Overview

overview

10

Static

static

3

14062016000020.scr

windows7-x64

10

14062016000020.scr

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-09-2024 16:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    14062016000020.scr

  • Size

    313KB

  • MD5

    1c65cb1bd5c5d0210d812862face01f6

  • SHA1

    802bfd4b652279ea588856f8cf7f3a809fcc2733

  • SHA256

    a9c67d95d20df497f36044e8ced2c6352c210220aacd80ddf2e6248db928462e

  • SHA512

    0b26a1007ec4cbc0c470ef3ced674757670454338e663545e66732df7e310469169014bd9239c37a6b11353063af98c6a1c841d0370470547e4a8e80bf165381

  • SSDEEP

    6144:mgu1P7N75URX8F1oY1B3vaVAX5uwAwfJEypmWxDw:2R7ZgX8F1R3/aVAX5pqypma

Score
10/10
nanocorediscoverykeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 64 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14062016000020.scr
    "C:\Users\Admin\AppData\Local\Temp\14062016000020.scr" /S
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3368
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
      2⤵
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:3480
    • C:\Users\Admin\Desktop\example.exe
      "C:\Users\Admin\Desktop\example.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3228
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4584
      • C:\Users\Admin\Desktop\example.exe
        "C:\Users\Admin\Desktop\example.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3924
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1128
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3172
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3392
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2328
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
          4⤵
            PID:5068
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
            4⤵
              PID:3296
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
              4⤵
              • System Location Discovery: System Language Discovery
              PID:3668
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
              4⤵
              • System Location Discovery: System Language Discovery
              PID:3496
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
              4⤵
              • System Location Discovery: System Language Discovery
              PID:888
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
              4⤵
                PID:2880
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                4⤵
                  PID:4388
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                  4⤵
                  • System Location Discovery: System Language Discovery
                  PID:2544
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                  4⤵
                  • System Location Discovery: System Language Discovery
                  PID:1200
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                  4⤵
                    PID:4532
                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:2792
                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:1672
                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:3720
                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:3080
                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                    4⤵
                    • Suspicious use of UnmapMainImage
                    PID:1356
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 12
                      5⤵
                      • Program crash
                      PID:1208
                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:2932
                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:3948
                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                    4⤵
                      PID:2592
                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:4696
                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:4676
                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                      4⤵
                        PID:2288
                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                        4⤵
                        • System Location Discovery: System Language Discovery
                        PID:1908
                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                        4⤵
                          PID:2808
                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:3812
                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:1540
                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:3988
                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:3464
                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:2928
                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                          4⤵
                            PID:3180
                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                            4⤵
                            • System Location Discovery: System Language Discovery
                            PID:4552
                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                            4⤵
                            • System Location Discovery: System Language Discovery
                            PID:1596
                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                            4⤵
                            • System Location Discovery: System Language Discovery
                            PID:2644
                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                            4⤵
                            • System Location Discovery: System Language Discovery
                            PID:2172
                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                            4⤵
                            • System Location Discovery: System Language Discovery
                            PID:3656
                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                            4⤵
                            • System Location Discovery: System Language Discovery
                            PID:2104
                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                            4⤵
                            • System Location Discovery: System Language Discovery
                            PID:2136
                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                            4⤵
                              PID:4100
                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                              4⤵
                                PID:380
                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                4⤵
                                  PID:1804
                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:4024
                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:4172
                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:916
                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                3⤵
                                • System Location Discovery: System Language Discovery
                                PID:4216
                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                3⤵
                                  PID:2180
                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                  3⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:4232
                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                  3⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:4108
                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                  3⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:1516
                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                  3⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:828
                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                  3⤵
                                  • Suspicious use of UnmapMainImage
                                  PID:1492
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 12
                                    4⤵
                                    • Program crash
                                    PID:3796
                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                  3⤵
                                    PID:4612
                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                    3⤵
                                      PID:4520
                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:4760
                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:1728
                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:1784
                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:4472
                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                      3⤵
                                        PID:4212
                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:4964
                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                        3⤵
                                          PID:1312
                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                          3⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:4608
                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                          3⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:5072
                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                          3⤵
                                            PID:4256
                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                            3⤵
                                              PID:4280
                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                              3⤵
                                                PID:1668
                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                                3⤵
                                                  PID:4880
                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                                  3⤵
                                                    PID:860
                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                                    3⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:2420
                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                                    3⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:5036
                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                                    3⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:2516
                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                                    3⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:1820
                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                                    3⤵
                                                      PID:2912
                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                                      3⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:3236
                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                                      3⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:392
                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                                      3⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:3696
                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                                      3⤵
                                                        PID:4664
                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                                        3⤵
                                                          PID:3704
                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                                          3⤵
                                                            PID:4804
                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                                            3⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:2184
                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                                            3⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:3572
                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                                            3⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:4968
                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                                            3⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:3424
                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                                            3⤵
                                                              PID:532
                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                                              3⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:1192
                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                                              3⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:4624
                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                                              3⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:4288
                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                                              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                                              3⤵
                                                                PID:4884
                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                                                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                                                3⤵
                                                                  PID:1396
                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                                                  3⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:2332
                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
                                                                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
                                                                  3⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:3968
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1492 -ip 1492
                                                              1⤵
                                                                PID:1908
                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1356 -ip 1356
                                                                1⤵
                                                                  PID:3912

                                                                Network

                                                                MITRE ATT&CK Enterprise v15

                                                                Replay Monitor

                                                                Loading Replay Monitor...

                                                                Downloads

                                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\InstallUtil.exe.log
                                                                  Filesize

                                                                  496B

                                                                  MD5

                                                                  5b4789d01bb4d7483b71e1a35bce6a8b

                                                                  SHA1

                                                                  de083f2131c9a763c0d1810c97a38732146cffbf

                                                                  SHA256

                                                                  e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6

                                                                  SHA512

                                                                  357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede

                                                                  Download Submit

                                                                • C:\Users\Admin\Desktop\example.exe
                                                                  Filesize

                                                                  313KB

                                                                  MD5

                                                                  1c65cb1bd5c5d0210d812862face01f6

                                                                  SHA1

                                                                  802bfd4b652279ea588856f8cf7f3a809fcc2733

                                                                  SHA256

                                                                  a9c67d95d20df497f36044e8ced2c6352c210220aacd80ddf2e6248db928462e

                                                                  SHA512

                                                                  0b26a1007ec4cbc0c470ef3ced674757670454338e663545e66732df7e310469169014bd9239c37a6b11353063af98c6a1c841d0370470547e4a8e80bf165381

                                                                  Download Submit

                                                                • memory/3228-26-0x0000000074F20000-0x00000000754D1000-memory.dmp

                                                                  Filesize

                                                                  5.7MB

                                                                  Download

                                                                • memory/3228-41-0x0000000074F20000-0x00000000754D1000-memory.dmp

                                                                  Filesize

                                                                  5.7MB

                                                                  Download

                                                                • memory/3228-37-0x0000000074F20000-0x00000000754D1000-memory.dmp

                                                                  Filesize

                                                                  5.7MB

                                                                  Download

                                                                • memory/3228-22-0x0000000074F20000-0x00000000754D1000-memory.dmp

                                                                  Filesize

                                                                  5.7MB

                                                                  Download

                                                                • memory/3228-24-0x0000000074F20000-0x00000000754D1000-memory.dmp

                                                                  Filesize

                                                                  5.7MB

                                                                  Download

                                                                • memory/3368-1-0x0000000074F20000-0x00000000754D1000-memory.dmp

                                                                  Filesize

                                                                  5.7MB

                                                                  Download

                                                                • memory/3368-2-0x0000000074F20000-0x00000000754D1000-memory.dmp

                                                                  Filesize

                                                                  5.7MB

                                                                  Download

                                                                • memory/3368-3-0x0000000074F20000-0x00000000754D1000-memory.dmp

                                                                  Filesize

                                                                  5.7MB

                                                                  Download

                                                                • memory/3368-0-0x0000000074F22000-0x0000000074F23000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                  Download

                                                                • memory/3368-23-0x0000000074F20000-0x00000000754D1000-memory.dmp

                                                                  Filesize

                                                                  5.7MB

                                                                  Download

                                                                • memory/3480-4-0x0000000000400000-0x000000000043C000-memory.dmp

                                                                  Filesize

                                                                  240KB

                                                                  Download

                                                                • memory/3480-25-0x0000000074F20000-0x00000000754D1000-memory.dmp

                                                                  Filesize

                                                                  5.7MB

                                                                  Download

                                                                • memory/3480-7-0x0000000074F20000-0x00000000754D1000-memory.dmp

                                                                  Filesize

                                                                  5.7MB

                                                                  Download

                                                                • memory/3480-34-0x0000000074F20000-0x00000000754D1000-memory.dmp

                                                                  Filesize

                                                                  5.7MB

                                                                  Download

                                                                • memory/3480-6-0x0000000074F20000-0x00000000754D1000-memory.dmp

                                                                  Filesize

                                                                  5.7MB

                                                                  Download

                                                                • memory/3480-38-0x0000000074F20000-0x00000000754D1000-memory.dmp

                                                                  Filesize

                                                                  5.7MB

                                                                  Download

                                                                • memory/3480-5-0x0000000074F20000-0x00000000754D1000-memory.dmp

                                                                  Filesize

                                                                  5.7MB

                                                                  Download