metasploit | ced3c02a87991cb0112d9b4a7d73e0f00c9a8791de01da3e36e57e4cbd0644da

Analysis

max time kernel
150s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ced3c02a87991cb0112d9b4a7d73e0f00c9a8791de01da3e36e57e4cbd0644da.exe
Size

2.6MB
MD5

2ca30af5c55fea6eb038cbb655a1676c
SHA1

a701d9464df02d1467b2a72557160c7b548206d5
SHA256

ced3c02a87991cb0112d9b4a7d73e0f00c9a8791de01da3e36e57e4cbd0644da
SHA512

fd7f6ae26c87724cff8eda2ae1d655fc0ab433a003989d187215bf7e48ebc5343c30a8accd2aa5ed98df0141a1502eb84ce5c04a9df223970fe4297168ee3e1c
SSDEEP

12288:LJKxMQJjOyjk0OpGiGkHnYoLXFgHAVXqlxcXqkQ9Y7otV94QHN72u16MoCWaGTvH:sMCFdeLy4QHZH1jFWhXwM

Score

10^/10

metasploit backdoor evasion trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies security service 2 TTPs 22 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation	ced3c02a87991cb0112d9b4a7d73e0f00c9a8791de01da3e36e57e4cbd0644da.exe

Executes dropped EXE 23 IoCs

pid	Process
1460	buftemp1.exe
1972	buftemp2.exe
1168	buftemp1.exe
1404	Winextension.exe
3440	Winextension.exe
3004	Winextension.exe
4288	Winextension.exe
5028	Winextension.exe
2584	Winextension.exe
2596	Winextension.exe
3124	Winextension.exe
2344	Winextension.exe
1460	Winextension.exe
2824	Winextension.exe
2164	Winextension.exe
880	Winextension.exe
720	Winextension.exe
1260	Winextension.exe
2244	Winextension.exe
3872	Winextension.exe
4548	Winextension.exe
2200	Winextension.exe
4476	Winextension.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File created	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File opened for modification	C:\Windows\SysWOW64\Winextension.exe	buftemp1.exe
File opened for modification	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File opened for modification	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File created	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File created	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File created	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File opened for modification	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File opened for modification	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File opened for modification	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File opened for modification	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File opened for modification	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File opened for modification	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File created	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File created	C:\Windows\SysWOW64\Winextension.exe	buftemp1.exe
File opened for modification	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File opened for modification	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File opened for modification	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File created	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File opened for modification	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File created	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File opened for modification	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File opened for modification	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File opened for modification	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File opened for modification	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File created	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File created	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File created	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File opened for modification	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File opened for modification	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe
File opened for modification	C:\Windows\SysWOW64\Winextension.exe	Winextension.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 1460 set thread context of 1168	1460	buftemp1.exe	86
PID 1404 set thread context of 3440	1404	Winextension.exe	90
PID 3004 set thread context of 4288	3004	Winextension.exe	94
PID 5028 set thread context of 2584	5028	Winextension.exe	100
PID 2596 set thread context of 3124	2596	Winextension.exe	105
PID 2344 set thread context of 1460	2344	Winextension.exe	109
PID 2824 set thread context of 2164	2824	Winextension.exe	113
PID 880 set thread context of 720	880	Winextension.exe	117
PID 1260 set thread context of 2244	1260	Winextension.exe	121
PID 3872 set thread context of 4548	3872	Winextension.exe	125
PID 2200 set thread context of 4476	2200	Winextension.exe	129

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\buftemp1.exe	ced3c02a87991cb0112d9b4a7d73e0f00c9a8791de01da3e36e57e4cbd0644da.exe
File opened for modification	C:\Windows\buftemp2.exe	ced3c02a87991cb0112d9b4a7d73e0f00c9a8791de01da3e36e57e4cbd0644da.exe
File opened for modification	C:\Windows\buftemp3.exe	ced3c02a87991cb0112d9b4a7d73e0f00c9a8791de01da3e36e57e4cbd0644da.exe
File opened for modification	C:\Windows\buftemp1.exe	buftemp1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 11 IoCs

pid	Process
2296	regedit.exe
328	regedit.exe
2944	regedit.exe
380	regedit.exe
2280	regedit.exe
2636	regedit.exe
4700	regedit.exe
2824	regedit.exe
2836	regedit.exe
3148	regedit.exe
2632	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1168	buftemp1.exe
1168	buftemp1.exe
1168	buftemp1.exe
1168	buftemp1.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe
3440	Winextension.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
380	ced3c02a87991cb0112d9b4a7d73e0f00c9a8791de01da3e36e57e4cbd0644da.exe
1972	buftemp2.exe
1460	buftemp1.exe
1404	Winextension.exe
3004	Winextension.exe
5028	Winextension.exe
2596	Winextension.exe
2344	Winextension.exe
2824	Winextension.exe
880	Winextension.exe
1260	Winextension.exe
3872	Winextension.exe
2200	Winextension.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 1460	380	ced3c02a87991cb0112d9b4a7d73e0f00c9a8791de01da3e36e57e4cbd0644da.exe	84
PID 380 wrote to memory of 1460	380	ced3c02a87991cb0112d9b4a7d73e0f00c9a8791de01da3e36e57e4cbd0644da.exe	84
PID 380 wrote to memory of 1460	380	ced3c02a87991cb0112d9b4a7d73e0f00c9a8791de01da3e36e57e4cbd0644da.exe	84
PID 380 wrote to memory of 1972	380	ced3c02a87991cb0112d9b4a7d73e0f00c9a8791de01da3e36e57e4cbd0644da.exe	85
PID 380 wrote to memory of 1972	380	ced3c02a87991cb0112d9b4a7d73e0f00c9a8791de01da3e36e57e4cbd0644da.exe	85
PID 380 wrote to memory of 1972	380	ced3c02a87991cb0112d9b4a7d73e0f00c9a8791de01da3e36e57e4cbd0644da.exe	85
PID 1460 wrote to memory of 1168	1460	buftemp1.exe	86
PID 1460 wrote to memory of 1168	1460	buftemp1.exe	86
PID 1460 wrote to memory of 1168	1460	buftemp1.exe	86
PID 1460 wrote to memory of 1168	1460	buftemp1.exe	86
PID 1460 wrote to memory of 1168	1460	buftemp1.exe	86
PID 1460 wrote to memory of 1168	1460	buftemp1.exe	86
PID 1460 wrote to memory of 1168	1460	buftemp1.exe	86
PID 1460 wrote to memory of 1168	1460	buftemp1.exe	86
PID 1460 wrote to memory of 1168	1460	buftemp1.exe	86
PID 1460 wrote to memory of 1168	1460	buftemp1.exe	86
PID 1168 wrote to memory of 4916	1168	buftemp1.exe	87
PID 1168 wrote to memory of 4916	1168	buftemp1.exe	87
PID 1168 wrote to memory of 4916	1168	buftemp1.exe	87
PID 4916 wrote to memory of 2280	4916	cmd.exe	88
PID 4916 wrote to memory of 2280	4916	cmd.exe	88
PID 4916 wrote to memory of 2280	4916	cmd.exe	88
PID 1168 wrote to memory of 1404	1168	buftemp1.exe	89
PID 1168 wrote to memory of 1404	1168	buftemp1.exe	89
PID 1168 wrote to memory of 1404	1168	buftemp1.exe	89
PID 1404 wrote to memory of 3440	1404	Winextension.exe	90
PID 1404 wrote to memory of 3440	1404	Winextension.exe	90
PID 1404 wrote to memory of 3440	1404	Winextension.exe	90
PID 1404 wrote to memory of 3440	1404	Winextension.exe	90
PID 1404 wrote to memory of 3440	1404	Winextension.exe	90
PID 1404 wrote to memory of 3440	1404	Winextension.exe	90
PID 1404 wrote to memory of 3440	1404	Winextension.exe	90
PID 1404 wrote to memory of 3440	1404	Winextension.exe	90
PID 1404 wrote to memory of 3440	1404	Winextension.exe	90
PID 1404 wrote to memory of 3440	1404	Winextension.exe	90
PID 3440 wrote to memory of 3120	3440	Winextension.exe	91
PID 3440 wrote to memory of 3120	3440	Winextension.exe	91
PID 3440 wrote to memory of 3120	3440	Winextension.exe	91
PID 3120 wrote to memory of 2636	3120	cmd.exe	92
PID 3120 wrote to memory of 2636	3120	cmd.exe	92
PID 3120 wrote to memory of 2636	3120	cmd.exe	92
PID 3440 wrote to memory of 3004	3440	Winextension.exe	93
PID 3440 wrote to memory of 3004	3440	Winextension.exe	93
PID 3440 wrote to memory of 3004	3440	Winextension.exe	93
PID 3004 wrote to memory of 4288	3004	Winextension.exe	94
PID 3004 wrote to memory of 4288	3004	Winextension.exe	94
PID 3004 wrote to memory of 4288	3004	Winextension.exe	94
PID 3004 wrote to memory of 4288	3004	Winextension.exe	94
PID 3004 wrote to memory of 4288	3004	Winextension.exe	94
PID 3004 wrote to memory of 4288	3004	Winextension.exe	94
PID 3004 wrote to memory of 4288	3004	Winextension.exe	94
PID 3004 wrote to memory of 4288	3004	Winextension.exe	94
PID 3004 wrote to memory of 4288	3004	Winextension.exe	94
PID 3004 wrote to memory of 4288	3004	Winextension.exe	94
PID 4288 wrote to memory of 2760	4288	Winextension.exe	95
PID 4288 wrote to memory of 2760	4288	Winextension.exe	95
PID 4288 wrote to memory of 2760	4288	Winextension.exe	95
PID 2760 wrote to memory of 2836	2760	cmd.exe	96
PID 2760 wrote to memory of 2836	2760	cmd.exe	96
PID 2760 wrote to memory of 2836	2760	cmd.exe	96
PID 4288 wrote to memory of 5028	4288	Winextension.exe	99
PID 4288 wrote to memory of 5028	4288	Winextension.exe	99
PID 4288 wrote to memory of 5028	4288	Winextension.exe	99
PID 5028 wrote to memory of 2584	5028	Winextension.exe	100

C:\Users\Admin\AppData\Local\Temp\ced3c02a87991cb0112d9b4a7d73e0f00c9a8791de01da3e36e57e4cbd0644da.exe
"C:\Users\Admin\AppData\Local\Temp\ced3c02a87991cb0112d9b4a7d73e0f00c9a8791de01da3e36e57e4cbd0644da.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:380
- C:\Windows\buftemp1.exe
  "C:\Windows\buftemp1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\buftemp1.exe
    C:\Windows\buftemp1.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\a.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4916
    - - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        5⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2280
  - - C:\Windows\SysWOW64\Winextension.exe
      C:\Windows\system32\Winextension.exe 1040 "C:\Windows\buftemp1.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1404
    - - C:\Windows\SysWOW64\Winextension.exe
        
        C:\Windows\SysWOW64\Winextension.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3440
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        7⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2636
      - C:\Windows\SysWOW64\Winextension.exe
        
        C:\Windows\system32\Winextension.exe 1732 "C:\Windows\SysWOW64\Winextension.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Winextension.exe
        
        C:\Windows\SysWOW64\Winextension.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        9⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2836
        
        C:\Windows\SysWOW64\Winextension.exe
        
        C:\Windows\system32\Winextension.exe 1704 "C:\Windows\SysWOW64\Winextension.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Winextension.exe
        
        C:\Windows\SysWOW64\Winextension.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        10⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        11⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:4700
        
        C:\Windows\SysWOW64\Winextension.exe
        
        C:\Windows\system32\Winextension.exe 1704 "C:\Windows\SysWOW64\Winextension.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2596
        
        C:\Windows\SysWOW64\Winextension.exe
        
        C:\Windows\SysWOW64\Winextension.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        12⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        13⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:3148
        
        C:\Windows\SysWOW64\Winextension.exe
        
        C:\Windows\system32\Winextension.exe 1704 "C:\Windows\SysWOW64\Winextension.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2344
        
        C:\Windows\SysWOW64\Winextension.exe
        
        C:\Windows\SysWOW64\Winextension.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        14⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        15⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2632
        
        C:\Windows\SysWOW64\Winextension.exe
        
        C:\Windows\system32\Winextension.exe 1704 "C:\Windows\SysWOW64\Winextension.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2824
        
        C:\Windows\SysWOW64\Winextension.exe
        
        C:\Windows\SysWOW64\Winextension.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        16⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        17⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2296
        
        C:\Windows\SysWOW64\Winextension.exe
        
        C:\Windows\system32\Winextension.exe 1704 "C:\Windows\SysWOW64\Winextension.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:880
        
        C:\Windows\SysWOW64\Winextension.exe
        
        C:\Windows\SysWOW64\Winextension.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        18⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        19⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:328
        
        C:\Windows\SysWOW64\Winextension.exe
        
        C:\Windows\system32\Winextension.exe 1700 "C:\Windows\SysWOW64\Winextension.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1260
        
        C:\Windows\SysWOW64\Winextension.exe
        
        C:\Windows\SysWOW64\Winextension.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        20⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        21⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2824
        
        C:\Windows\SysWOW64\Winextension.exe
        
        C:\Windows\system32\Winextension.exe 1696 "C:\Windows\SysWOW64\Winextension.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3872
        
        C:\Windows\SysWOW64\Winextension.exe
        
        C:\Windows\SysWOW64\Winextension.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        22⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        23⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2944
        
        C:\Windows\SysWOW64\Winextension.exe
        
        C:\Windows\system32\Winextension.exe 1696 "C:\Windows\SysWOW64\Winextension.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2200
        
        C:\Windows\SysWOW64\Winextension.exe
        
        C:\Windows\SysWOW64\Winextension.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        24⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        25⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:380
- C:\Windows\buftemp2.exe
  "C:\Windows\buftemp2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
f1cbbc2ce0d93c45a92edcc86780e9f0

SHA1
d893306caae2584cdeba4c80c3bfe18548fa227a

SHA256
6646122747280612f7cb0e88c16544e472aae7c20217b711bbee8f10562e49c7

SHA512
b4ba834ab846d1dc9bbeca52e54705cdbf010687a5c1c54a82fddc15c64025528ef874213a59d1be5fb7ada7abd0862235a0c924f10819fbbfb36bd2ba29adf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
6dd7ad95427e77ae09861afd77104775

SHA1
81c2ffe8c63e71f013a07e5794473b60f50c0716

SHA256
8eb7ba2c4ca558bb764f1db1ea0da16c08791a79e995704e5c1b9f3e855008c2

SHA512
171d8a96006ea9ff2655af49bd3bfc4702ba8573b3e6f93237ee52e0be68dd09e123495f9fbda9ff69d03fe843d9306798cae6c156202d48b8d021722eedc7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
82fb85e6f9058c36d57abc2350ffee7e

SHA1
f52708d066380d42924513f697ab4ed5492f78b8

SHA256
0696a5c075674c13128a61fd02c3be39c68860dc24f3669415817d03c75415c6

SHA512
27c84e21ed39cc0ff6377d717b99ee444867eba7a74b878b30c8a7ec7df97003f02963399020abe09a73f4b6949c75580eb85067412f4ccdacc03e8caf5d966a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
a437192517c26d96c8cee8d5a27dd560

SHA1
f665a3e5e5c141e4527509dffd30b0320aa8df6f

SHA256
d0ec3ddd0503ee6ddae52c33b6c0b8780c73b8f27ca3aadc073f7fa512702e23

SHA512
f9538163b6c41ff5419cb12a9c103c0da5afbfe6237317985d45ff243c4f15ee89a86eab2b4d02cbda1a14596d2f24d3d1cdf05bb3e5fd931fbe9be4b869aa41

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
e78a2688839aaee80b2bfdc4639329c5

SHA1
818a0dd05493b075a9f2eaf063e64d5a653f470a

SHA256
bd056b778b99213f8eb81f452e96f275da92f129457fae23da4e2986cf465a5d

SHA512
2821f753aa03221061be778aa9d5cffaee58fc0e1e712d8021894d91d963a3859e06afd6bd94ca6e23386e513d0be092e7b2e6a53439e14e4cbc75f5ccd97847

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
872656500ddac1ddd91d10aba3a8df96

SHA1
ddf655aea7e8eae37b0a2dd4c8cabaf21cf681fc

SHA256
d6f58d2fbf733d278281af0b9e7732a591cdd752e18a430f76cb7afa806c75f8

SHA512
e7fab32f6f38bde67c8ce7af483216c9965ab62a70aee5c9a9e17aa693c33c67953f817406c1687406977b234d89e62d7feb44757527de5db34e5a61462a0be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
5b77620cb52220f4a82e3551ee0a53a6

SHA1
07d122b8e70ec5887bad4ef8f4d6209df18912d0

SHA256
93ee7aaab4bb8bb1a11aede226bdb7c2ad85197ef5054eb58531c4df35599579

SHA512
9dc2b10a03c87d294903ff3514ca38ce1e85dec66213a7042d31f70fb20d36fed645150c5a6cb6f08c31bdc9f61e7dee2f1737c98aab263c289b09ffa663371c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
614dc91c25423b19711b270e1e5a49ad

SHA1
f66496dcf9047ae934bdc4a65f697be55980b169

SHA256
cd2b70a70c7da79d5136e4268d6c685e81d925b9387b9ed9e1b3189118e2de5e

SHA512
27a8649bb02ab6a67a1f2482662a6c690aefca551eec3575ea9aeee645d318b23d0dc6d5d2db239583ddb5f04ba13d94e5180a184566416291b7180fab0029e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
784B

MD5
5a466127fedf6dbcd99adc917bd74581

SHA1
a2e60b101c8789b59360d95a64ec07d0723c4d38

SHA256
8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84

SHA512
695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
3637baf389a0d79b412adb2a7f1b7d09

SHA1
f4b011a72f59cf98a325f12b7e40ddd0548ccc16

SHA256
835336f5d468ac1d8361f9afbc8e69ff1538c51b0b619d641b4b41dcfaa39cba

SHA512
ea71a49c3673e9ce4f92d0f38441b3bc5b3b9ef6649caa21972648e34b6cec8694fa8fb7fc0ddad1e58f0464e0ba917c4500090a3db3fc07e1d258079c1c2506

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
5002319f56002f8d7ceacecf8672ce25

SHA1
3b26b6801be4768cc7582e29bc93facdf2a74be3

SHA256
f23f4854d17525744e8028db6dde6eb7d5d664b0ee1b08870c9c01b639e0124c

SHA512
8eae0fabc7f5a7e452abacf988a3632874c556af409da5e60c5e529524732b40f22d4e1d860ccceae87642875c819fc8a8120eceaabd25861f920c8c066a9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
c2d6056624c1d37b1baf4445d8705378

SHA1
90c0b48eca9016a7d07248ecdb7b93bf3e2f1a83

SHA256
3c20257f9e5c689af57f1dbfb8106351bf4cdfbbb922cf0beff34a2ca14f5a96

SHA512
d199ce15627b85d75c9c3ec5c91fa15b2f799975034e0bd0526c096f41afea4ff6d191a106f626044fbfae264e2b0f3776fde326fc0c2d0dc8d83de66adc7c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
d5e129352c8dd0032b51f34a2bbecad3

SHA1
a50f8887ad4f6a1eb2dd3c5b807c95a923964a6a

SHA256
ebdaad14508e5ba8d9e794963cf35bd51b7a92b949ebf32deef254ab9cdd6267

SHA512
9a3aa2796657c964f3c3ff07c8891533a740c86e8b0bebb449b5a3e07e1248d0f6608e03d9847caf1c8bff70392d15474f2954349869d92658108515df6831c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
c1e5f93e2bee9ca33872764d8889de23

SHA1
167f65adfc34a0e47cb7de92cc5958ee8905796a

SHA256
8f5276e847b1c6beb572b1eeae20f98784aae11ea2d8f8860adcdb78fd9dca3a

SHA512
482741b0df7bf6e94ba9667892fe12125df30812e21de40fd60dee540922da70ffb6db4a0c0e17346e714d4bb6e49e2d4eca53c0d5194cd888903071c82b8859

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
f8a9a1aa9bab7821d25ae628e6d04f68

SHA1
c3e7a9ccc9805ae94aabfd16e2cb461fde3fae5a

SHA256
76ee7c489d11427af94d0334368ef2ed44df4a74984ffd4022c9ea9fae9c41fb

SHA512
0fb3a29367fa3c3eb36c6a7e9ff217ccdd7cce18309964aa7068a00f500ea4ea49588344ebbc52ae77d83e5042c3fdb84f56fa1dae07b8bb774aed6fffd18c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
5575ef034e791d4d3b09da6c0c4ee764

SHA1
50a0851ddf4b0c4014ad91f976e953baffe30951

SHA256
9697ec584ef188873daa789eb779bb95dd3efa2c4c98a55dffa30cac4d156c14

SHA512
ecf52614d3a16d8e558751c799fde925650ef3e6d254d172217e1b0ed76a983d45b74688616d3e3432a16cec98b986b17eaecd319a18df9a67e4d47f17380756

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
f82bc8865c1f6bf7125563479421f95c

SHA1
65c25d7af3ab1f29ef2ef1fdc67378ac9c82098d

SHA256
f9799dc2afb8128d1925b69fdef1d641f312ed41254dd5f4ac543cf50648a2f6

SHA512
00a9b7798a630779dc30296c3d0fed2589e7e86d6941f4502ea301c5bce2e80a5d8a4916e36183c7064f968b539ae6dac49094b1de3643a1a2fedc83cf558825

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
5e073629d751540b3512a229a7c56baf

SHA1
8d384f06bf3fe00d178514990ae39fc54d4e3941

SHA256
2039732d26af5a0d4db7bda4a781967a0e0e4543dea9838690219e3cb688449e

SHA512
84fc0d818ecd5706904b5918170436820ffc78c894cbe549a4f5b04b5c9832e3d709c98d56c8522b55a98cd9db8ec04aeaa020e9162e8a35503597ca580126fd

Download Submit
C:\Windows\buftemp1.exe

Filesize
1.8MB

MD5
6170bb1a8eb70f2c2f9a1473c004d6af

SHA1
b329b644d02c4a350a3ce600b91cf568e33631d7

SHA256
8cb592d6617e6065f53413f4e2270b2be619083c2365d0b73467550cb23a4421

SHA512
9193130c53adda78c144687308c9e08ef6cd8933c940d96591212173a681d8103751332da8e5c9801760aabce29c1780498f08552892273f33e54d1ca1e4cd89

Download Submit
C:\Windows\buftemp2.exe

Filesize
36KB

MD5
ef835a7dbc2f8c2358e772d4430f5210

SHA1
f0af82f4271abf37ba45ad69c73f8109e4e03a38

SHA256
76dbfc96d9ea63bfa7f716bb599fb8ae4fe9541a2c72f55bf2db7bea450e240f

SHA512
5c141bf6bf29953dfaeb4d67a1efe42894518ba0812dd2422e3b2ce78cfe6d596e001d5c35691f4d352b7d5eca1b49386f9c79cf541f782c72c8da3ddb0fbaff

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
memory/720-819-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1168-28-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1168-141-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1168-31-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1460-648-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2164-689-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2584-425-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2584-401-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3124-526-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3440-250-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4288-303-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4288-279-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download