1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde

Analysis

max time kernel
96s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
Size

454KB
MD5

37d198ad751d31a71acc9cb28ed0c64e
SHA1

8eb519b7a6df66d84c566605da9a0946717a921d
SHA256

1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde
SHA512

60923c0a8ce5fd397d49749ccee68ca3fe294d7323551ce9755410ac16bfff56a35bee3e6b9a67d57cdfcb43e4f164712f33cd255b76689174dcf4c475976c96
SSDEEP

12288:QeeeeVeeeeeegeeKVe3zJQX7MHv+xY2DxDdeeeeVeeeeeegeeKVZ3zY:QeeeeVeeeeeegeeKVe3zJ7QdeeeeVeeq

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde = "\"C:\\Users\\Admin\\Pictures\\Opportunistic Telegraph\\1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe\" /update"	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 3380	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	94
PID 2444 wrote to memory of 3380	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	94
PID 2444 wrote to memory of 3380	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	94
PID 2444 wrote to memory of 1684	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	95
PID 2444 wrote to memory of 1684	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	95
PID 2444 wrote to memory of 1684	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	95
PID 2444 wrote to memory of 1644	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	96
PID 2444 wrote to memory of 1644	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	96
PID 2444 wrote to memory of 1644	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	96
PID 2444 wrote to memory of 3464	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	97
PID 2444 wrote to memory of 3464	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	97
PID 2444 wrote to memory of 3464	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	97
PID 2444 wrote to memory of 1656	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	98
PID 2444 wrote to memory of 1656	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	98
PID 2444 wrote to memory of 1656	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	98
PID 2444 wrote to memory of 1356	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	99
PID 2444 wrote to memory of 1356	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	99
PID 2444 wrote to memory of 1356	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	99
PID 2444 wrote to memory of 2984	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	100
PID 2444 wrote to memory of 2984	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	100
PID 2444 wrote to memory of 2984	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	100
PID 2444 wrote to memory of 4048	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	101
PID 2444 wrote to memory of 4048	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	101
PID 2444 wrote to memory of 4048	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	101
PID 2444 wrote to memory of 1308	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	102
PID 2444 wrote to memory of 1308	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	102
PID 2444 wrote to memory of 1308	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	102
PID 2444 wrote to memory of 3404	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	103
PID 2444 wrote to memory of 3404	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	103
PID 2444 wrote to memory of 3404	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	103
PID 2444 wrote to memory of 1040	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	104
PID 2444 wrote to memory of 1040	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	104
PID 2444 wrote to memory of 1040	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	104
PID 2444 wrote to memory of 4388	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	105
PID 2444 wrote to memory of 4388	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	105
PID 2444 wrote to memory of 4388	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	105
PID 2444 wrote to memory of 2804	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	106
PID 2444 wrote to memory of 2804	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	106
PID 2444 wrote to memory of 2804	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	106
PID 2444 wrote to memory of 2972	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	107
PID 2444 wrote to memory of 2972	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	107
PID 2444 wrote to memory of 2972	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	107
PID 2444 wrote to memory of 1288	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	108
PID 2444 wrote to memory of 1288	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	108
PID 2444 wrote to memory of 1288	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	108
PID 2444 wrote to memory of 2988	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	109
PID 2444 wrote to memory of 2988	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	109
PID 2444 wrote to memory of 2988	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	109
PID 2444 wrote to memory of 3984	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	110
PID 2444 wrote to memory of 3984	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	110
PID 2444 wrote to memory of 3984	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	110
PID 2444 wrote to memory of 4912	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	111
PID 2444 wrote to memory of 4912	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	111
PID 2444 wrote to memory of 4912	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	111
PID 2444 wrote to memory of 4276	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	112
PID 2444 wrote to memory of 4276	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	112
PID 2444 wrote to memory of 4276	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	112
PID 2444 wrote to memory of 4404	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	113
PID 2444 wrote to memory of 4404	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	113
PID 2444 wrote to memory of 4404	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	113
PID 2444 wrote to memory of 2024	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	114
PID 2444 wrote to memory of 2024	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	114
PID 2444 wrote to memory of 2024	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	114
PID 2444 wrote to memory of 1156	2444	1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe	115

C:\Users\Admin\AppData\Local\Temp\1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe
"C:\Users\Admin\AppData\Local\Temp\1ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:3380
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:1684
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:1644
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:3464
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:1656
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:1356
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:2984
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4048
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:1308
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:3404
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:1040
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4388
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:2804
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:2972
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:1288
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:2988
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:3984
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4912
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4276
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4404
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:2024
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:1156
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:3820
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:3392
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:3880
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:936
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:980
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:1004
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:2208
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:536
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4768
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:752
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4828
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:1588
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:1548
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4400
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:1212
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:3608
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4020
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:1880
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4492
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:372
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:1488
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:1920
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:3536
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:3800
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:2480
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:2348
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:436
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:872
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:460
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:1088
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4112
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:3316
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:620
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:1184
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:1384
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:3444
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:3756
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:2704
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4956
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:3064
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:5100
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:1648
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4868
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:808
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:1944
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:3892
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:3660
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:1564
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:3796
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4220
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4316
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:1864
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4856
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:2336
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4616
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4028
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:3772
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:3020
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:1436
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:3052
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:2928
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:3776
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:3884
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4056
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4784
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4360
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4932
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4364
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4368
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:3872
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4352
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:1332
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4312
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:1516
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:2184
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:4568
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:5076
- C:\Windows\SysWOW64\Explorer.exe
  "C:\Windows\SysWOW64\Explorer.exe"
  2⤵
  PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2444-0-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download
memory/2444-1-0x0000000000FB0000-0x0000000001028000-memory.dmp

Filesize
480KB

Download
memory/2444-2-0x0000000006060000-0x0000000006604000-memory.dmp

Filesize
5.6MB

Download
memory/2444-3-0x0000000005A00000-0x0000000005A92000-memory.dmp

Filesize
584KB

Download
memory/2444-4-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/2444-5-0x0000000005AD0000-0x0000000005ADA000-memory.dmp

Filesize
40KB

Download
memory/2444-6-0x0000000005BF0000-0x0000000005C0A000-memory.dmp

Filesize
104KB

Download
memory/2444-7-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download
memory/2444-8-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/2444-10-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download