Analysis
-
max time kernel
146s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
18-09-2024 17:40
Static task
static1
Behavioral task
behavioral1
Sample
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
Resource
win10v2004-20240802-en
General
-
Target
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
-
Size
11.2MB
-
MD5
4fa734db8e9f7ce5ecd217b34ecc6969
-
SHA1
fbfc15ded2ebd130c92d812c26dc052561f7ff83
-
SHA256
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b
-
SHA512
76ffd5839721ba668762c4458fd8da8fa8edc656c232e5957c253acc67c599846b89bc9acda1ec8dc5b07d229e143d3deca415c528ba4c04bf9264670f74f48a
-
SSDEEP
196608:FfhVx6cyJczra+6msUjFD8rXPLJy5rRUlXmBPzLMAoUsJBK7iskeDqQ7poZ:FfrABJq2+6mnD8b9y9RU8zLMAoUsJBKK
Malware Config
Signatures
-
SectopRAT payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/5084-189-0x0000000000400000-0x00000000004C6000-memory.dmp family_sectoprat -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmpAutoIt3.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation AutoIt3.exe -
Executes dropped EXE 4 IoCs
Processes:
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmpf358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmpAutoIt3.exeAutoIt3.exepid Process 3692 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 2996 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 1804 AutoIt3.exe 4732 AutoIt3.exe -
Loads dropped DLL 2 IoCs
Processes:
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmpf358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmppid Process 3692 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 2996 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
AutoIt3.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\abbkkce = "\"C:\\eegeaeg\\AutoIt3.exe\" C:\\eegeaeg\\abbkkce.a3x" AutoIt3.exe -
Enumerates processes with tasklist 1 TTPs 6 IoCs
Processes:
tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exepid Process 4364 tasklist.exe 1168 tasklist.exe 4912 tasklist.exe 4916 tasklist.exe 3596 tasklist.exe 1256 tasklist.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
AutoIt3.exedescription pid Process procid_target PID 4732 set thread context of 5084 4732 AutoIt3.exe 123 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
PING.EXEf358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmpf358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exeAutoIt3.execmd.exef358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exef358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmpAutoIt3.exeMSBuild.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AutoIt3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AutoIt3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
cmd.exePING.EXEpid Process 3064 cmd.exe 2484 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
AutoIt3.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString AutoIt3.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AutoIt3.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmpMSBuild.exepid Process 2996 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 2996 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 5084 MSBuild.exe 5084 MSBuild.exe 5084 MSBuild.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exeMSBuild.exedescription pid Process Token: SeDebugPrivilege 4364 tasklist.exe Token: SeDebugPrivilege 1168 tasklist.exe Token: SeDebugPrivilege 4912 tasklist.exe Token: SeDebugPrivilege 4916 tasklist.exe Token: SeDebugPrivilege 3596 tasklist.exe Token: SeDebugPrivilege 1256 tasklist.exe Token: SeDebugPrivilege 5084 MSBuild.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmppid Process 2996 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
MSBuild.exepid Process 5084 MSBuild.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exef358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmpf358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exef358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmpcmd.execmd.execmd.execmd.execmd.execmd.exeAutoIt3.execmd.exeAutoIt3.exedescription pid Process procid_target PID 2928 wrote to memory of 3692 2928 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe 82 PID 2928 wrote to memory of 3692 2928 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe 82 PID 2928 wrote to memory of 3692 2928 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe 82 PID 3692 wrote to memory of 4340 3692 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 83 PID 3692 wrote to memory of 4340 3692 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 83 PID 3692 wrote to memory of 4340 3692 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 83 PID 4340 wrote to memory of 2996 4340 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe 84 PID 4340 wrote to memory of 2996 4340 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe 84 PID 4340 wrote to memory of 2996 4340 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe 84 PID 2996 wrote to memory of 1164 2996 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 85 PID 2996 wrote to memory of 1164 2996 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 85 PID 1164 wrote to memory of 4364 1164 cmd.exe 87 PID 1164 wrote to memory of 4364 1164 cmd.exe 87 PID 1164 wrote to memory of 3284 1164 cmd.exe 88 PID 1164 wrote to memory of 3284 1164 cmd.exe 88 PID 2996 wrote to memory of 1248 2996 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 90 PID 2996 wrote to memory of 1248 2996 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 90 PID 1248 wrote to memory of 1168 1248 cmd.exe 94 PID 1248 wrote to memory of 1168 1248 cmd.exe 94 PID 1248 wrote to memory of 5016 1248 cmd.exe 95 PID 1248 wrote to memory of 5016 1248 cmd.exe 95 PID 2996 wrote to memory of 4300 2996 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 96 PID 2996 wrote to memory of 4300 2996 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 96 PID 4300 wrote to memory of 4912 4300 cmd.exe 98 PID 4300 wrote to memory of 4912 4300 cmd.exe 98 PID 4300 wrote to memory of 4704 4300 cmd.exe 99 PID 4300 wrote to memory of 4704 4300 cmd.exe 99 PID 2996 wrote to memory of 1264 2996 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 100 PID 2996 wrote to memory of 1264 2996 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 100 PID 1264 wrote to memory of 4916 1264 cmd.exe 102 PID 1264 wrote to memory of 4916 1264 cmd.exe 102 PID 1264 wrote to memory of 2580 1264 cmd.exe 103 PID 1264 wrote to memory of 2580 1264 cmd.exe 103 PID 2996 wrote to memory of 4248 2996 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 104 PID 2996 wrote to memory of 4248 2996 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 104 PID 4248 wrote to memory of 3596 4248 cmd.exe 106 PID 4248 wrote to memory of 3596 4248 cmd.exe 106 PID 4248 wrote to memory of 908 4248 cmd.exe 107 PID 4248 wrote to memory of 908 4248 cmd.exe 107 PID 2996 wrote to memory of 1996 2996 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 108 PID 2996 wrote to memory of 1996 2996 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 108 PID 1996 wrote to memory of 1256 1996 cmd.exe 110 PID 1996 wrote to memory of 1256 1996 cmd.exe 110 PID 1996 wrote to memory of 2732 1996 cmd.exe 111 PID 1996 wrote to memory of 2732 1996 cmd.exe 111 PID 2996 wrote to memory of 1804 2996 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 112 PID 2996 wrote to memory of 1804 2996 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 112 PID 2996 wrote to memory of 1804 2996 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp 112 PID 1804 wrote to memory of 3064 1804 AutoIt3.exe 117 PID 1804 wrote to memory of 3064 1804 AutoIt3.exe 117 PID 1804 wrote to memory of 3064 1804 AutoIt3.exe 117 PID 3064 wrote to memory of 2484 3064 cmd.exe 119 PID 3064 wrote to memory of 2484 3064 cmd.exe 119 PID 3064 wrote to memory of 2484 3064 cmd.exe 119 PID 3064 wrote to memory of 4732 3064 cmd.exe 121 PID 3064 wrote to memory of 4732 3064 cmd.exe 121 PID 3064 wrote to memory of 4732 3064 cmd.exe 121 PID 4732 wrote to memory of 2740 4732 AutoIt3.exe 122 PID 4732 wrote to memory of 2740 4732 AutoIt3.exe 122 PID 4732 wrote to memory of 2740 4732 AutoIt3.exe 122 PID 4732 wrote to memory of 5084 4732 AutoIt3.exe 123 PID 4732 wrote to memory of 5084 4732 AutoIt3.exe 123 PID 4732 wrote to memory of 5084 4732 AutoIt3.exe 123 PID 4732 wrote to memory of 5084 4732 AutoIt3.exe 123
Processes
-
C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Users\Admin\AppData\Local\Temp\is-US226.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp"C:\Users\Admin\AppData\Local\Temp\is-US226.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp" /SL5="$120052,10740751,812544,C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe" /VERYSILENT /NORESTART3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp"C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp" /SL5="$9004C,10740751,812544,C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe" /VERYSILENT /NORESTART4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"5⤵
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4364
-
-
C:\Windows\system32\find.exefind /I "wrsa.exe"6⤵PID:3284
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"5⤵
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1168
-
-
C:\Windows\system32\find.exefind /I "opssvc.exe"6⤵PID:5016
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"5⤵
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4912
-
-
C:\Windows\system32\find.exefind /I "avastui.exe"6⤵PID:4704
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"5⤵
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4916
-
-
C:\Windows\system32\find.exefind /I "avgui.exe"6⤵PID:2580
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"5⤵
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3596
-
-
C:\Windows\system32\find.exefind /I "nswscsvc.exe"6⤵PID:908
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"5⤵
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1256
-
-
C:\Windows\system32\find.exefind /I "sophoshealth.exe"6⤵PID:2732
-
-
-
C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe"C:\Users\Admin\AppData\Local\acetiam\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\acetiam\\grayhound1..a3x"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\X78XPKeS.a3x && del C:\ProgramData\\X78XPKeS.a3x6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.17⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2484
-
-
C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exeAutoIt3.exe C:\ProgramData\\X78XPKeS.a3x7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe8⤵PID:2740
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe8⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5084
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
C:\Users\Admin\AppData\Local\Temp\is-US226.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
Filesize3.1MB
MD581636f80b1e7c0b8f946c8ff0081436a
SHA19e7b01f8324e089b925cb9050ce74cd099c58370
SHA256ca3de247b4d58905e04277ee2386cedaeff38a0fad1f46bfff304ba9f0710f35
SHA51267432e1a56e043573bc67d904f4c735f70333b35fe6efe2bb11ee1137bdd96bdbd3ed2956dbf8314b3a15ea2b2260fb5d3904481efb96c7dbb6661a32b13a85a
-
Filesize
20KB
MD5a603e09d617fea7517059b4924b1df93
SHA131d66e1496e0229c6a312f8be05da3f813b3fa9e
SHA256ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
SHA512eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc
-
Filesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
Filesize
921KB
MD53f58a517f1f4796225137e7659ad2adb
SHA1e264ba0e9987b0ad0812e5dd4dd3075531cfe269
SHA2561da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48
SHA512acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634
-
Filesize
940KB
MD50bc6d1c595e440233c6daa45813657a0
SHA13a04c1fcd93642fe7b0ad47d67c29344ebddc9a3
SHA2561841f77c752744d0054847a13cccc5851408d2e38caafcb153e37c56a01f6bac
SHA5120fe0b161095deaa389ca9b81e8d0b5210598d1f750cc849828bca77168a9e7be0d747ac01c0a2f1d338e2562dcad7ca372c346b575ceb481b9cd7a24da10362f
-
Filesize
62KB
MD5647d824a19511783d1a011f8b775c1d4
SHA146b0213afa55d27a688e9729ac120d4574318cb5
SHA2568674025ff9edbf37ad8d7e1af8b93bd63e0fe2e8eaea61ee6e1317c468a0e48b
SHA512ed57dcb8817d329bf989b642be2244976f7725edecb5565788eb1643b81b58fd22c39dcdec827b3f7067ae844f4b62622bf8d079679df10af4f203f67efe1d1f