 4116  TEST     cmd: "TEST"   sig: EDE
[30] PID 1556  NOTEPAD
[30] PID 3712  TEST     cmd: "TEST" 2 4116 240624078   sig: EDE
[31] PID 4676  TEST     cmd: "TEST"   sig: EDE, STC, MVOS
[32] PID 1424  NOTEPAD
[32] PID 5088  TEST     cmd: "TEST"   sig: EDE
[32] PID 1864  TEST     cmd: "TEST" 2 5088 240625375   sig: EDE
[33] PID 4136  TEST     cmd: "TEST"   sig: EDE, STC, MVOS
[34] PID 1988  TEST     cmd: "TEST"   sig: EDE
[34] PID 2576  TEST     cmd: "TEST" 2 1988 240626609   sig: EDE
[35] PID 1072  TEST     cmd: "TEST"   sig: EDE, STC, MVOS
[36] PID 2508  TEST     cmd: "TEST"   sig: EDE
[36] PID 3400  NOTEPAD
[36] PID 3956  TEST     cmd: "TEST" 2 2508 240627906   sig: EDE
[37] PID 1100  TEST     cmd: "TEST"   sig: EDE, STC, MVOS
[38] PID 804   NOTEPAD
[38] PID 2660  TEST     cmd: "TEST"   sig: EDE
[38] PID 3092  TEST     cmd: "TEST" 2 2660 240629062   sig: EDE
[39] PID 2692  TEST     cmd: "TEST"   sig: EDE, STC, MVOS
[40] PID 3340  NOTEPAD
[40] PID 740   TEST     cmd: "TEST"   sig: EDE
[40] PID 4332  TEST     cmd: "TEST" 2 740 240630312   sig: EDE
[41] PID 1608  TEST     cmd: "TEST"   sig: EDE, STC, MVOS
[42] PID 1600  NOTEPAD
[42] PID 4948  TEST     cmd: "TEST"   sig: EDE
[42] PID 1124  TEST     cmd: "TEST" 2 4948 240631562   sig: EDE
[43] PID 4356  TEST     cmd: "TEST"   sig: EDE, STC, MVOS
[44] PID 1416  NOTEPAD
[44] PID 2144  TEST     cmd: "TEST"
[44] PID 3104  TEST     cmd: "TEST" 2 2144 240632687
[45] PID 640   TEST     cmd: "TEST"   sig: STC, MVOS
[46] PID 3284  NOTEPAD  sig: DSF
[46] PID 5020  TEST     cmd: "TEST"
[46] PID 3100  TEST     cmd: "TEST" 2 5020 240633921
[47] PID 4200  TEST     cmd: "TEST"   sig: STC, MVOS
[48] PID 3304  NOTEPAD  sig: DSF
[48] PID 3540  TEST     cmd: "TEST"

What the tree shows: the UPX-packed sample (3672) runs cmd.exe /c test.exe, and from PID 1480 ([3]) onward the same four-process cycle repeats at every level. A test.exe carrying STC and MVOS (the injector) starts a notepad.exe (which in many instances drops image.vbs into Startup), a plain test.exe that is the injector's SetThreadContext target (for 4060, 2180, 4360, 1272, 2836, 2624 and 220 the warzonerat memory hit is in that process), and a test.exe launched as "TEST" 2 <PID of the hollowed sibling> <number>, whose own child is the next injector. The first hollowed instance, 4060, is the one that installs persistence: the Run key, the C:\ProgramData stream, the Startup files, the Defender exclusion for the whole C:\ drive via powershell, and the C:\ProgramData\images.exe copy, whose chain ([5] to [7]: injector 4668, notepad 5088, hollowed 4580 with its own powershell 3444, and 4672 launched with 2 4580) mirrors the test.exe one. The extracted page ends at depth 48; the SetThreadContext table lists further pairs (4516->3644 onward), so the chain continued.
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3540 24063514048⤵PID:5060
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"49⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4516 -
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"50⤵PID:3644
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"50⤵
- Drops startup file
PID:3984
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3644 24063631250⤵PID:1252
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"51⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2920 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"52⤵PID:4876
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"52⤵PID:1140
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1140 24063746852⤵PID:3792
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"53⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4528 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"54⤵
- Drops startup file
PID:1420
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"54⤵PID:1116
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1116 24063867154⤵PID:2424
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"55⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2248 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"56⤵PID:1716
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"56⤵PID:1592
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1592 24063987556⤵PID:2376
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"57⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4544 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"58⤵
- Drops startup file
PID:4432
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"58⤵PID:1812
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1812 24064101558⤵PID:1896
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"59⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2904 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"60⤵
- Drops startup file
PID:944
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"60⤵PID:2844
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2844 24064226560⤵PID:4512
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"61⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1980 -
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"62⤵PID:2432
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"62⤵PID:464
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2432 24064353162⤵PID:1132
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"63⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2016 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"64⤵PID:3344
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"64⤵PID:4280
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4280 24064481264⤵PID:4444
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"65⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1684 -
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"66⤵PID:5052
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"66⤵
- Drops startup file
PID:1568
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 5052 24064600066⤵PID:1404
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"67⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3552 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"68⤵PID:3004
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"68⤵PID:3360
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3360 24064715668⤵PID:2952
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"69⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2772 -
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"70⤵PID:5060
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"70⤵PID:3912
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 5060 24064835970⤵PID:2140
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"71⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2416 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"72⤵
- Drops startup file
PID:1252
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"72⤵PID:1324
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1324 24064962572⤵PID:1472
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"73⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1424 -
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"74⤵PID:3624
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"74⤵PID:864
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3624 24065082874⤵PID:1864
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"75⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4232 -
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"76⤵PID:4956
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"76⤵PID:2020
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4956 24065214076⤵PID:2384
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"77⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3348 -
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3956 24065328178⤵PID:4904
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"79⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4432 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"80⤵
- Drops startup file
PID:5108
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"80⤵PID:1940
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1940 24065456280⤵PID:804
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"81⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:944 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"82⤵
- Drops startup file
PID:3588
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"82⤵PID:4968
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4968 24065573482⤵PID:2956
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"83⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2232 -
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"84⤵PID:1124
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"84⤵
- Drops startup file
PID:1464
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1124 24065700084⤵PID:3056
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"85⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3344 -
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"86⤵PID:1180
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"86⤵PID:3692
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1180 24065818786⤵PID:1640
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"87⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:212 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"88⤵
- Drops startup file
PID:4144
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"88⤵PID:4264
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4264 24065940688⤵PID:1568
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"89⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2820 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"90⤵
- Drops startup file
PID:3612
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"90⤵PID:1564
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1564 24066065690⤵PID:3304
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"91⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2772 -
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"92⤵PID:3640
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"92⤵
- Drops startup file
PID:2504
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3640 24066178192⤵PID:692
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"93⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:5008 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"94⤵PID:4884
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"94⤵PID:1312
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1312 24066292194⤵PID:4108
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"95⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2404 -
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"96⤵PID:4104
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"96⤵PID:4388
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4104 24066406296⤵PID:4136
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"97⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1236 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"98⤵
- Drops startup file
PID:1648
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"98⤵PID:2384
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2384 24066535998⤵PID:4244
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"99⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1100 -
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"100⤵PID:1308
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"100⤵
- Drops startup file
PID:60
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1308 240666546100⤵PID:2400
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"101⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3340 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"102⤵
- Drops startup file
PID:4868
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"102⤵PID:804
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 804 240667687102⤵PID:3240
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"103⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1892 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"104⤵PID:2184
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"104⤵PID:2956
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2956 240668828104⤵PID:668
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"105⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4452 -
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"106⤵PID:4344
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"106⤵PID:5016
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4344 240670046106⤵PID:5032
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"107⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3500 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"108⤵PID:4444
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"108⤵PID:1640
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1640 240671359108⤵PID:4616
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"109⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4928 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"110⤵PID:4592
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"110⤵PID:1784
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1784 240672640110⤵PID:4220
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"111⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1884 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"112⤵
- Drops startup file
PID:3612
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"112⤵PID:1408
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1408 240673796112⤵PID:4508
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"113⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:116 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"114⤵PID:1852
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"114⤵PID:3684
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3684 240674953114⤵PID:1556
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"115⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:5008 -
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"116⤵PID:4300
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"116⤵
- Drops startup file
PID:2396
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4300 240676125116⤵PID:4752
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"117⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2532 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"118⤵PID:4792
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"118⤵PID:2576
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2576 240677250118⤵PID:1624
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"119⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1840 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"120⤵
- Drops startup file
PID:2976
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"120⤵PID:4640
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4640 240678406120⤵PID:1236
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"121⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4544 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"122⤵
- Drops startup file
PID:1348
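A tree this deep is easier to triage by script than by eye. The following Python is an added example, not part of the sandbox report or of any Triage tooling: it parses the extraction-flattened layout used on this page (image path, quoted command line, arguments and depth fused on one line ending in "⤵", then indicator and "PID:" lines), rebuilds parent/child links from the depth numbers, and then answers three questions a responder would ask: which processes show the SetThreadContext + MapViewOfSection hollowing pair and what they spawned, which sibling each "2 <pid> <tick>" watchdog launch refers to (PIDs are reused in this run, so only siblings under the same parent are matched), and which processes were started via WOW64 path redirection. The sample input is constructed from the first entries of the tree above; `split_depth`, the `first_depth` parameter and all function names are this example's own.

```python
"""Rebuild and triage a flattened sandbox process tree.

Example code added to this page; it is not part of the report or of the
tool that produced it.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the page's flattened layout. Values are copied from the
# first entries of the tree above; bare "-" lines are list residue.
SAMPLE = r'''
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 5088 24062537532⤵
- Executes dropped EXE
PID:1864 -
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4136 -
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"34⤵
- Executes dropped EXE
PID:1988
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1988 24062660934⤵
- Executes dropped EXE
PID:2576 -
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1072 -
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"36⤵
- Executes dropped EXE
PID:2508
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"36⤵PID:3400
-
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2508 24062790636⤵
- Executes dropped EXE
PID:3956 -
'''

HEADER = re.compile(r'^(?P<image>[A-Za-z]:\\[^"]+)"(?P<cmd>[^"]*)"(?P<rest>[^⤵]*)⤵(?:PID:(?P<pid>\d+))?')
PID_LINE = re.compile(r'^PID:(?P<pid>\d+)')
INDICATOR = re.compile(r'^-\s+(?P<text>\S.*)$')
INJECTION = {"Suspicious use of SetThreadContext", "Suspicious behavior: MapViewOfSection"}


@dataclass
class Proc:
    depth: int
    image: str
    cmdline: str
    args: list                      # tokens after the quoted command line
    pid: Optional[int] = None
    indicators: list = field(default_factory=list)
    parent: Optional["Proc"] = None
    children: list = field(default_factory=list)


def split_depth(token: str, prev_depth: int) -> tuple:
    """Split a fused '<last argument><depth>' token such as '24062537532'.

    A node sits at most one level below the node printed before it, so
    1 <= depth <= prev_depth + 1. Of the 1..3 digit suffixes satisfying that
    (assumption: depths stay below 1000), the largest is taken.
    """
    best = None
    for n in (1, 2, 3):
        if len(token) <= n:
            break
        suffix = token[-n:]
        if suffix[0] == "0":                    # neither "0" nor "02" is a depth
            continue
        depth = int(suffix)
        if 1 <= depth <= prev_depth + 1:
            best = (token[:-n], depth)
    if best is None:
        raise ValueError(f"cannot split depth from {token!r} after depth {prev_depth}")
    return best


def parse_tree(text: str, first_depth: Optional[int] = None) -> list:
    """Return Proc nodes in document order with parent/child links rebuilt."""
    procs, stack, cur = [], [], None
    prev_depth = first_depth - 1 if first_depth is not None else None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            rest = m.group("rest")
            if rest.startswith(" "):                 # arguments present; depth fused to the last one
                if prev_depth is None:
                    raise ValueError("first entry has a fused depth; pass first_depth")
                tokens = rest.split()
                last, depth = split_depth(tokens[-1], prev_depth)
                args = tokens[:-1] + [last]
            else:                                    # no arguments: the rest is the depth
                depth, args = int(rest), []
            cur = Proc(depth, m.group("image"), m.group("cmd"), args,
                       int(m.group("pid")) if m.group("pid") else None)
            while stack and stack[-1].depth >= depth:  # climb to the nearest shallower node
                stack.pop()
            if stack:
                cur.parent = stack[-1]
                stack[-1].children.append(cur)
            stack.append(cur)
            procs.append(cur)
            prev_depth = depth
            continue
        if cur is None:
            continue
        m = PID_LINE.match(line)
        if m:
            cur.pid = int(m.group("pid"))
            continue
        m = INDICATOR.match(line)
        if m:
            cur.indicators.append(m.group("text"))
    return procs


def injectors(procs: list) -> list:
    """Processes showing the SetThreadContext + MapViewOfSection pair."""
    return [p for p in procs if INJECTION <= set(p.indicators)]


def restart_links(procs: list) -> list:
    """Pair each '2 <pid> <tick>' watchdog with the sibling it names, or None."""
    links = []
    for p in procs:
        if len(p.args) == 3 and p.args[0] == "2" and p.args[1].isdigit():
            target = int(p.args[1])
            siblings = [s for s in p.parent.children if s is not p and s.pid == target] if p.parent else []
            links.append((p, siblings[-1] if siblings else None))   # latest wins: PIDs recycle
    return links


def wow64_redirected(procs: list) -> list:
    """Command line asked for system32, image resolved to SysWOW64."""
    return [p for p in procs
            if "\\syswow64\\" in p.image.lower() and "\\system32\\" in p.cmdline.lower()]


if __name__ == "__main__":
    tree = parse_tree(SAMPLE, first_depth=32)
    for p in tree:
        name = p.image.rsplit("\\", 1)[-1]
        print(f"[{p.depth}] pid={p.pid} {name} args={p.args} {p.indicators}")
    for inj in injectors(tree):
        print("injector", inj.pid, "spawned", [c.pid for c in inj.children])
    for watchdog, target in restart_links(tree):
        print("watchdog", watchdog.pid, "watches", target.pid if target else "unresolved")
    print("WOW64-redirected:", [p.pid for p in wow64_redirected(tree)])
```

Run against the whole tree from the page rather than the constructed sample by pasting it into SAMPLE; this excerpt begins at depth 32, hence `first_depth=32`. Unresolved watchdog links (the one at depth 78 naming PID 3956) and repeated PIDs are reported rather than guessed at, which is the behaviour you want when a tree is going to be cited in a report.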