40d3609e3b05566993450c98a53b3d310ac0da5b2f6a7ce9dae3cff69ddc4f7f

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40d3609e3b05566993450c98a53b3d310ac0da5b2f6a7ce9dae3cff69ddc4f7f.exe
Size

3.9MB
MD5

40c7b28ae79b11198b3be7c7de664f68
SHA1

ef3a6270e75f5d334ba780dd8f7818548b0e6d81
SHA256

40d3609e3b05566993450c98a53b3d310ac0da5b2f6a7ce9dae3cff69ddc4f7f
SHA512

52dc5b17f633c1e2370b7927b9de59dd9afc2f905c1222f786f324cb28d1f983694048701bd9201142e54b107c99832b4af82ea647a389e12a820564b3a71bf2
SSDEEP

98304:EL+TeMMOQ/on3tkX1v2FQ03Le/8Vy5opUi:4+yP/+3tav2K03CEVyeUi

Score

8^/10

discovery evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	40d3609e3b05566993450c98a53b3d310ac0da5b2f6a7ce9dae3cff69ddc4f7f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	ContainerPerf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 14 IoCs

pid	Process
1376	ContainerPerf.exe
2768	lsass.exe
1224	lsass.exe
4760	lsass.exe
388	lsass.exe
4432	lsass.exe
2032	lsass.exe
4992	lsass.exe
3024	lsass.exe
1616	lsass.exe
1240	lsass.exe
4996	lsass.exe
1564	lsass.exe
5016	lsass.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
87	pastebin.com
89	pastebin.com
35	pastebin.com
54	pastebin.com
75	pastebin.com
24	pastebin.com
63	pastebin.com
73	pastebin.com
91	pastebin.com
93	pastebin.com
23	pastebin.com
49	pastebin.com
65	pastebin.com
52	pastebin.com

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Performance\lsass.exe	ContainerPerf.exe
File created	C:\Windows\Performance\6203df4a6bafc7	ContainerPerf.exe
File created	C:\Windows\Web\4K\Wallpaper\Windows\RuntimeBroker.exe	ContainerPerf.exe
File created	C:\Windows\Web\4K\Wallpaper\Windows\9e8d7a4ca61bd9	ContainerPerf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40d3609e3b05566993450c98a53b3d310ac0da5b2f6a7ce9dae3cff69ddc4f7f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4460	PING.EXE
3516	PING.EXE
452	PING.EXE
1184	PING.EXE
4492	PING.EXE
4060	PING.EXE
1928	PING.EXE
944	PING.EXE

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	ContainerPerf.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	40d3609e3b05566993450c98a53b3d310ac0da5b2f6a7ce9dae3cff69ddc4f7f.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	lsass.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3312	reg.exe

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

pid	Process
944	PING.EXE
4460	PING.EXE
3516	PING.EXE
452	PING.EXE
1184	PING.EXE
4492	PING.EXE
4060	PING.EXE
1928	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe
1376	ContainerPerf.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1376	ContainerPerf.exe
Token: SeDebugPrivilege	2768	lsass.exe
Token: SeDebugPrivilege	1224	lsass.exe
Token: SeDebugPrivilege	4760	lsass.exe
Token: SeDebugPrivilege	388	lsass.exe
Token: SeDebugPrivilege	4432	lsass.exe
Token: SeDebugPrivilege	2032	lsass.exe
Token: SeDebugPrivilege	4992	lsass.exe
Token: SeDebugPrivilege	3024	lsass.exe
Token: SeDebugPrivilege	1616	lsass.exe
Token: SeDebugPrivilege	1240	lsass.exe
Token: SeDebugPrivilege	4996	lsass.exe
Token: SeDebugPrivilege	1564	lsass.exe
Token: SeDebugPrivilege	5016	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 3436	4016	40d3609e3b05566993450c98a53b3d310ac0da5b2f6a7ce9dae3cff69ddc4f7f.exe	85
PID 4016 wrote to memory of 3436	4016	40d3609e3b05566993450c98a53b3d310ac0da5b2f6a7ce9dae3cff69ddc4f7f.exe	85
PID 4016 wrote to memory of 3436	4016	40d3609e3b05566993450c98a53b3d310ac0da5b2f6a7ce9dae3cff69ddc4f7f.exe	85
PID 3436 wrote to memory of 4440	3436	WScript.exe	88
PID 3436 wrote to memory of 4440	3436	WScript.exe	88
PID 3436 wrote to memory of 4440	3436	WScript.exe	88
PID 4440 wrote to memory of 3312	4440	cmd.exe	90
PID 4440 wrote to memory of 3312	4440	cmd.exe	90
PID 4440 wrote to memory of 3312	4440	cmd.exe	90
PID 4440 wrote to memory of 1376	4440	cmd.exe	91
PID 4440 wrote to memory of 1376	4440	cmd.exe	91
PID 1376 wrote to memory of 2236	1376	ContainerPerf.exe	92
PID 1376 wrote to memory of 2236	1376	ContainerPerf.exe	92
PID 2236 wrote to memory of 4232	2236	cmd.exe	94
PID 2236 wrote to memory of 4232	2236	cmd.exe	94
PID 2236 wrote to memory of 944	2236	cmd.exe	95
PID 2236 wrote to memory of 944	2236	cmd.exe	95
PID 2236 wrote to memory of 2768	2236	cmd.exe	100
PID 2236 wrote to memory of 2768	2236	cmd.exe	100
PID 2768 wrote to memory of 3060	2768	lsass.exe	102
PID 2768 wrote to memory of 3060	2768	lsass.exe	102
PID 3060 wrote to memory of 1400	3060	cmd.exe	104
PID 3060 wrote to memory of 1400	3060	cmd.exe	104
PID 3060 wrote to memory of 2264	3060	cmd.exe	105
PID 3060 wrote to memory of 2264	3060	cmd.exe	105
PID 3060 wrote to memory of 1224	3060	cmd.exe	108
PID 3060 wrote to memory of 1224	3060	cmd.exe	108
PID 1224 wrote to memory of 2152	1224	lsass.exe	109
PID 1224 wrote to memory of 2152	1224	lsass.exe	109
PID 2152 wrote to memory of 920	2152	cmd.exe	111
PID 2152 wrote to memory of 920	2152	cmd.exe	111
PID 2152 wrote to memory of 2580	2152	cmd.exe	112
PID 2152 wrote to memory of 2580	2152	cmd.exe	112
PID 2152 wrote to memory of 4760	2152	cmd.exe	114
PID 2152 wrote to memory of 4760	2152	cmd.exe	114
PID 4760 wrote to memory of 4496	4760	lsass.exe	116
PID 4760 wrote to memory of 4496	4760	lsass.exe	116
PID 4496 wrote to memory of 2464	4496	cmd.exe	118
PID 4496 wrote to memory of 2464	4496	cmd.exe	118
PID 4496 wrote to memory of 4460	4496	cmd.exe	119
PID 4496 wrote to memory of 4460	4496	cmd.exe	119
PID 4496 wrote to memory of 388	4496	cmd.exe	121
PID 4496 wrote to memory of 388	4496	cmd.exe	121
PID 388 wrote to memory of 3456	388	lsass.exe	122
PID 388 wrote to memory of 3456	388	lsass.exe	122
PID 3456 wrote to memory of 812	3456	cmd.exe	124
PID 3456 wrote to memory of 812	3456	cmd.exe	124
PID 3456 wrote to memory of 3516	3456	cmd.exe	125
PID 3456 wrote to memory of 3516	3456	cmd.exe	125
PID 3456 wrote to memory of 4432	3456	cmd.exe	126
PID 3456 wrote to memory of 4432	3456	cmd.exe	126
PID 4432 wrote to memory of 3892	4432	lsass.exe	127
PID 4432 wrote to memory of 3892	4432	lsass.exe	127
PID 3892 wrote to memory of 5060	3892	cmd.exe	129
PID 3892 wrote to memory of 5060	3892	cmd.exe	129
PID 3892 wrote to memory of 452	3892	cmd.exe	130
PID 3892 wrote to memory of 452	3892	cmd.exe	130
PID 3892 wrote to memory of 2032	3892	cmd.exe	132
PID 3892 wrote to memory of 2032	3892	cmd.exe	132
PID 2032 wrote to memory of 844	2032	lsass.exe	133
PID 2032 wrote to memory of 844	2032	lsass.exe	133
PID 844 wrote to memory of 4736	844	cmd.exe	135
PID 844 wrote to memory of 4736	844	cmd.exe	135
PID 844 wrote to memory of 944	844	cmd.exe	136

C:\Users\Admin\AppData\Local\Temp\40d3609e3b05566993450c98a53b3d310ac0da5b2f6a7ce9dae3cff69ddc4f7f.exe
"C:\Users\Admin\AppData\Local\Temp\40d3609e3b05566993450c98a53b3d310ac0da5b2f6a7ce9dae3cff69ddc4f7f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\mschaincontainerProviderdriver\p5L4tCZskQSKrAp9i73GV6nTpbyIueed5yrdR5MhJJcsf1DbOcdt.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\mschaincontainerProviderdriver\QyeawRlrHW2G8u24NG4SBrEnR4w14yBdhDTq.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3312
  - - C:\mschaincontainerProviderdriver\ContainerPerf.exe
      "C:\mschaincontainerProviderdriver/ContainerPerf.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1376
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MB5jNGMj2h.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2236
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4232
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:944
      - C:\Windows\Performance\lsass.exe
        
        "C:\Windows\Performance\lsass.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\336zK5Rer1.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1400
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2264
        
        C:\Windows\Performance\lsass.exe
        
        "C:\Windows\Performance\lsass.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xDZppRkgYb.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2580
        
        C:\Windows\Performance\lsass.exe
        
        "C:\Windows\Performance\lsass.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SlRmWYpFEV.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4460
        
        C:\Windows\Performance\lsass.exe
        
        "C:\Windows\Performance\lsass.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FxfZ91HAHt.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:812
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3516
        
        C:\Windows\Performance\lsass.exe
        
        "C:\Windows\Performance\lsass.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N21q8QyzlD.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:5060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:452
        
        C:\Windows\Performance\lsass.exe
        
        "C:\Windows\Performance\lsass.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eDex15ELeP.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:944
        
        C:\Windows\Performance\lsass.exe
        
        "C:\Windows\Performance\lsass.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YwaRxMoVB5.bat"
        19⤵
        
        PID:848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1184
        
        C:\Windows\Performance\lsass.exe
        
        "C:\Windows\Performance\lsass.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\otOQMG40sM.bat"
        21⤵
        
        PID:1916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1072
        
        C:\Windows\Performance\lsass.exe
        
        "C:\Windows\Performance\lsass.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jAyUy8CkP5.bat"
        23⤵
        
        PID:1956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:5000
        
        C:\Windows\Performance\lsass.exe
        
        "C:\Windows\Performance\lsass.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SlRmWYpFEV.bat"
        25⤵
        
        PID:3516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2484
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4492
        
        C:\Windows\Performance\lsass.exe
        
        "C:\Windows\Performance\lsass.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qM3gKm3hFC.bat"
        27⤵
        
        PID:4988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4060
        
        C:\Windows\Performance\lsass.exe
        
        "C:\Windows\Performance\lsass.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jAyUy8CkP5.bat"
        29⤵
        
        PID:3120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:1452
        
        C:\Windows\Performance\lsass.exe
        
        "C:\Windows\Performance\lsass.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RXbe2nqO2a.bat"
        31⤵
        
        PID:4004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
2KB

MD5
1d198b4ace1f57fcd7f25e3b8be8cbe2

SHA1
c48c87efe7dc22d5736312d3f988d0927780325a

SHA256
3d20583eb249ae6f3404199372d06476820696c9696061a6a15d9b9f74b2187d

SHA512
0e31194169ec58281dc746f74ad242754518ec17ba9068858e9be05439612f00576f2f41eaff962d7e4ff28785dc65f48b8ab71d0ce267f1f5d3a15d6c73cfc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\336zK5Rer1.bat

Filesize
208B

MD5
5f5f4b024988c0e3a6cecf6e8b88987e

SHA1
b994019e8f14dd4528059d7ac6689daafbd274cf

SHA256
8816ed700d0a31820e687b6b35c8c65884347227cf5d8f7d68c00375b1607f46

SHA512
82e0effc4b42bf26056c634dafc2f1c69909899f69a630b1c896489439ff9bbf7c3fe85c71f3c257a7855b430aae201d48ea8fc29b22ca64ce0e4bef2b40e7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\FxfZ91HAHt.bat

Filesize
160B

MD5
4a77e7b21cbf1bac68d686415f222d05

SHA1
534ce0cc1f1748f29325b98941599218789d63d1

SHA256
1bff2cd93f00d483e0169667f51b44e96b96beff9b45a74b99eb08d264ddddc6

SHA512
e3e4ea2d336c71067133feae2e52d7d989eae55e9cf49118d1ae5d5a41bd999f8cb3e24e0c25a6ec8ad9c0d01596402f0c7642ec794fbe768b5929eeb5e0ac48

Download Submit
C:\Users\Admin\AppData\Local\Temp\MB5jNGMj2h.bat

Filesize
160B

MD5
5dfd257ee1796cf7f7a26fef1adede89

SHA1
68519e438d4c8a36ab1e18fc197d99e4897de216

SHA256
6a36be9afa50bee5489d40c5bf555aa3237ce56f2078a18c5a8154013f2ac473

SHA512
26765068b66645d64a1402c89d83671ebe04c69e869e4a67548e9c2392b63f2f4fe38b5b1088eb9da68a264bd7e9b7a0a9f491dd40c102114f10b2e6d9180f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\N21q8QyzlD.bat

Filesize
160B

MD5
3dbed6e06fa01ec851276a4402f8db30

SHA1
7c6eefcec19c88542c8e912c9f5d45976f787dfb

SHA256
a33f4089360ec29cde64e5d927f4cb62fac2506255693c30bdc88492408f740a

SHA512
1c7fa5a5140f5329b51f1bedac006aeeed7efe55f982064cbbeb736644913575ccbf332a0ff3f16e0ceea23b9f1efc7b98e20b52fb8abdaef176e6954e5dca46

Download Submit
C:\Users\Admin\AppData\Local\Temp\RXbe2nqO2a.bat

Filesize
160B

MD5
39931569912a9a8edd0946aef20db48e

SHA1
4c8999bd51013b19d55326b7d63d18e5ef0cd9ce

SHA256
f16c9567b7535e55585105ea4cd786f7493c383e7e60cc863b8aba3e3a0c1605

SHA512
c8a56d82c9f05ad3ecf4d5d86612e7cb834c7eb25f268498f44977149415e7281be3cacc2ae24c2f611bde4db9ce9eeb4719affb753b9345571778814ccd02d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SlRmWYpFEV.bat

Filesize
160B

MD5
0785292161acf58a7d1363f27cfeffe7

SHA1
19f9c6d46f1a5c12f7b01cc3a1f9cc2ddb76271e

SHA256
dffa078687b29c4cd9bacb182dd2dc4b42ca521ff3a4e405f744179fb4b99456

SHA512
659d3363a309a4520623b3ea8f9cc2e9e2104021d84570ad8cb016a76984396f423964c84c7f3798e75ef32ba640935f3bb8b089c8a3c5cf3bc93f9d659a021e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwaRxMoVB5.bat

Filesize
160B

MD5
37c4cb4c3a726a278f4d86eda312717f

SHA1
c94773da22d43e20d7c6c29587d27a47675dc33a

SHA256
3534e8a83d5e0e1f6935d737b49f2766b5a2f78c6990be3975e9a756e3034c11

SHA512
8e9e5584ccf3f676073fbbdc616762acfd11a9923c58b7e4984113e94a6e191d72bc4ef3124ffbb5840e6152fc736ce36fba52efc2418ee7d3acde7ae57c151c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eDex15ELeP.bat

Filesize
208B

MD5
70cff2e4fe52354b6034c02dea1902d5

SHA1
82ea8c98edd1c65f6e4654a09ecd30ed8e1722de

SHA256
db6f7b4c8234015e67d774d8af1eceb9da4568a8cd72c8dbae02a64f69dd2923

SHA512
8a42cb2042e0daba40333525ffe08b0b45f2197b16ad6eafe6a6c8e8f84861fc95f5605b4346dabaf27539070d0f93a34830a8c3d830c777e98d21c67ed86bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jAyUy8CkP5.bat

Filesize
208B

MD5
f60447077c1e97c3747fafb5110ff99e

SHA1
1e6dfec3c4b04bdc08833abf5a99be5c4e18dcb9

SHA256
4670fd1c8dd1d94f1e085b207d0718f16c19bee43a69b933496260249524abe6

SHA512
dab929f728079893ef85fe9bffd6858085e682d933bc385795354f057d84915e1b8685c8b73bd86e19b5dd655d68b80739c8e207e2847ba6a2ca87ab902c5b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\otOQMG40sM.bat

Filesize
208B

MD5
865b0a915bee729ba297b5012bbdf547

SHA1
e9cfdbb6d6e8738399a87203cb24055d726a44f8

SHA256
fb6c309b677da36fc21fb652e4a4da35c3f12e5d7ff9cb73e643e657687c4bfb

SHA512
9f6b40618983523a9d91d92845ca5db8c42c6e86f039558ac9872b586721882f6d6cf3d185a84059634b3300ca2034a49292d0bbafd6b3050153e2b8b203f397

Download Submit
C:\Users\Admin\AppData\Local\Temp\qM3gKm3hFC.bat

Filesize
160B

MD5
b07c551677aaeb73d3e7caaebb66e7c2

SHA1
34c93387482d2fa393804feaef872c5e9216cd86

SHA256
e46d1f6df89940a1f141aa55b48c0770460762bd88bf81f5fb3ec57bcec4c4eb

SHA512
fe548d081fa5b5c67bd50f2e94e21ae21181649cb5284fa553225d2c7c36ed8f69c35ab15583e49318bb22feff08f46860d8730bccde058d9875b85eb01275c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xDZppRkgYb.bat

Filesize
208B

MD5
3510dd6bff67d5adca5a6f6cc72fe108

SHA1
452f972e9075d9e5294bb42466cf368c74a25398

SHA256
84f8078bbbe9f43e49b690342dca2727c5552238294b7b825d51794e804263d7

SHA512
1f40fa2b33aab54e57b8ea1f07fba06da5a01e93f9e8908de7c0901c59fd20eab48283e47c647678425ad6de8b5164fcd133e9745a004abccec5b2a4043b5ae8

Download Submit
C:\mschaincontainerProviderdriver\ContainerPerf.exe

Filesize
3.7MB

MD5
6185ea8036d5aa44c2919566858cfeae

SHA1
206ce3b84d8427c010191f317371aceb00c410f6

SHA256
c807156a66ce066352e4fc3e6538eabf623a4c5546c27fa998ab9a95f858be17

SHA512
a6465963ee9e8dd18cd010eb55c39a6e320c465eed1090c63af6b6ed3de1865370d802f6f2e8df8200ead06a0acd6e4e48035783212244e9684a2413b4e605e4

Download Submit
C:\mschaincontainerProviderdriver\QyeawRlrHW2G8u24NG4SBrEnR4w14yBdhDTq.bat

Filesize
201B

MD5
40d7188fe8d29e0f457d9e2e78488a38

SHA1
0e98fa35202e227c6cac8d35ea86d62e37069e5e

SHA256
2cfe393f5c596ce1801d783fc260c657a7637da6d5828acc34d5dcefcc8b850d

SHA512
57cc20264eee8edcfbaaece38a909dafe3bb41abfe423ee6d698d89bce80ce9fc137186e37b03abecdc4447494188c0bc1e04861a8219c9dc375893cc6cdda9f

Download Submit
C:\mschaincontainerProviderdriver\p5L4tCZskQSKrAp9i73GV6nTpbyIueed5yrdR5MhJJcsf1DbOcdt.vbe

Filesize
244B

MD5
bda640ef3524c0357ec9fb8a6aa807ce

SHA1
8461b1ebc21ef92a235f44ba3e8e27875ed5bf03

SHA256
a6d4a7417bf93799852f65eda82a632c9787d3cd5827280b5bd37efdd46341fb

SHA512
ef804407ef57472b351d9adbcc71064e7ba7817c58e042a1d92e092e3acd1ed12810aa51216649984693d3d3ee5c431a0176fa238fc7c246e9edbb28e1f4c27f

Download Submit
memory/1376-27-0x000000001B7C0000-0x000000001B7D0000-memory.dmp

Filesize
64KB

Download
memory/1376-58-0x000000001CC50000-0x000000001CC60000-memory.dmp

Filesize
64KB

Download
memory/1376-41-0x000000001CBF0000-0x000000001CC06000-memory.dmp

Filesize
88KB

Download
memory/1376-43-0x000000001CC10000-0x000000001CC22000-memory.dmp

Filesize
72KB

Download
memory/1376-46-0x000000001CBA0000-0x000000001CBAE000-memory.dmp

Filesize
56KB

Download
memory/1376-50-0x000000001CBE0000-0x000000001CBF0000-memory.dmp

Filesize
64KB

Download
memory/1376-54-0x000000001CCA0000-0x000000001CCFA000-memory.dmp

Filesize
360KB

Download
memory/1376-52-0x000000001CC30000-0x000000001CC40000-memory.dmp

Filesize
64KB

Download
memory/1376-48-0x000000001CBD0000-0x000000001CBDC000-memory.dmp

Filesize
48KB

Download
memory/1376-44-0x000000001D160000-0x000000001D688000-memory.dmp

Filesize
5.2MB

Download
memory/1376-56-0x000000001CC40000-0x000000001CC4E000-memory.dmp

Filesize
56KB

Download
memory/1376-60-0x000000001CC60000-0x000000001CC68000-memory.dmp

Filesize
32KB

Download
memory/1376-64-0x000000001CF00000-0x000000001CF18000-memory.dmp

Filesize
96KB

Download
memory/1376-66-0x000000001CF70000-0x000000001CFBE000-memory.dmp

Filesize
312KB

Download
memory/1376-62-0x000000001CC70000-0x000000001CC7E000-memory.dmp

Filesize
56KB

Download
memory/1376-39-0x000000001CB90000-0x000000001CBA0000-memory.dmp

Filesize
64KB

Download
memory/1376-37-0x000000001B870000-0x000000001B87C000-memory.dmp

Filesize
48KB

Download
memory/1376-35-0x000000001CBB0000-0x000000001CBC2000-memory.dmp

Filesize
72KB

Download
memory/1376-33-0x000000001B860000-0x000000001B86E000-memory.dmp

Filesize
56KB

Download
memory/1376-31-0x000000001B850000-0x000000001B85E000-memory.dmp

Filesize
56KB

Download
memory/1376-29-0x000000001B840000-0x000000001B84E000-memory.dmp

Filesize
56KB

Download
memory/1376-25-0x000000001B7B0000-0x000000001B7C0000-memory.dmp

Filesize
64KB

Download
memory/1376-23-0x000000001B820000-0x000000001B838000-memory.dmp

Filesize
96KB

Download
memory/1376-21-0x000000001B7A0000-0x000000001B7B0000-memory.dmp

Filesize
64KB

Download
memory/1376-19-0x000000001CB40000-0x000000001CB90000-memory.dmp

Filesize
320KB

Download
memory/1376-18-0x000000001B800000-0x000000001B81C000-memory.dmp

Filesize
112KB

Download
memory/1376-16-0x0000000002C60000-0x0000000002C6E000-memory.dmp

Filesize
56KB

Download
memory/1376-14-0x000000001B7D0000-0x000000001B7F6000-memory.dmp

Filesize
152KB

Download
memory/1376-12-0x00000000007F0000-0x0000000000B9E000-memory.dmp

Filesize
3.7MB

Download