35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6

Analysis

max time kernel
120s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe
Size

328KB
MD5

eeb75c6ee0358e22180738dc900a0850
SHA1

f84c221c7bc554a80602051a914835aed6c3c44e
SHA256

35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6
SHA512

b28769d86a0da29ad7bbe139f46b6c306f07c3c8f266bc939eb60d4a218de492169259b24cbd0f35726cbbf7ea92fb276ca624d24da52c1a48d35cad90c8953a
SSDEEP

6144:J2XgY8FFX7Z6A/P352p4gFs/e8PeAZuon2T5T7UcIGMAQTeJ:J2X1cFx/PAp4ks/e6Fn2dEZGjQSJ

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\conhost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\conhost.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\conhost.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe

Executes dropped EXE 4 IoCs

pid	Process
1228	35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe
2012	conhost.exe
244	conhost.exe
2364	conhost.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1228-8-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1228-11-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1228-12-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1228-38-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2364-57-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2364-55-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2364-51-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/1228-64-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/244-68-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2364-69-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2364-73-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2364-76-0x0000000000400000-0x000000000047B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Console Window Host = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\conhost.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2668 set thread context of 1228	2668	35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe	91
PID 2012 set thread context of 244	2012	conhost.exe	97
PID 2012 set thread context of 2364	2012	conhost.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1064	reg.exe
3276	reg.exe
4304	reg.exe
3384	reg.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

description	pid	Process
Token: 1	2364	conhost.exe
Token: SeCreateTokenPrivilege	2364	conhost.exe
Token: SeAssignPrimaryTokenPrivilege	2364	conhost.exe
Token: SeLockMemoryPrivilege	2364	conhost.exe
Token: SeIncreaseQuotaPrivilege	2364	conhost.exe
Token: SeMachineAccountPrivilege	2364	conhost.exe
Token: SeTcbPrivilege	2364	conhost.exe
Token: SeSecurityPrivilege	2364	conhost.exe
Token: SeTakeOwnershipPrivilege	2364	conhost.exe
Token: SeLoadDriverPrivilege	2364	conhost.exe
Token: SeSystemProfilePrivilege	2364	conhost.exe
Token: SeSystemtimePrivilege	2364	conhost.exe
Token: SeProfSingleProcessPrivilege	2364	conhost.exe
Token: SeIncBasePriorityPrivilege	2364	conhost.exe
Token: SeCreatePagefilePrivilege	2364	conhost.exe
Token: SeCreatePermanentPrivilege	2364	conhost.exe
Token: SeBackupPrivilege	2364	conhost.exe
Token: SeRestorePrivilege	2364	conhost.exe
Token: SeShutdownPrivilege	2364	conhost.exe
Token: SeDebugPrivilege	2364	conhost.exe
Token: SeAuditPrivilege	2364	conhost.exe
Token: SeSystemEnvironmentPrivilege	2364	conhost.exe
Token: SeChangeNotifyPrivilege	2364	conhost.exe
Token: SeRemoteShutdownPrivilege	2364	conhost.exe
Token: SeUndockPrivilege	2364	conhost.exe
Token: SeSyncAgentPrivilege	2364	conhost.exe
Token: SeEnableDelegationPrivilege	2364	conhost.exe
Token: SeManageVolumePrivilege	2364	conhost.exe
Token: SeImpersonatePrivilege	2364	conhost.exe
Token: SeCreateGlobalPrivilege	2364	conhost.exe
Token: 31	2364	conhost.exe
Token: 32	2364	conhost.exe
Token: 33	2364	conhost.exe
Token: 34	2364	conhost.exe
Token: 35	2364	conhost.exe
Token: SeDebugPrivilege	244	conhost.exe
Token: SeDebugPrivilege	244	conhost.exe
Token: SeDebugPrivilege	244	conhost.exe
Token: SeDebugPrivilege	244	conhost.exe
Token: SeDebugPrivilege	244	conhost.exe
Token: SeDebugPrivilege	244	conhost.exe
Token: SeDebugPrivilege	244	conhost.exe
Token: SeDebugPrivilege	244	conhost.exe
Token: SeDebugPrivilege	244	conhost.exe
Token: SeDebugPrivilege	244	conhost.exe
Token: SeDebugPrivilege	244	conhost.exe
Token: SeDebugPrivilege	244	conhost.exe
Token: SeDebugPrivilege	244	conhost.exe
Token: SeDebugPrivilege	244	conhost.exe
Token: SeDebugPrivilege	244	conhost.exe
Token: SeDebugPrivilege	244	conhost.exe
Token: SeDebugPrivilege	244	conhost.exe
Token: SeDebugPrivilege	244	conhost.exe
Token: SeDebugPrivilege	244	conhost.exe
Token: SeDebugPrivilege	244	conhost.exe
Token: SeDebugPrivilege	244	conhost.exe
Token: SeDebugPrivilege	244	conhost.exe
Token: SeDebugPrivilege	244	conhost.exe
Token: SeDebugPrivilege	244	conhost.exe
Token: SeDebugPrivilege	244	conhost.exe
Token: SeDebugPrivilege	244	conhost.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2668	35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe
1228	35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe
2012	conhost.exe
2364	conhost.exe
244	conhost.exe
2364	conhost.exe
2364	conhost.exe
2364	conhost.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 1228	2668	35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe	91
PID 2668 wrote to memory of 1228	2668	35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe	91
PID 2668 wrote to memory of 1228	2668	35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe	91
PID 2668 wrote to memory of 1228	2668	35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe	91
PID 2668 wrote to memory of 1228	2668	35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe	91
PID 2668 wrote to memory of 1228	2668	35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe	91
PID 2668 wrote to memory of 1228	2668	35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe	91
PID 2668 wrote to memory of 1228	2668	35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe	91
PID 1228 wrote to memory of 3144	1228	35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe	92
PID 1228 wrote to memory of 3144	1228	35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe	92
PID 1228 wrote to memory of 3144	1228	35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe	92
PID 3144 wrote to memory of 1676	3144	cmd.exe	95
PID 3144 wrote to memory of 1676	3144	cmd.exe	95
PID 3144 wrote to memory of 1676	3144	cmd.exe	95
PID 1228 wrote to memory of 2012	1228	35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe	96
PID 1228 wrote to memory of 2012	1228	35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe	96
PID 1228 wrote to memory of 2012	1228	35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe	96
PID 2012 wrote to memory of 244	2012	conhost.exe	97
PID 2012 wrote to memory of 244	2012	conhost.exe	97
PID 2012 wrote to memory of 244	2012	conhost.exe	97
PID 2012 wrote to memory of 244	2012	conhost.exe	97
PID 2012 wrote to memory of 244	2012	conhost.exe	97
PID 2012 wrote to memory of 244	2012	conhost.exe	97
PID 2012 wrote to memory of 244	2012	conhost.exe	97
PID 2012 wrote to memory of 244	2012	conhost.exe	97
PID 2012 wrote to memory of 2364	2012	conhost.exe	98
PID 2012 wrote to memory of 2364	2012	conhost.exe	98
PID 2012 wrote to memory of 2364	2012	conhost.exe	98
PID 2012 wrote to memory of 2364	2012	conhost.exe	98
PID 2012 wrote to memory of 2364	2012	conhost.exe	98
PID 2012 wrote to memory of 2364	2012	conhost.exe	98
PID 2012 wrote to memory of 2364	2012	conhost.exe	98
PID 2012 wrote to memory of 2364	2012	conhost.exe	98
PID 2364 wrote to memory of 3752	2364	conhost.exe	99
PID 2364 wrote to memory of 3752	2364	conhost.exe	99
PID 2364 wrote to memory of 3752	2364	conhost.exe	99
PID 2364 wrote to memory of 2040	2364	conhost.exe	100
PID 2364 wrote to memory of 2040	2364	conhost.exe	100
PID 2364 wrote to memory of 2040	2364	conhost.exe	100
PID 2364 wrote to memory of 5020	2364	conhost.exe	101
PID 2364 wrote to memory of 5020	2364	conhost.exe	101
PID 2364 wrote to memory of 5020	2364	conhost.exe	101
PID 2364 wrote to memory of 3928	2364	conhost.exe	103
PID 2364 wrote to memory of 3928	2364	conhost.exe	103
PID 2364 wrote to memory of 3928	2364	conhost.exe	103
PID 3752 wrote to memory of 1064	3752	cmd.exe	107
PID 3752 wrote to memory of 1064	3752	cmd.exe	107
PID 3752 wrote to memory of 1064	3752	cmd.exe	107
PID 3928 wrote to memory of 3276	3928	cmd.exe	108
PID 3928 wrote to memory of 3276	3928	cmd.exe	108
PID 3928 wrote to memory of 3276	3928	cmd.exe	108
PID 2040 wrote to memory of 4304	2040	cmd.exe	109
PID 2040 wrote to memory of 4304	2040	cmd.exe	109
PID 2040 wrote to memory of 4304	2040	cmd.exe	109
PID 5020 wrote to memory of 3384	5020	cmd.exe	110
PID 5020 wrote to memory of 3384	5020	cmd.exe	110
PID 5020 wrote to memory of 3384	5020	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe
"C:\Users\Admin\AppData\Local\Temp\35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe
  "C:\Users\Admin\AppData\Local\Temp\35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VJNIG.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Console Window Host" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:1676
- - C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe
      "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:244
  - - C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe
      "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2364
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3752
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1064
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe:*:Enabled:Windows Messanger" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2040
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4304
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5020
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3384
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\conhost.exe:*:Enabled:Windows Messanger" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3928
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\conhost.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6N.exe

Filesize
328KB

MD5
eeb75c6ee0358e22180738dc900a0850

SHA1
f84c221c7bc554a80602051a914835aed6c3c44e

SHA256
35fa4d421411e037ef322f4db833dd2d877dbe66137d498156d6b379046a2fd6

SHA512
b28769d86a0da29ad7bbe139f46b6c306f07c3c8f266bc939eb60d4a218de492169259b24cbd0f35726cbbf7ea92fb276ca624d24da52c1a48d35cad90c8953a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VJNIG.txt

Filesize
154B

MD5
0d0a854e96bddf0e7df7f5f024674226

SHA1
f45ca9c7f935422ddfb0550febdfc7a09baf2d98

SHA256
5bab0b5c3ef8a28a7246854074a5a469c602a10ac803d18f2102399597d35907

SHA512
8b6db387b3bb5774c691bcdd4d9f3a147e1556eee89fe1de929464510c01b14495157c14cbb355fc850b79dee500b8be7ae7a0c3b5ea0916d6eb9154f9ae73a8

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe

Filesize
328KB

MD5
1a550e73557b5ba410bccbd96d16c9e3

SHA1
0830e5bd786d440a8a77dfbbac12a34cb683db4c

SHA256
1175819d3cf6d3b8148404bbab28b356599d613eb379817c973a885dc415ea58

SHA512
3cbf492320dc9ac04b3352418def37877d5a9f29e09929672be9fa6b24f0f601391dad2d13775532645e78ffe61bea91fcaefb576f4ae8fce17b486997bdf09f

Download Submit
memory/244-68-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1228-38-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1228-12-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1228-8-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1228-64-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1228-11-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2012-63-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2012-41-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2012-43-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2012-42-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2012-40-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2364-55-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2364-57-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2364-51-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2364-69-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2364-73-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2364-76-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2668-2-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/2668-4-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/2668-5-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/2668-7-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/2668-6-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/2668-3-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads