741fc8882114d576c049e5a0e830282ae99b39df35cb5a090bf0e8f4b5ddb353

Analysis

max time kernel
65s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FRST64.exe
Size

2.3MB
MD5

42f626b952be10e6f0826631431fc2dd
SHA1

c0f1ba2f53ea222581be47b6a1ca3f2efe9e7507
SHA256

741fc8882114d576c049e5a0e830282ae99b39df35cb5a090bf0e8f4b5ddb353
SHA512

9571e11f179b928ea41c7c24512ae6536154dca42eb32d658ae55a0a49956b42933f23c0860f9f58cd1e57f08421becbd8d6107b9afd55da41b3c80e20a640df
SSDEEP

49152:o2EYTb8atv1orq+pEiSDTj1VyvBaj3jnE/ImdPFRgiYhFE94Ik0ZD5FJ9X+:tXbIrqtnDmdPFRTY73IRZD5FLX

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FRST64.exe

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
2740	bcdedit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	FRST64.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	FRST64.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	FRST64.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	FRST64.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	FRST64.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Identifier	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Configuration Data	FRST64.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	FRST64.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	FRST64.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	FRST64.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Capabilities	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Identifier	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	FRST64.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	FRST64.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	FRST64.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BootArchitecture	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	FRST64.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	FRST64.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Component Information	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Component Information	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	FRST64.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Configuration Data	FRST64.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	FRST64.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	FRST64.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Configuration Data	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	FRST64.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	FRST64.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Configuration Data	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	FRST64.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Configuration Data	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	FRST64.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	FRST64.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Component Information	FRST64.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\PreferredProfile	FRST64.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel=impersonate}!\root\cimv2	FRST64.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel=impersonate}!\root\cimv2:Win32_ShadowCopy	FRST64.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4000	FRST64.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeBackupPrivilege	2740	bcdedit.exe
Token: SeRestorePrivilege	2740	bcdedit.exe
Token: SeRestorePrivilege	2740	bcdedit.exe
Token: SeRestorePrivilege	2740	bcdedit.exe
Token: SeBackupPrivilege	4652	vssvc.exe
Token: SeRestorePrivilege	4652	vssvc.exe
Token: SeAuditPrivilege	4652	vssvc.exe
Token: SeRestorePrivilege	4000	FRST64.exe
Token: SeBackupPrivilege	4000	FRST64.exe
Token: SeRestorePrivilege	3532	reg.exe
Token: SeRestorePrivilege	2016	reg.exe
Token: SeRestorePrivilege	2544	reg.exe
Token: SeRestorePrivilege	4260	reg.exe
Token: SeRestorePrivilege	3464	reg.exe
Token: SeRestorePrivilege	1404	reg.exe
Token: SeRestorePrivilege	1592	reg.exe
Token: SeRestorePrivilege	3128	reg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe
4000	FRST64.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 216	4000	FRST64.exe	85
PID 4000 wrote to memory of 216	4000	FRST64.exe	85
PID 4000 wrote to memory of 2688	4000	FRST64.exe	87
PID 4000 wrote to memory of 2688	4000	FRST64.exe	87
PID 2688 wrote to memory of 2740	2688	cmd.exe	89
PID 2688 wrote to memory of 2740	2688	cmd.exe	89
PID 4000 wrote to memory of 1896	4000	FRST64.exe	94
PID 4000 wrote to memory of 1896	4000	FRST64.exe	94
PID 1896 wrote to memory of 3532	1896	cmd.exe	96
PID 1896 wrote to memory of 3532	1896	cmd.exe	96
PID 4000 wrote to memory of 4644	4000	FRST64.exe	97
PID 4000 wrote to memory of 4644	4000	FRST64.exe	97
PID 4644 wrote to memory of 2016	4644	cmd.exe	99
PID 4644 wrote to memory of 2016	4644	cmd.exe	99
PID 4000 wrote to memory of 5036	4000	FRST64.exe	100
PID 4000 wrote to memory of 5036	4000	FRST64.exe	100
PID 5036 wrote to memory of 2544	5036	cmd.exe	102
PID 5036 wrote to memory of 2544	5036	cmd.exe	102
PID 4000 wrote to memory of 4004	4000	FRST64.exe	103
PID 4000 wrote to memory of 4004	4000	FRST64.exe	103
PID 4004 wrote to memory of 4260	4004	cmd.exe	105
PID 4004 wrote to memory of 4260	4004	cmd.exe	105
PID 4000 wrote to memory of 1200	4000	FRST64.exe	106
PID 4000 wrote to memory of 1200	4000	FRST64.exe	106
PID 1200 wrote to memory of 3464	1200	cmd.exe	108
PID 1200 wrote to memory of 3464	1200	cmd.exe	108
PID 4000 wrote to memory of 1748	4000	FRST64.exe	109
PID 4000 wrote to memory of 1748	4000	FRST64.exe	109
PID 1748 wrote to memory of 1404	1748	cmd.exe	111
PID 1748 wrote to memory of 1404	1748	cmd.exe	111
PID 4000 wrote to memory of 3536	4000	FRST64.exe	112
PID 4000 wrote to memory of 3536	4000	FRST64.exe	112
PID 3536 wrote to memory of 1592	3536	cmd.exe	114
PID 3536 wrote to memory of 1592	3536	cmd.exe	114
PID 4000 wrote to memory of 4896	4000	FRST64.exe	115
PID 4000 wrote to memory of 4896	4000	FRST64.exe	115
PID 4896 wrote to memory of 3128	4896	cmd.exe	117
PID 4896 wrote to memory of 3128	4896	cmd.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\FRST64.exe
"C:\Users\Admin\AppData\Local\Temp\FRST64.exe"
1⤵
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /u /c echo 2
  2⤵
  PID:216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\system32\bcdedit.exe
    C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
    3⤵
    - Modifies boot configuration data using bcdedit
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\SOFTWARE
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\system32\reg.exe
    reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\SOFTWARE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\SYSTEM
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\system32\reg.exe
    reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\SYSTEM
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\SAM
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\system32\reg.exe
    reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\SAM
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\DEFAULT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\system32\reg.exe
    reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\DEFAULT
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\SECURITY
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\system32\reg.exe
    reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\SECURITY
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\COMPONENTS
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\system32\reg.exe
    reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\COMPONENTS
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\NTUSER.DAT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3536
- - C:\Windows\system32\reg.exe
    reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\NTUSER.DAT
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\UsrClass.dat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\system32\reg.exe
    reg load hklm\e0Tk1Mv4Tb0E C:\FRST\u1Mk1Tn3At0\UsrClass.dat
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3128

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FRST\u1Mk1Tn3At0\NTUSER.DAT

Filesize
2.0MB

MD5
04aabf833b396be894992874fcd3f792

SHA1
3b07209b1ff5bfa57d1470e90f4b7b731c5eef44

SHA256
44dfa555a362250d940b5772ecf09194d3315757b7574c387822fd9c0fc8544b

SHA512
0d906c0396afeb11863cd22c7dca8532e2c6a1c4462e24862da51a5a1d6d84eae92fd146a336eb107ecbde9315ad5c59993695f8c2cfa4952f72701589d889d6

Download Submit
C:\FRST\u1Mk1Tn3At0\UsrClass.dat

Filesize
4.0MB

MD5
d7ac57df88bc9c42b6e5decaf213021d

SHA1
9e1431be1ea30107d8bf7097a9bbd1639fadf194

SHA256
d8c940a916764351b2ef18906bb680081ea002ddad2a3c635fe89df607081974

SHA512
0676175ac266487533e18b715ea812e8f93eaaca3b3e5840180a3fef66b36dc8cfd0ff47686d43e79d0bfcf8d1ad32054aae7390964e2147de519d4bef20e141

Download Submit