8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
28-08-2024 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c.exe
Size

1.4MB
MD5

a1c95767e2aae895bca002778203b26e
SHA1

ee02ae312b7a4b12335cfc38a3260503aebca0a8
SHA256

8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c
SHA512

ecb2bc9815e26b22bed93865ba552d218f62e3bf8c4c9c859033059a9faf07000630ea8bee7ee3e2dad9d3268b97259b821bb04b62d3815c2442c742d3380f46
SSDEEP

24576:sqDEvCTbMWu7rQYlBQcBiT6rprG8apZtCx7NAumZ2CvYZdqROwKmzOYxrnP:sTvC/MTQYxsWR7apZt6po0ZERlKqXN

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ddd.vbs	ddd.exe

Executes dropped EXE 39 IoCs

pid	Process
1728	ddd.exe
2772	ddd.exe
3012	ddd.exe
2760	ddd.exe
2688	ddd.exe
2040	ddd.exe
2964	ddd.exe
1164	ddd.exe
2840	ddd.exe
2984	ddd.exe
2116	ddd.exe
640	ddd.exe
804	ddd.exe
2120	ddd.exe
788	ddd.exe
2212	ddd.exe
2268	ddd.exe
2200	ddd.exe
2408	ddd.exe
2436	ddd.exe
2824	ddd.exe
2740	ddd.exe
2888	ddd.exe
1640	ddd.exe
1980	ddd.exe
1388	ddd.exe
2844	ddd.exe
1064	ddd.exe
1220	ddd.exe
2256	ddd.exe
2264	ddd.exe
2156	ddd.exe
2604	ddd.exe
1308	ddd.exe
348	ddd.exe
2592	ddd.exe
3020	ddd.exe
3008	ddd.exe
3052	ddd.exe

Loads dropped DLL 1 IoCs

pid	Process
2708	8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0008000000017406-13.dat	autoit_exe

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2708	8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c.exe
2708	8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c.exe
2708	8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c.exe
2708	8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c.exe
2708	8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c.exe
2708	8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c.exe
1728	ddd.exe
1728	ddd.exe
1728	ddd.exe
1728	ddd.exe
1728	ddd.exe
1728	ddd.exe
2772	ddd.exe
2772	ddd.exe
2772	ddd.exe
2772	ddd.exe
2772	ddd.exe
2772	ddd.exe
3012	ddd.exe
3012	ddd.exe
3012	ddd.exe
3012	ddd.exe
3012	ddd.exe
3012	ddd.exe
2760	ddd.exe
2760	ddd.exe
2760	ddd.exe
2760	ddd.exe
2760	ddd.exe
2760	ddd.exe
2688	ddd.exe
2688	ddd.exe
2688	ddd.exe
2688	ddd.exe
2688	ddd.exe
2688	ddd.exe
2040	ddd.exe
2040	ddd.exe
2040	ddd.exe
2040	ddd.exe
2040	ddd.exe
2040	ddd.exe
2964	ddd.exe
2964	ddd.exe
2964	ddd.exe
2964	ddd.exe
2964	ddd.exe
2964	ddd.exe
1164	ddd.exe
1164	ddd.exe
1164	ddd.exe
1164	ddd.exe
1164	ddd.exe
1164	ddd.exe
2840	ddd.exe
2840	ddd.exe
2840	ddd.exe
2840	ddd.exe
2840	ddd.exe
2840	ddd.exe
2984	ddd.exe
2984	ddd.exe
2984	ddd.exe
2984	ddd.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2708	8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c.exe
2708	8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c.exe
2708	8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c.exe
2708	8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c.exe
2708	8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c.exe
2708	8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c.exe
1728	ddd.exe
1728	ddd.exe
1728	ddd.exe
1728	ddd.exe
1728	ddd.exe
1728	ddd.exe
2772	ddd.exe
2772	ddd.exe
2772	ddd.exe
2772	ddd.exe
2772	ddd.exe
2772	ddd.exe
3012	ddd.exe
3012	ddd.exe
3012	ddd.exe
3012	ddd.exe
3012	ddd.exe
3012	ddd.exe
2760	ddd.exe
2760	ddd.exe
2760	ddd.exe
2760	ddd.exe
2760	ddd.exe
2760	ddd.exe
2688	ddd.exe
2688	ddd.exe
2688	ddd.exe
2688	ddd.exe
2688	ddd.exe
2688	ddd.exe
2040	ddd.exe
2040	ddd.exe
2040	ddd.exe
2040	ddd.exe
2040	ddd.exe
2040	ddd.exe
2964	ddd.exe
2964	ddd.exe
2964	ddd.exe
2964	ddd.exe
2964	ddd.exe
2964	ddd.exe
1164	ddd.exe
1164	ddd.exe
1164	ddd.exe
1164	ddd.exe
1164	ddd.exe
1164	ddd.exe
2840	ddd.exe
2840	ddd.exe
2840	ddd.exe
2840	ddd.exe
2840	ddd.exe
2840	ddd.exe
2984	ddd.exe
2984	ddd.exe
2984	ddd.exe
2984	ddd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 1728	2708	8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c.exe	30
PID 2708 wrote to memory of 1728	2708	8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c.exe	30
PID 2708 wrote to memory of 1728	2708	8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c.exe	30
PID 2708 wrote to memory of 1728	2708	8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c.exe	30
PID 1728 wrote to memory of 2772	1728	ddd.exe	32
PID 1728 wrote to memory of 2772	1728	ddd.exe	32
PID 1728 wrote to memory of 2772	1728	ddd.exe	32
PID 1728 wrote to memory of 2772	1728	ddd.exe	32
PID 2772 wrote to memory of 3012	2772	ddd.exe	33
PID 2772 wrote to memory of 3012	2772	ddd.exe	33
PID 2772 wrote to memory of 3012	2772	ddd.exe	33
PID 2772 wrote to memory of 3012	2772	ddd.exe	33
PID 3012 wrote to memory of 2760	3012	ddd.exe	34
PID 3012 wrote to memory of 2760	3012	ddd.exe	34
PID 3012 wrote to memory of 2760	3012	ddd.exe	34
PID 3012 wrote to memory of 2760	3012	ddd.exe	34
PID 2760 wrote to memory of 2688	2760	ddd.exe	35
PID 2760 wrote to memory of 2688	2760	ddd.exe	35
PID 2760 wrote to memory of 2688	2760	ddd.exe	35
PID 2760 wrote to memory of 2688	2760	ddd.exe	35
PID 2688 wrote to memory of 2040	2688	ddd.exe	36
PID 2688 wrote to memory of 2040	2688	ddd.exe	36
PID 2688 wrote to memory of 2040	2688	ddd.exe	36
PID 2688 wrote to memory of 2040	2688	ddd.exe	36
PID 2040 wrote to memory of 2964	2040	ddd.exe	37
PID 2040 wrote to memory of 2964	2040	ddd.exe	37
PID 2040 wrote to memory of 2964	2040	ddd.exe	37
PID 2040 wrote to memory of 2964	2040	ddd.exe	37
PID 2964 wrote to memory of 1164	2964	ddd.exe	38
PID 2964 wrote to memory of 1164	2964	ddd.exe	38
PID 2964 wrote to memory of 1164	2964	ddd.exe	38
PID 2964 wrote to memory of 1164	2964	ddd.exe	38
PID 1164 wrote to memory of 2840	1164	ddd.exe	39
PID 1164 wrote to memory of 2840	1164	ddd.exe	39
PID 1164 wrote to memory of 2840	1164	ddd.exe	39
PID 1164 wrote to memory of 2840	1164	ddd.exe	39
PID 2840 wrote to memory of 2984	2840	ddd.exe	40
PID 2840 wrote to memory of 2984	2840	ddd.exe	40
PID 2840 wrote to memory of 2984	2840	ddd.exe	40
PID 2840 wrote to memory of 2984	2840	ddd.exe	40
PID 2984 wrote to memory of 2116	2984	ddd.exe	41
PID 2984 wrote to memory of 2116	2984	ddd.exe	41
PID 2984 wrote to memory of 2116	2984	ddd.exe	41
PID 2984 wrote to memory of 2116	2984	ddd.exe	41
PID 2116 wrote to memory of 640	2116	ddd.exe	42
PID 2116 wrote to memory of 640	2116	ddd.exe	42
PID 2116 wrote to memory of 640	2116	ddd.exe	42
PID 2116 wrote to memory of 640	2116	ddd.exe	42
PID 640 wrote to memory of 804	640	ddd.exe	43
PID 640 wrote to memory of 804	640	ddd.exe	43
PID 640 wrote to memory of 804	640	ddd.exe	43
PID 640 wrote to memory of 804	640	ddd.exe	43
PID 804 wrote to memory of 2120	804	ddd.exe	44
PID 804 wrote to memory of 2120	804	ddd.exe	44
PID 804 wrote to memory of 2120	804	ddd.exe	44
PID 804 wrote to memory of 2120	804	ddd.exe	44
PID 2120 wrote to memory of 788	2120	ddd.exe	45
PID 2120 wrote to memory of 788	2120	ddd.exe	45
PID 2120 wrote to memory of 788	2120	ddd.exe	45
PID 2120 wrote to memory of 788	2120	ddd.exe	45
PID 788 wrote to memory of 2212	788	ddd.exe	46
PID 788 wrote to memory of 2212	788	ddd.exe	46
PID 788 wrote to memory of 2212	788	ddd.exe	46
PID 788 wrote to memory of 2212	788	ddd.exe	46

C:\Users\Admin\AppData\Local\Temp\8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c.exe
"C:\Users\Admin\AppData\Local\Temp\8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\directory\ddd.exe
  "C:\Users\Admin\AppData\Local\Temp\8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Users\Admin\AppData\Local\directory\ddd.exe
    "C:\Users\Admin\AppData\Local\directory\ddd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Users\Admin\AppData\Local\directory\ddd.exe
      "C:\Users\Admin\AppData\Local\directory\ddd.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2760
      - C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\directory\ddd.exe
        
        "C:\Users\Admin\AppData\Local\directory\ddd.exe"
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autDBAF.tmp

Filesize
430KB

MD5
e3a95e254603a86eb35a2939c0326cce

SHA1
85f6ef63993c057870363e53571318697de8c4fe

SHA256
21b86e670e2d0079508af5893853a7d4db0ccd4ce512a94223943087a8944920

SHA512
f94f03a62b8a88fcc728b8414e4bad6ece313cbbb5515c2d4a5fc847362c3e3b0d04ca7c255ab38a707cec2e2656903ad4f764045c8eaff6259fd9058997337d

Download Submit
C:\Users\Admin\AppData\Local\Temp\autDBC0.tmp

Filesize
42KB

MD5
7164106aa8c85bb56f62c0133c3cbe3a

SHA1
38881951a2f13939aa50223842201bebf88578e9

SHA256
b1bd1588d9865bbd97bbc46a14f07f70ee0af5d8e1544bfd403619ecf7bb8ddb

SHA512
041090111d0f2bd8c1f0bd86d28a4a35ea4313148436a055a23c0197a242554289b128cffdca6123f1feef25a5d1c3e32084a8031b048008ac88d4f149591729

Download Submit
C:\Users\Admin\AppData\Local\Temp\seskin

Filesize
84KB

MD5
e35f6cb972a5dea274b746d9e4c25fe3

SHA1
3a0d7f1f0e631be14a2041f28d3979cf0ef76999

SHA256
9aeb3e90a42d4c33d932a4191bd20a84b7db2627fd04896a98ceb3100a207391

SHA512
f065dd4e31a7628fcdedf13f030080925e8f85268226aae072694df9c52da84fe07095e9b053f06b0173d1259dd027970c745831b49c2a15ba16f4d921ecb85b

Download Submit
C:\Users\Admin\AppData\Local\Temp\troopwise

Filesize
483KB

MD5
9619fc607012065ef16b514a91852c0d

SHA1
0133014b86dcb7a403afef4980eabc0c2217f9c9

SHA256
ab4339f959ca357732c8698c02e557f11272236b4b5dd8da6ae496d64ddc4505

SHA512
fa2891ac49e37fed5492b02d037be8f6c2210ad303dc804fa8c3408675e5930357b680fefc84092cc5836555a4e72e1c4dddae76f0a895b86acd3e4c9a0fb5d5

Download Submit
\Users\Admin\AppData\Local\directory\ddd.exe

Filesize
1.4MB

MD5
a1c95767e2aae895bca002778203b26e

SHA1
ee02ae312b7a4b12335cfc38a3260503aebca0a8

SHA256
8b2a33314505781855da6824132f4b392cda4eea4862932b1b887673f656338c

SHA512
ecb2bc9815e26b22bed93865ba552d218f62e3bf8c4c9c859033059a9faf07000630ea8bee7ee3e2dad9d3268b97259b821bb04b62d3815c2442c742d3380f46

Download Submit
memory/2708-11-0x00000000001E0000-0x00000000001E4000-memory.dmp

Filesize
16KB

Download