74363f391dd3c0950e22d250039c3b5f68277229cbcae9656b02dd4a815754db

Analysis

max time kernel
154s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/RunAsAdmin.exe
Size

1.6MB
MD5

0b53be7581d492020324fba0be82853e
SHA1

c5aad14b92983b9ebc6c407461132664cd9d8f5d
SHA256

43cd5d0c17842f854afb71b4691c3f04f158f143d89d8f184ac4d8754dc91da2
SHA512

d241f27475ce0deffdb2d62a515903cf8b923d683a521025eab7db87fddb5a457d8ee7d77d4b0aa765a3b05192e24aa4e9bd5bcebe37bfed76e8132dece4af59
SSDEEP

49152:ybibX2skhQ3i2YAMptZS6wtbwIkFkw5nJJvOEuTg1dj/MnR7oNah1J2:yqX2PhQ3LYTtZ6tbwFFkwZJJvOEu0A79

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 30 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2260	RunAsAdmin.exe
2260	RunAsAdmin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 456	2260	RunAsAdmin.exe	100
PID 2260 wrote to memory of 456	2260	RunAsAdmin.exe	100
PID 2260 wrote to memory of 456	2260	RunAsAdmin.exe	100
PID 2260 wrote to memory of 828	2260	RunAsAdmin.exe	102
PID 2260 wrote to memory of 828	2260	RunAsAdmin.exe	102
PID 2260 wrote to memory of 828	2260	RunAsAdmin.exe	102
PID 456 wrote to memory of 4488	456	CScript.exe	104
PID 456 wrote to memory of 4488	456	CScript.exe	104
PID 456 wrote to memory of 4488	456	CScript.exe	104
PID 828 wrote to memory of 4040	828	CScript.exe	105
PID 828 wrote to memory of 4040	828	CScript.exe	105
PID 828 wrote to memory of 4040	828	CScript.exe	105
PID 2260 wrote to memory of 4888	2260	RunAsAdmin.exe	109
PID 2260 wrote to memory of 4888	2260	RunAsAdmin.exe	109
PID 2260 wrote to memory of 4888	2260	RunAsAdmin.exe	109
PID 4888 wrote to memory of 2016	4888	CScript.exe	112
PID 4888 wrote to memory of 2016	4888	CScript.exe	112
PID 4888 wrote to memory of 2016	4888	CScript.exe	112
PID 2260 wrote to memory of 436	2260	RunAsAdmin.exe	114
PID 2260 wrote to memory of 436	2260	RunAsAdmin.exe	114
PID 2260 wrote to memory of 436	2260	RunAsAdmin.exe	114
PID 436 wrote to memory of 2384	436	CScript.exe	116
PID 436 wrote to memory of 2384	436	CScript.exe	116
PID 436 wrote to memory of 2384	436	CScript.exe	116
PID 2260 wrote to memory of 3268	2260	RunAsAdmin.exe	122
PID 2260 wrote to memory of 3268	2260	RunAsAdmin.exe	122
PID 2260 wrote to memory of 3268	2260	RunAsAdmin.exe	122
PID 3268 wrote to memory of 5020	3268	CScript.exe	124
PID 3268 wrote to memory of 5020	3268	CScript.exe	124
PID 3268 wrote to memory of 5020	3268	CScript.exe	124
PID 2260 wrote to memory of 1132	2260	RunAsAdmin.exe	130
PID 2260 wrote to memory of 1132	2260	RunAsAdmin.exe	130
PID 2260 wrote to memory of 1132	2260	RunAsAdmin.exe	130
PID 1132 wrote to memory of 4276	1132	CScript.exe	132
PID 1132 wrote to memory of 4276	1132	CScript.exe	132
PID 1132 wrote to memory of 4276	1132	CScript.exe	132
PID 2260 wrote to memory of 1968	2260	RunAsAdmin.exe	134
PID 2260 wrote to memory of 1968	2260	RunAsAdmin.exe	134
PID 2260 wrote to memory of 1968	2260	RunAsAdmin.exe	134
PID 1968 wrote to memory of 3644	1968	CScript.exe	136
PID 1968 wrote to memory of 3644	1968	CScript.exe	136
PID 1968 wrote to memory of 3644	1968	CScript.exe	136
PID 2260 wrote to memory of 4488	2260	RunAsAdmin.exe	139
PID 2260 wrote to memory of 4488	2260	RunAsAdmin.exe	139
PID 2260 wrote to memory of 4488	2260	RunAsAdmin.exe	139
PID 4488 wrote to memory of 1644	4488	CScript.exe	141
PID 4488 wrote to memory of 1644	4488	CScript.exe	141
PID 4488 wrote to memory of 1644	4488	CScript.exe	141
PID 2260 wrote to memory of 4416	2260	RunAsAdmin.exe	143
PID 2260 wrote to memory of 4416	2260	RunAsAdmin.exe	143
PID 2260 wrote to memory of 4416	2260	RunAsAdmin.exe	143
PID 4416 wrote to memory of 2728	4416	CScript.exe	145
PID 4416 wrote to memory of 2728	4416	CScript.exe	145
PID 4416 wrote to memory of 2728	4416	CScript.exe	145
PID 2260 wrote to memory of 2184	2260	RunAsAdmin.exe	147
PID 2260 wrote to memory of 2184	2260	RunAsAdmin.exe	147
PID 2260 wrote to memory of 2184	2260	RunAsAdmin.exe	147
PID 2184 wrote to memory of 1340	2184	CScript.exe	149
PID 2184 wrote to memory of 1340	2184	CScript.exe	149
PID 2184 wrote to memory of 1340	2184	CScript.exe	149
PID 2260 wrote to memory of 1524	2260	RunAsAdmin.exe	154
PID 2260 wrote to memory of 1524	2260	RunAsAdmin.exe	154
PID 2260 wrote to memory of 1524	2260	RunAsAdmin.exe	154
PID 1524 wrote to memory of 4968	1524	CScript.exe	156

C:\Users\Admin\AppData\Local\Temp\$TEMP\RunAsAdmin.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\RunAsAdmin.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:4488
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:828
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:4040
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:2016
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:2384
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3268
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:5020
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:4276
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:3644
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:1644
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:2728
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:1340
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:4968
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  PID:412
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:2904
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  PID:2544
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:3680
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  PID:4476
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:5004
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  PID:4960
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:4548
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  PID:4068
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:3968
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  PID:4600
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:4480
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  PID:3636
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:880
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  PID:3508
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:2680
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  PID:2240
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:2072
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  PID:3724
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:1324
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  PID:2400
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:2584
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  PID:2904
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:3968
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  PID:4208
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:4856
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  PID:3484
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:2152
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  PID:1828
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:1076
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  PID:1708
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:4944
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  PID:1932
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:1888
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  PID:216
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:184
- C:\Windows\SysWOW64\CScript.exe
  CScript.exe C:\Users\Admin\AppData\Local\Temp\Temp.vbs
  2⤵
  - Checks computer location settings
  PID:2416
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe" /user:Administrator "C:\Users\Admin\AppData\Local\Temp\Assistant.exe"
    3⤵
    PID:2672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp.vbs

Filesize
182B

MD5
051f734751a1faecf357196db532fe50

SHA1
7ed0052fe35a11c6ebc629cd1421160c91f1489b

SHA256
9fc039664b41ec26ee9fbe38406b0b16a2c5c96dab3c7d87a16e3ed0b7e30592

SHA512
ad7c0578c2e23918c45206d5d4b25822c2017127f009e33628383571245291710b114940e53a6f1d0652f2f7f548f32f2c65e7b3528bdd732b421ca8196d95b0

Download Submit