8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27-08-2024 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1c95767e2aae895bca002778203b26e.exe
Size

1.4MB
MD5

a1c95767e2aae895bca002778203b26e
SHA1

ee02ae312b7a4b12335cfc38a3260503aebca0a8
SHA256

8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c
SHA512

ecb2bc9815e26b22bed93865ba552d218f62e3bf8c4c9c859033059a9faf07000630ea8bee7ee3e2dad9d3268b97259b821bb04b62d3815c2442c742d3380f46
SSDEEP

24576:sqDEvCTbMWu7rQYlBQcBiT6rprG8apZtCx7NAumZ2CvYZdqROwKmzOYxrnP:sTvC/MTQYxsWR7apZt6po0ZERlKqXN

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ddd.vbs	ddd.exe

Executes dropped EXE 39 IoCs

pid	Process
2492	ddd.exe
1080	ddd.exe
2452	ddd.exe
2824	ddd.exe
2616	ddd.exe
3060	ddd.exe
1356	ddd.exe
1260	ddd.exe
1488	ddd.exe
1768	ddd.exe
2404	ddd.exe
1396	ddd.exe
2876	ddd.exe
1828	ddd.exe
836	ddd.exe
804	ddd.exe
1172	ddd.exe
2480	ddd.exe
3056	ddd.exe
2356	ddd.exe
2776	ddd.exe
1440	ddd.exe
2828	ddd.exe
2968	ddd.exe
2624	ddd.exe
1656	ddd.exe
2248	ddd.exe
1960	ddd.exe
1144	ddd.exe
2852	ddd.exe
2144	ddd.exe
1708	ddd.exe
1076	ddd.exe
1520	ddd.exe
1220	ddd.exe
2288	ddd.exe
2188	ddd.exe
540	ddd.exe
2400	ddd.exe

Loads dropped DLL 1 IoCs

pid	Process
2984	a1c95767e2aae895bca002778203b26e.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000600000001921d-13.dat	autoit_exe

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1c95767e2aae895bca002778203b26e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2984	a1c95767e2aae895bca002778203b26e.exe
2984	a1c95767e2aae895bca002778203b26e.exe
2984	a1c95767e2aae895bca002778203b26e.exe
2984	a1c95767e2aae895bca002778203b26e.exe
2984	a1c95767e2aae895bca002778203b26e.exe
2984	a1c95767e2aae895bca002778203b26e.exe
2492	ddd.exe
2492	ddd.exe
2492	ddd.exe
2492	ddd.exe
2492	ddd.exe
2492	ddd.exe
1080	ddd.exe
1080	ddd.exe
1080	ddd.exe
1080	ddd.exe
1080	ddd.exe
1080	ddd.exe
2452	ddd.exe
2452	ddd.exe
2452	ddd.exe
2452	ddd.exe
2452	ddd.exe
2452	ddd.exe
2824	ddd.exe
2824	ddd.exe
2824	ddd.exe
2824	ddd.exe
2824	ddd.exe
2824	ddd.exe
2616	ddd.exe
2616	ddd.exe
2616	ddd.exe
2616	ddd.exe
2616	ddd.exe
2616	ddd.exe
3060	ddd.exe
3060	ddd.exe
3060	ddd.exe
3060	ddd.exe
3060	ddd.exe
3060	ddd.exe
1356	ddd.exe
1356	ddd.exe
1356	ddd.exe
1356	ddd.exe
1356	ddd.exe
1356	ddd.exe
1260	ddd.exe
1260	ddd.exe
1260	ddd.exe
1260	ddd.exe
1260	ddd.exe
1260	ddd.exe
1488	ddd.exe
1488	ddd.exe
1488	ddd.exe
1488	ddd.exe
1488	ddd.exe
1488	ddd.exe
1768	ddd.exe
1768	ddd.exe
1768	ddd.exe
1768	ddd.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2984	a1c95767e2aae895bca002778203b26e.exe
2984	a1c95767e2aae895bca002778203b26e.exe
2984	a1c95767e2aae895bca002778203b26e.exe
2984	a1c95767e2aae895bca002778203b26e.exe
2984	a1c95767e2aae895bca002778203b26e.exe
2984	a1c95767e2aae895bca002778203b26e.exe
2492	ddd.exe
2492	ddd.exe
2492	ddd.exe
2492	ddd.exe
2492	ddd.exe
2492	ddd.exe
1080	ddd.exe
1080	ddd.exe
1080	ddd.exe
1080	ddd.exe
1080	ddd.exe
1080	ddd.exe
2452	ddd.exe
2452	ddd.exe
2452	ddd.exe
2452	ddd.exe
2452	ddd.exe
2452	ddd.exe
2824	ddd.exe
2824	ddd.exe
2824	ddd.exe
2824	ddd.exe
2824	ddd.exe
2824	ddd.exe
2616	ddd.exe
2616	ddd.exe
2616	ddd.exe
2616	ddd.exe
2616	ddd.exe
2616	ddd.exe
3060	ddd.exe
3060	ddd.exe
3060	ddd.exe
3060	ddd.exe
3060	ddd.exe
3060	ddd.exe
1356	ddd.exe
1356	ddd.exe
1356	ddd.exe
1356	ddd.exe
1356	ddd.exe
1356	ddd.exe
1260	ddd.exe
1260	ddd.exe
1260	ddd.exe
1260	ddd.exe
1260	ddd.exe
1260	ddd.exe
1488	ddd.exe
1488	ddd.exe
1488	ddd.exe
1488	ddd.exe
1488	ddd.exe
1488	ddd.exe
1768	ddd.exe
1768	ddd.exe
1768	ddd.exe
1768	ddd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2492	2984	a1c95767e2aae895bca002778203b26e.exe	31
PID 2984 wrote to memory of 2492	2984	a1c95767e2aae895bca002778203b26e.exe	31
PID 2984 wrote to memory of 2492	2984	a1c95767e2aae895bca002778203b26e.exe	31
PID 2984 wrote to memory of 2492	2984	a1c95767e2aae895bca002778203b26e.exe	31
PID 2492 wrote to memory of 1080	2492	ddd.exe	32
PID 2492 wrote to memory of 1080	2492	ddd.exe	32
PID 2492 wrote to memory of 1080	2492	ddd.exe	32
PID 2492 wrote to memory of 1080	2492	ddd.exe	32
PID 1080 wrote to memory of 2452	1080	ddd.exe	33
PID 1080 wrote to memory of 2452	1080	ddd.exe	33
PID 1080 wrote to memory of 2452	1080	ddd.exe	33
PID 1080 wrote to memory of 2452	1080	ddd.exe	33
PID 2452 wrote to memory of 2824	2452	ddd.exe	34
PID 2452 wrote to memory of 2824	2452	ddd.exe	34
PID 2452 wrote to memory of 2824	2452	ddd.exe	34
PID 2452 wrote to memory of 2824	2452	ddd.exe	34
PID 2824 wrote to memory of 2616	2824	ddd.exe	35
PID 2824 wrote to memory of 2616	2824	ddd.exe	35
PID 2824 wrote to memory of 2616	2824	ddd.exe	35
PID 2824 wrote to memory of 2616	2824	ddd.exe	35
PID 2616 wrote to memory of 3060	2616	ddd.exe	36
PID 2616 wrote to memory of 3060	2616	ddd.exe	36
PID 2616 wrote to memory of 3060	2616	ddd.exe	36
PID 2616 wrote to memory of 3060	2616	ddd.exe	36
PID 3060 wrote to memory of 1356	3060	ddd.exe	37
PID 3060 wrote to memory of 1356	3060	ddd.exe	37
PID 3060 wrote to memory of 1356	3060	ddd.exe	37
PID 3060 wrote to memory of 1356	3060	ddd.exe	37
PID 1356 wrote to memory of 1260	1356	ddd.exe	38
PID 1356 wrote to memory of 1260	1356	ddd.exe	38
PID 1356 wrote to memory of 1260	1356	ddd.exe	38
PID 1356 wrote to memory of 1260	1356	ddd.exe	38
PID 1260 wrote to memory of 1488	1260	ddd.exe	39
PID 1260 wrote to memory of 1488	1260	ddd.exe	39
PID 1260 wrote to memory of 1488	1260	ddd.exe	39
PID 1260 wrote to memory of 1488	1260	ddd.exe	39
PID 1488 wrote to memory of 1768	1488	ddd.exe	40
PID 1488 wrote to memory of 1768	1488	ddd.exe	40
PID 1488 wrote to memory of 1768	1488	ddd.exe	40
PID 1488 wrote to memory of 1768	1488	ddd.exe	40
PID 1768 wrote to memory of 2404	1768	ddd.exe	41
PID 1768 wrote to memory of 2404	1768	ddd.exe	41
PID 1768 wrote to memory of 2404	1768	ddd.exe	41
PID 1768 wrote to memory of 2404	1768	ddd.exe	41
PID 2404 wrote to memory of 1396	2404	ddd.exe	42
PID 2404 wrote to memory of 1396	2404	ddd.exe	42
PID 2404 wrote to memory of 1396	2404	ddd.exe	42
PID 2404 wrote to memory of 1396	2404	ddd.exe	42
PID 1396 wrote to memory of 2876	1396	ddd.exe	43
PID 1396 wrote to memory of 2876	1396	ddd.exe	43
PID 1396 wrote to memory of 2876	1396	ddd.exe	43
PID 1396 wrote to memory of 2876	1396	ddd.exe	43
PID 2876 wrote to memory of 1828	2876	ddd.exe	44
PID 2876 wrote to memory of 1828	2876	ddd.exe	44
PID 2876 wrote to memory of 1828	2876	ddd.exe	44
PID 2876 wrote to memory of 1828	2876	ddd.exe	44
PID 1828 wrote to memory of 836	1828	ddd.exe	45
PID 1828 wrote to memory of 836	1828	ddd.exe	45
PID 1828 wrote to memory of 836	1828	ddd.exe	45
PID 1828 wrote to memory of 836	1828	ddd.exe	45
PID 836 wrote to memory of 804	836	ddd.exe	46
PID 836 wrote to memory of 804	836	ddd.exe	46
PID 836 wrote to memory of 804	836	ddd.exe	46
PID 836 wrote to memory of 804	836	ddd.exe	46

C:\Users\Admin\AppData\Local\Temp\a1c95767e2aae895bca002778203b26e.exe
"C:\Users\Admin\AppData\Local\Temp\a1c95767e2aae895bca002778203b26e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\directory\ddd.exe
  "C:\Users\Admin\AppData\Local\Temp\a1c95767e2aae895bca002778203b26e.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Users\Admin\AppData\Local\directory\ddd.exe
    "C:\Users\Admin\AppData\Local\directory\ddd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Users\Admin\AppData\Local\directory\ddd.exe
      "C:\Users\Admin\AppData\Local\directory\ddd.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2824
      - C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autD9EB.tmp

Filesize
430KB

MD5
e3a95e254603a86eb35a2939c0326cce

SHA1
85f6ef63993c057870363e53571318697de8c4fe

SHA256
21b86e670e2d0079508af5893853a7d4db0ccd4ce512a94223943087a8944920

SHA512
f94f03a62b8a88fcc728b8414e4bad6ece313cbbb5515c2d4a5fc847362c3e3b0d04ca7c255ab38a707cec2e2656903ad4f764045c8eaff6259fd9058997337d

Download Submit
C:\Users\Admin\AppData\Local\Temp\autD9FB.tmp

Filesize
42KB

MD5
7164106aa8c85bb56f62c0133c3cbe3a

SHA1
38881951a2f13939aa50223842201bebf88578e9

SHA256
b1bd1588d9865bbd97bbc46a14f07f70ee0af5d8e1544bfd403619ecf7bb8ddb

SHA512
041090111d0f2bd8c1f0bd86d28a4a35ea4313148436a055a23c0197a242554289b128cffdca6123f1feef25a5d1c3e32084a8031b048008ac88d4f149591729

Download Submit
C:\Users\Admin\AppData\Local\Temp\seskin

Filesize
84KB

MD5
e35f6cb972a5dea274b746d9e4c25fe3

SHA1
3a0d7f1f0e631be14a2041f28d3979cf0ef76999

SHA256
9aeb3e90a42d4c33d932a4191bd20a84b7db2627fd04896a98ceb3100a207391

SHA512
f065dd4e31a7628fcdedf13f030080925e8f85268226aae072694df9c52da84fe07095e9b053f06b0173d1259dd027970c745831b49c2a15ba16f4d921ecb85b

Download Submit
C:\Users\Admin\AppData\Local\Temp\troopwise

Filesize
483KB

MD5
9619fc607012065ef16b514a91852c0d

SHA1
0133014b86dcb7a403afef4980eabc0c2217f9c9

SHA256
ab4339f959ca357732c8698c02e557f11272236b4b5dd8da6ae496d64ddc4505

SHA512
fa2891ac49e37fed5492b02d037be8f6c2210ad303dc804fa8c3408675e5930357b680fefc84092cc5836555a4e72e1c4dddae76f0a895b86acd3e4c9a0fb5d5

Download Submit
\Users\Admin\AppData\Local\directory\ddd.exe

Filesize
1.4MB

MD5
a1c95767e2aae895bca002778203b26e

SHA1
ee02ae312b7a4b12335cfc38a3260503aebca0a8

SHA256
8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c

SHA512
ecb2bc9815e26b22bed93865ba552d218f62e3bf8c4c9c859033059a9faf07000630ea8bee7ee3e2dad9d3268b97259b821bb04b62d3815c2442c742d3380f46

Download Submit
memory/2984-11-0x0000000000160000-0x0000000000164000-memory.dmp

Filesize
16KB

Download