gh0strat | 9a55ea1d7a3e272dd2f1ca2b32637b14c5a6e9eb24847737b4eb550d26c15343

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-08-2024 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MenuDem11.exe
Size

11.4MB
MD5

db05b9934b55521c717ed19c77d6220e
SHA1

d966970973e65dee17ff0f9c5f75912e81ac6cbb
SHA256

9a55ea1d7a3e272dd2f1ca2b32637b14c5a6e9eb24847737b4eb550d26c15343
SHA512

053e485da17ab57915f9f78731700a75b68123df36a62c369cb5eac13aa728854feb61f18f6a449eeb6913b26cbf55551f29ef7547384a8d890fc3cf6e5cf882
SSDEEP

6144:T292wmo8R56EAkR9+PUblAmRN494GBoI+rQgz4mCJp2GwR1d:M2wmoxEV9+slAmr4eGBoZsgRh

Score

10^/10

gh0strat purplefox discovery rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 5 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/2992-7-0x00000000040B0000-0x0000000004254000-memory.dmp	purplefox_rootkit
behavioral2/memory/2992-8-0x00000000040B0000-0x0000000004254000-memory.dmp	purplefox_rootkit
behavioral2/memory/2992-14-0x00000000040B0000-0x0000000004254000-memory.dmp	purplefox_rootkit
behavioral2/memory/2992-50-0x0000000003F70000-0x00000000040A8000-memory.dmp	purplefox_rootkit
behavioral2/memory/2992-53-0x00000000040B0000-0x0000000004254000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral2/memory/2992-6-0x0000000003F70000-0x00000000040A8000-memory.dmp	family_gh0strat
behavioral2/memory/2992-7-0x00000000040B0000-0x0000000004254000-memory.dmp	family_gh0strat
behavioral2/memory/2992-8-0x00000000040B0000-0x0000000004254000-memory.dmp	family_gh0strat
behavioral2/memory/2992-14-0x00000000040B0000-0x0000000004254000-memory.dmp	family_gh0strat
behavioral2/memory/2992-50-0x0000000003F70000-0x00000000040A8000-memory.dmp	family_gh0strat
behavioral2/memory/2992-53-0x00000000040B0000-0x0000000004254000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Downloads MZ/PE file

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	MenuDem11.exe
File opened (read-only)	\??\M:	MenuDem11.exe
File opened (read-only)	\??\R:	MenuDem11.exe
File opened (read-only)	\??\S:	MenuDem11.exe
File opened (read-only)	\??\V:	MenuDem11.exe
File opened (read-only)	\??\K:	MenuDem11.exe
File opened (read-only)	\??\Q:	MenuDem11.exe
File opened (read-only)	\??\W:	MenuDem11.exe
File opened (read-only)	\??\Y:	MenuDem11.exe
File opened (read-only)	\??\X:	MenuDem11.exe
File opened (read-only)	\??\Z:	MenuDem11.exe
File opened (read-only)	\??\B:	MenuDem11.exe
File opened (read-only)	\??\I:	MenuDem11.exe
File opened (read-only)	\??\J:	MenuDem11.exe
File opened (read-only)	\??\L:	MenuDem11.exe
File opened (read-only)	\??\O:	MenuDem11.exe
File opened (read-only)	\??\T:	MenuDem11.exe
File opened (read-only)	\??\E:	MenuDem11.exe
File opened (read-only)	\??\H:	MenuDem11.exe
File opened (read-only)	\??\N:	MenuDem11.exe
File opened (read-only)	\??\P:	MenuDem11.exe
File opened (read-only)	\??\U:	MenuDem11.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MenuDem11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MenuDem11.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MenuDem11.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2992	MenuDem11.exe
2992	MenuDem11.exe
2992	MenuDem11.exe
2992	MenuDem11.exe
2992	MenuDem11.exe
2992	MenuDem11.exe
2992	MenuDem11.exe
2992	MenuDem11.exe
2992	MenuDem11.exe
2992	MenuDem11.exe
2992	MenuDem11.exe
2992	MenuDem11.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2992	MenuDem11.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2992	MenuDem11.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 4832	2992	MenuDem11.exe	92
PID 2992 wrote to memory of 4832	2992	MenuDem11.exe	92
PID 2992 wrote to memory of 4832	2992	MenuDem11.exe	92
PID 2992 wrote to memory of 1052	2992	MenuDem11.exe	93
PID 2992 wrote to memory of 1052	2992	MenuDem11.exe	93
PID 2992 wrote to memory of 1052	2992	MenuDem11.exe	93
PID 2992 wrote to memory of 4076	2992	MenuDem11.exe	97
PID 2992 wrote to memory of 4076	2992	MenuDem11.exe	97
PID 2992 wrote to memory of 4076	2992	MenuDem11.exe	97
PID 2992 wrote to memory of 3708	2992	MenuDem11.exe	99
PID 2992 wrote to memory of 3708	2992	MenuDem11.exe	99
PID 2992 wrote to memory of 3708	2992	MenuDem11.exe	99
PID 2992 wrote to memory of 2260	2992	MenuDem11.exe	103
PID 2992 wrote to memory of 2260	2992	MenuDem11.exe	103
PID 2992 wrote to memory of 2260	2992	MenuDem11.exe	103
PID 2992 wrote to memory of 3024	2992	MenuDem11.exe	105
PID 2992 wrote to memory of 3024	2992	MenuDem11.exe	105
PID 2992 wrote to memory of 3024	2992	MenuDem11.exe	105
PID 2992 wrote to memory of 4180	2992	MenuDem11.exe	107
PID 2992 wrote to memory of 4180	2992	MenuDem11.exe	107
PID 2992 wrote to memory of 4180	2992	MenuDem11.exe	107
PID 2992 wrote to memory of 1648	2992	MenuDem11.exe	109
PID 2992 wrote to memory of 1648	2992	MenuDem11.exe	109
PID 2992 wrote to memory of 1648	2992	MenuDem11.exe	109
PID 2992 wrote to memory of 2812	2992	MenuDem11.exe	111
PID 2992 wrote to memory of 2812	2992	MenuDem11.exe	111
PID 2992 wrote to memory of 2812	2992	MenuDem11.exe	111
PID 2992 wrote to memory of 1348	2992	MenuDem11.exe	113
PID 2992 wrote to memory of 1348	2992	MenuDem11.exe	113
PID 2992 wrote to memory of 1348	2992	MenuDem11.exe	113
PID 2992 wrote to memory of 4104	2992	MenuDem11.exe	115
PID 2992 wrote to memory of 4104	2992	MenuDem11.exe	115
PID 2992 wrote to memory of 4104	2992	MenuDem11.exe	115
PID 2992 wrote to memory of 2588	2992	MenuDem11.exe	117
PID 2992 wrote to memory of 2588	2992	MenuDem11.exe	117
PID 2992 wrote to memory of 2588	2992	MenuDem11.exe	117
PID 2992 wrote to memory of 4080	2992	MenuDem11.exe	119
PID 2992 wrote to memory of 4080	2992	MenuDem11.exe	119
PID 2992 wrote to memory of 4080	2992	MenuDem11.exe	119
PID 2992 wrote to memory of 2392	2992	MenuDem11.exe	122
PID 2992 wrote to memory of 2392	2992	MenuDem11.exe	122
PID 2992 wrote to memory of 2392	2992	MenuDem11.exe	122
PID 2992 wrote to memory of 2520	2992	MenuDem11.exe	124
PID 2992 wrote to memory of 2520	2992	MenuDem11.exe	124
PID 2992 wrote to memory of 2520	2992	MenuDem11.exe	124
PID 2992 wrote to memory of 2076	2992	MenuDem11.exe	128
PID 2992 wrote to memory of 2076	2992	MenuDem11.exe	128
PID 2992 wrote to memory of 2076	2992	MenuDem11.exe	128
PID 2992 wrote to memory of 336	2992	MenuDem11.exe	130
PID 2992 wrote to memory of 336	2992	MenuDem11.exe	130
PID 2992 wrote to memory of 336	2992	MenuDem11.exe	130
PID 2992 wrote to memory of 3204	2992	MenuDem11.exe	132
PID 2992 wrote to memory of 3204	2992	MenuDem11.exe	132
PID 2992 wrote to memory of 3204	2992	MenuDem11.exe	132
PID 2992 wrote to memory of 4248	2992	MenuDem11.exe	134
PID 2992 wrote to memory of 4248	2992	MenuDem11.exe	134
PID 2992 wrote to memory of 4248	2992	MenuDem11.exe	134
PID 2992 wrote to memory of 4256	2992	MenuDem11.exe	136
PID 2992 wrote to memory of 4256	2992	MenuDem11.exe	136
PID 2992 wrote to memory of 4256	2992	MenuDem11.exe	136
PID 2992 wrote to memory of 5068	2992	MenuDem11.exe	138
PID 2992 wrote to memory of 5068	2992	MenuDem11.exe	138
PID 2992 wrote to memory of 5068	2992	MenuDem11.exe	138
PID 2992 wrote to memory of 4264	2992	MenuDem11.exe	140

C:\Users\Admin\AppData\Local\Temp\MenuDem11.exe
"C:\Users\Admin\AppData\Local\Temp\MenuDem11.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c md C:\Users\Public\Documents\MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c md C:\Users\Public\Documents\MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1052
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4076
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3708
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2260
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3024
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4180
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1648
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2812
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1348
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4104
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2588
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4080
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2392
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2520
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2076
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:336
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  PID:3204
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4248
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4256
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5068
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4264
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2600
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4436
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4964
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4376
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:680
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2996
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4412
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4620
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1128
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5116
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1752
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  PID:1480
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  PID:4808
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  PID:4768
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3336
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2404
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  PID:368
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3992
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5072
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  PID:3564
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4280
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1988
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4168
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5028
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2996
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1960
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  PID:2940
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4532
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2488
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1748
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3576
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3036
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  PID:4064
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3372
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4836
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4824
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2880
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  PID:3180
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1804
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1468
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:532
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1432
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3424
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2656
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4060
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3512
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:804
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3396
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4484
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /TN MM
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2992-6-0x0000000003F70000-0x00000000040A8000-memory.dmp

Filesize
1.2MB

Download
memory/2992-7-0x00000000040B0000-0x0000000004254000-memory.dmp

Filesize
1.6MB

Download
memory/2992-8-0x00000000040B0000-0x0000000004254000-memory.dmp

Filesize
1.6MB

Download
memory/2992-14-0x00000000040B0000-0x0000000004254000-memory.dmp

Filesize
1.6MB

Download
memory/2992-18-0x0000000004C50000-0x0000000004C87000-memory.dmp

Filesize
220KB

Download
memory/2992-27-0x0000000004C90000-0x0000000004CCB000-memory.dmp

Filesize
236KB

Download
memory/2992-25-0x0000000004C90000-0x0000000004CCB000-memory.dmp

Filesize
236KB

Download
memory/2992-19-0x0000000004C90000-0x0000000004CCB000-memory.dmp

Filesize
236KB

Download
memory/2992-28-0x0000000004C90000-0x0000000004CCB000-memory.dmp

Filesize
236KB

Download
memory/2992-33-0x0000000004C90000-0x0000000004CCB000-memory.dmp

Filesize
236KB

Download
memory/2992-32-0x0000000004C90000-0x0000000004CCB000-memory.dmp

Filesize
236KB

Download
memory/2992-31-0x0000000004C90000-0x0000000004CCB000-memory.dmp

Filesize
236KB

Download
memory/2992-29-0x0000000004C90000-0x0000000004CCB000-memory.dmp

Filesize
236KB

Download
memory/2992-26-0x0000000004C90000-0x0000000004CCB000-memory.dmp

Filesize
236KB

Download
memory/2992-24-0x0000000004C90000-0x0000000004CCB000-memory.dmp

Filesize
236KB

Download
memory/2992-23-0x0000000004C90000-0x0000000004CCB000-memory.dmp

Filesize
236KB

Download
memory/2992-22-0x0000000004C90000-0x0000000004CCB000-memory.dmp

Filesize
236KB

Download
memory/2992-21-0x0000000004C90000-0x0000000004CCB000-memory.dmp

Filesize
236KB

Download
memory/2992-20-0x0000000004C90000-0x0000000004CCB000-memory.dmp

Filesize
236KB

Download
memory/2992-30-0x0000000004C90000-0x0000000004CCB000-memory.dmp

Filesize
236KB

Download
memory/2992-37-0x0000000004D10000-0x0000000004D33000-memory.dmp

Filesize
140KB

Download
memory/2992-41-0x0000000004D10000-0x0000000004D33000-memory.dmp

Filesize
140KB

Download
memory/2992-43-0x0000000004D10000-0x0000000004D33000-memory.dmp

Filesize
140KB

Download
memory/2992-42-0x0000000004CF0000-0x0000000004D0F000-memory.dmp

Filesize
124KB

Download
memory/2992-40-0x0000000004D10000-0x0000000004D33000-memory.dmp

Filesize
140KB

Download
memory/2992-39-0x0000000004D10000-0x0000000004D33000-memory.dmp

Filesize
140KB

Download
memory/2992-38-0x0000000004D10000-0x0000000004D33000-memory.dmp

Filesize
140KB

Download
memory/2992-50-0x0000000003F70000-0x00000000040A8000-memory.dmp

Filesize
1.2MB

Download
memory/2992-53-0x00000000040B0000-0x0000000004254000-memory.dmp

Filesize
1.6MB

Download