b8022e8002a8e01a6364fdcc6d53275b6edf3d196e36f0b4c9645de2570cfd48

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rgh99876k7e.exe
Size

1.5MB
MD5

bd6420aaf066a5b4533598417866bc67
SHA1

cf56376da61f4f34034fa4cc525e708052a5ecd3
SHA256

b8022e8002a8e01a6364fdcc6d53275b6edf3d196e36f0b4c9645de2570cfd48
SHA512

d9b394fc25949d552b64061810cd4452d24ee473c5755bada25b1db5ad35652a57b545c53c5e1dea88feac376b86e838a6b87886e9ad50e1f582eb2b985cda78
SSDEEP

24576:zqDEvCTbMWu7rQYlBQcBiT6rprG8auS2rwF3q65FE8wvsO5BaH3:zTvC/MTQYxsWR7auSY65G8wDKH

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antholite.vbs	antholite.exe

Executes dropped EXE 64 IoCs

pid	Process
1608	antholite.exe
2816	antholite.exe
2260	antholite.exe
1976	antholite.exe
2636	antholite.exe
2648	antholite.exe
2532	antholite.exe
2544	antholite.exe
2548	antholite.exe
3000	antholite.exe
1148	antholite.exe
1076	antholite.exe
628	antholite.exe
2028	antholite.exe
2736	antholite.exe
2832	antholite.exe
1008	antholite.exe
2152	antholite.exe
1392	antholite.exe
876	antholite.exe
2676	antholite.exe
2848	antholite.exe
892	antholite.exe
2284	antholite.exe
2312	antholite.exe
2580	antholite.exe
1968	antholite.exe
1812	antholite.exe
1276	antholite.exe
3052	antholite.exe
2716	antholite.exe
2624	antholite.exe
2796	antholite.exe
2540	antholite.exe
2568	antholite.exe
1052	antholite.exe
1472	antholite.exe
1436	antholite.exe
2040	antholite.exe
2024	antholite.exe
2828	antholite.exe
2456	antholite.exe
2088	antholite.exe
2156	antholite.exe
272	antholite.exe
1928	antholite.exe
2920	antholite.exe
2368	antholite.exe
844	antholite.exe
1784	antholite.exe
1984	antholite.exe
1988	antholite.exe
2948	antholite.exe
2180	antholite.exe
2072	antholite.exe
2900	antholite.exe
2732	antholite.exe
2500	antholite.exe
2980	antholite.exe
1384	antholite.exe
2776	antholite.exe
1680	antholite.exe
2032	antholite.exe
2824	antholite.exe

Loads dropped DLL 1 IoCs

pid	Process
2204	Rgh99876k7e.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0008000000016c89-12.dat	autoit_exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rgh99876k7e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	antholite.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2204	Rgh99876k7e.exe
2204	Rgh99876k7e.exe
1608	antholite.exe
1608	antholite.exe
2816	antholite.exe
2816	antholite.exe
2260	antholite.exe
2260	antholite.exe
1976	antholite.exe
1976	antholite.exe
2636	antholite.exe
2636	antholite.exe
2648	antholite.exe
2648	antholite.exe
2532	antholite.exe
2532	antholite.exe
2544	antholite.exe
2544	antholite.exe
2548	antholite.exe
2548	antholite.exe
3000	antholite.exe
3000	antholite.exe
1148	antholite.exe
1148	antholite.exe
1076	antholite.exe
1076	antholite.exe
628	antholite.exe
628	antholite.exe
2028	antholite.exe
2028	antholite.exe
2736	antholite.exe
2736	antholite.exe
2832	antholite.exe
2832	antholite.exe
1008	antholite.exe
1008	antholite.exe
2152	antholite.exe
2152	antholite.exe
1392	antholite.exe
1392	antholite.exe
876	antholite.exe
876	antholite.exe
2676	antholite.exe
2676	antholite.exe
2848	antholite.exe
2848	antholite.exe
892	antholite.exe
892	antholite.exe
2284	antholite.exe
2284	antholite.exe
2312	antholite.exe
2312	antholite.exe
2580	antholite.exe
2580	antholite.exe
1968	antholite.exe
1968	antholite.exe
1812	antholite.exe
1812	antholite.exe
1276	antholite.exe
1276	antholite.exe
3052	antholite.exe
3052	antholite.exe
2716	antholite.exe
2716	antholite.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2204	Rgh99876k7e.exe
2204	Rgh99876k7e.exe
1608	antholite.exe
1608	antholite.exe
2816	antholite.exe
2816	antholite.exe
2260	antholite.exe
2260	antholite.exe
1976	antholite.exe
1976	antholite.exe
2636	antholite.exe
2636	antholite.exe
2648	antholite.exe
2648	antholite.exe
2532	antholite.exe
2532	antholite.exe
2544	antholite.exe
2544	antholite.exe
2548	antholite.exe
2548	antholite.exe
3000	antholite.exe
3000	antholite.exe
1148	antholite.exe
1148	antholite.exe
1076	antholite.exe
1076	antholite.exe
628	antholite.exe
628	antholite.exe
2028	antholite.exe
2028	antholite.exe
2736	antholite.exe
2736	antholite.exe
2832	antholite.exe
2832	antholite.exe
1008	antholite.exe
1008	antholite.exe
2152	antholite.exe
2152	antholite.exe
1392	antholite.exe
1392	antholite.exe
876	antholite.exe
876	antholite.exe
2676	antholite.exe
2676	antholite.exe
2848	antholite.exe
2848	antholite.exe
892	antholite.exe
892	antholite.exe
2284	antholite.exe
2284	antholite.exe
2312	antholite.exe
2312	antholite.exe
2580	antholite.exe
2580	antholite.exe
1968	antholite.exe
1968	antholite.exe
1812	antholite.exe
1812	antholite.exe
1276	antholite.exe
1276	antholite.exe
3052	antholite.exe
3052	antholite.exe
2716	antholite.exe
2716	antholite.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 1608	2204	Rgh99876k7e.exe	28
PID 2204 wrote to memory of 1608	2204	Rgh99876k7e.exe	28
PID 2204 wrote to memory of 1608	2204	Rgh99876k7e.exe	28
PID 2204 wrote to memory of 1608	2204	Rgh99876k7e.exe	28
PID 1608 wrote to memory of 2816	1608	antholite.exe	29
PID 1608 wrote to memory of 2816	1608	antholite.exe	29
PID 1608 wrote to memory of 2816	1608	antholite.exe	29
PID 1608 wrote to memory of 2816	1608	antholite.exe	29
PID 2816 wrote to memory of 2260	2816	antholite.exe	30
PID 2816 wrote to memory of 2260	2816	antholite.exe	30
PID 2816 wrote to memory of 2260	2816	antholite.exe	30
PID 2816 wrote to memory of 2260	2816	antholite.exe	30
PID 2260 wrote to memory of 1976	2260	antholite.exe	31
PID 2260 wrote to memory of 1976	2260	antholite.exe	31
PID 2260 wrote to memory of 1976	2260	antholite.exe	31
PID 2260 wrote to memory of 1976	2260	antholite.exe	31
PID 1976 wrote to memory of 2636	1976	antholite.exe	32
PID 1976 wrote to memory of 2636	1976	antholite.exe	32
PID 1976 wrote to memory of 2636	1976	antholite.exe	32
PID 1976 wrote to memory of 2636	1976	antholite.exe	32
PID 2636 wrote to memory of 2648	2636	antholite.exe	33
PID 2636 wrote to memory of 2648	2636	antholite.exe	33
PID 2636 wrote to memory of 2648	2636	antholite.exe	33
PID 2636 wrote to memory of 2648	2636	antholite.exe	33
PID 2648 wrote to memory of 2532	2648	antholite.exe	34
PID 2648 wrote to memory of 2532	2648	antholite.exe	34
PID 2648 wrote to memory of 2532	2648	antholite.exe	34
PID 2648 wrote to memory of 2532	2648	antholite.exe	34
PID 2532 wrote to memory of 2544	2532	antholite.exe	35
PID 2532 wrote to memory of 2544	2532	antholite.exe	35
PID 2532 wrote to memory of 2544	2532	antholite.exe	35
PID 2532 wrote to memory of 2544	2532	antholite.exe	35
PID 2544 wrote to memory of 2548	2544	antholite.exe	36
PID 2544 wrote to memory of 2548	2544	antholite.exe	36
PID 2544 wrote to memory of 2548	2544	antholite.exe	36
PID 2544 wrote to memory of 2548	2544	antholite.exe	36
PID 2548 wrote to memory of 3000	2548	antholite.exe	37
PID 2548 wrote to memory of 3000	2548	antholite.exe	37
PID 2548 wrote to memory of 3000	2548	antholite.exe	37
PID 2548 wrote to memory of 3000	2548	antholite.exe	37
PID 3000 wrote to memory of 1148	3000	antholite.exe	38
PID 3000 wrote to memory of 1148	3000	antholite.exe	38
PID 3000 wrote to memory of 1148	3000	antholite.exe	38
PID 3000 wrote to memory of 1148	3000	antholite.exe	38
PID 1148 wrote to memory of 1076	1148	antholite.exe	39
PID 1148 wrote to memory of 1076	1148	antholite.exe	39
PID 1148 wrote to memory of 1076	1148	antholite.exe	39
PID 1148 wrote to memory of 1076	1148	antholite.exe	39
PID 1076 wrote to memory of 628	1076	antholite.exe	40
PID 1076 wrote to memory of 628	1076	antholite.exe	40
PID 1076 wrote to memory of 628	1076	antholite.exe	40
PID 1076 wrote to memory of 628	1076	antholite.exe	40
PID 628 wrote to memory of 2028	628	antholite.exe	41
PID 628 wrote to memory of 2028	628	antholite.exe	41
PID 628 wrote to memory of 2028	628	antholite.exe	41
PID 628 wrote to memory of 2028	628	antholite.exe	41
PID 2028 wrote to memory of 2736	2028	antholite.exe	42
PID 2028 wrote to memory of 2736	2028	antholite.exe	42
PID 2028 wrote to memory of 2736	2028	antholite.exe	42
PID 2028 wrote to memory of 2736	2028	antholite.exe	42
PID 2736 wrote to memory of 2832	2736	antholite.exe	43
PID 2736 wrote to memory of 2832	2736	antholite.exe	43
PID 2736 wrote to memory of 2832	2736	antholite.exe	43
PID 2736 wrote to memory of 2832	2736	antholite.exe	43

C:\Users\Admin\AppData\Local\Temp\Rgh99876k7e.exe
"C:\Users\Admin\AppData\Local\Temp\Rgh99876k7e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Cocles\antholite.exe
  "C:\Users\Admin\AppData\Local\Temp\Rgh99876k7e.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Users\Admin\AppData\Local\Cocles\antholite.exe
    "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Users\Admin\AppData\Local\Cocles\antholite.exe
      "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1976
      - C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        33⤵
        Executes dropped EXE
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        36⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        40⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        41⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        43⤵
        Executes dropped EXE
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:272
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        47⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        51⤵
        Executes dropped EXE
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        54⤵
        Executes dropped EXE
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        58⤵
        Executes dropped EXE
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        66⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        69⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        76⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Cocles\antholite.exe
        
        "C:\Users\Admin\AppData\Local\Cocles\antholite.exe"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autA7A5.tmp

Filesize
405KB

MD5
11aae4fd5c5dd736d1ded6e1080be299

SHA1
5d4480c33fbba3169b933e40e5a2dec8d6fa9438

SHA256
c1f96c9087aab6f63c94915d6ff46c4da0220d5f48ad89f7374dc1fda192adc2

SHA512
73390fc932054043695b572d12da490b0a1b2da9abe465062897ca25f5bfb885886566d02f8dd54cfaa6d7032a4845c7b5243a2dac07a3371459c5f7dce76d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\autA7B5.tmp

Filesize
14KB

MD5
345ed665a9ebb49ba899d0a62f389ea0

SHA1
68698dbaaae4983c38da2b14fbb1fec060d9d2e8

SHA256
294b6354f17d6d3dfeeb71c5c43fde0a3a52551b826614742d4dd4eb32ff6a37

SHA512
37af32bce9df05fed6190f44af5eb6c62f74f4d47ef44f9d893a9befca1fbcd378cf1ad5242abf5f9aa0701b5f4133539a415eabd094d240eab3430179cb9a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\konked

Filesize
482KB

MD5
48005136bc147209ac8f408339c017e9

SHA1
2758101d2f96164a3e0cb62785223888946f53fa

SHA256
76e8c3c933c18bae6bb3cfbfa2aceb9db31c7862a56775de9ced8f1ec3a72f7f

SHA512
e0ac69de23c7354f61d634ba4064d63f54f75306dd06a15884d8c2da75908643db405fa430a84dbeb1af5e66c153c4d26e1006916f6879ba5bd9d8f9b459eaac

Download Submit
C:\Users\Admin\AppData\Local\Temp\seskin

Filesize
64KB

MD5
61a98788fc65c56168ac3ddbab6a232b

SHA1
af9e3911bff1b5ac02603e91d2c8c0463e18368b

SHA256
63fadd7d89ac5a5914ccc1e7629586bfdca9ad22d7839250851e853b1b8978c7

SHA512
7ec6dcf767b41c8f680bfc7c30e3ce23f0a1003f926eb8eb4a56636a7b8e7fffc31d466dd23a975cdaa43decca1f5e6eb68301ef849fff652856f70b35105217

Download Submit
C:\Users\Admin\AppData\Local\Temp\seskin

Filesize
140KB

MD5
fc0250799241323e9f3a53f51f7df0f1

SHA1
f0d60dbf33047494014302b4ee8b438cc0380943

SHA256
0469ec50b7420320b46fb0a05c5d875de1ca110b2e18fbcb37860e2a6cd31982

SHA512
ccacaced5eb79a9920299599b34984788c2288bf07ce1a423668c5b4e56f4348cf7a6a29231a658fce07a40719897ee1dde428d4539a8007f6028b243f718661

Download Submit
\Users\Admin\AppData\Local\Cocles\antholite.exe

Filesize
1.5MB

MD5
bd6420aaf066a5b4533598417866bc67

SHA1
cf56376da61f4f34034fa4cc525e708052a5ecd3

SHA256
b8022e8002a8e01a6364fdcc6d53275b6edf3d196e36f0b4c9645de2570cfd48

SHA512
d9b394fc25949d552b64061810cd4452d24ee473c5755bada25b1db5ad35652a57b545c53c5e1dea88feac376b86e838a6b87886e9ad50e1f582eb2b985cda78

Download Submit
memory/2204-10-0x0000000000250000-0x0000000000254000-memory.dmp

Filesize
16KB

Download