Analysis

max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted: 07-12-2024 18:38

Static task: static1
Behavioral task: behavioral1
Sample: b-crypted.exe
Resource: win7-20240708-en
General

Target: b-crypted.exe
Size: 8.4MB
MD5: b45f3a137a961c8498ee21a246e983ec
SHA1: f7a2dc2bac844aad018498f224adf51f285c1f1b
SHA256: 17cc88b4f9976d16cc5c807e91b034fecc721f9988cc52e2056a01e99aabc900
SHA512: ee339e5f4853c425d838493aa9fdac55273601482b804be183367118832d4677375daa46e08755d1f472725cb9d35612e570095f1afffe3db1d336fb139d20bc
SSDEEP: 196608:HWIWSNScyO62XEXOV7QUY1MlROz8Uk2Ew2GdKxvY7n7wls8bg:NWSBybi7qelRc8UFAGwxAGs80
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  2364  systemuser.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2744  RegAsm.exe
  2364  systemuser.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow  ioc
  4     raw.githubusercontent.com
  5     raw.githubusercontent.com

Enumerates processes with tasklist (1 TTP, 29 IoCs)
pid Process 3016 tasklist.exe 2912 tasklist.exe 2908 tasklist.exe 1620 tasklist.exe 2656 tasklist.exe 1924 tasklist.exe 2076 tasklist.exe 1604 tasklist.exe 888 tasklist.exe 2648 tasklist.exe 2508 tasklist.exe 2580 tasklist.exe 1372 tasklist.exe 1740 tasklist.exe 1536 tasklist.exe 2768 tasklist.exe 2364 tasklist.exe 952 tasklist.exe 2404 tasklist.exe 1608 tasklist.exe 2072 tasklist.exe 3000 tasklist.exe 1764 tasklist.exe 1036 tasklist.exe 2292 tasklist.exe 2788 tasklist.exe 1976 tasklist.exe 2376 tasklist.exe 908 tasklist.exe -
Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process        procid_target
  PID 1920 set thread context of 2744  1920  b-crypted.exe  34

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DllHost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b-crypted.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RegAsm.exe

Delays execution with timeout.exe (28 IoCs)
pid Process 2528 timeout.exe 2980 timeout.exe 1808 timeout.exe 532 timeout.exe 2900 timeout.exe 1476 timeout.exe 1984 timeout.exe 2144 timeout.exe 2308 timeout.exe 1688 timeout.exe 1496 timeout.exe 1656 timeout.exe 2284 timeout.exe 1296 timeout.exe 1644 timeout.exe 968 timeout.exe 2984 timeout.exe 556 timeout.exe 2512 timeout.exe 2120 timeout.exe 336 timeout.exe 1436 timeout.exe 2756 timeout.exe 2636 timeout.exe 2840 timeout.exe 3004 timeout.exe 2392 timeout.exe 2936 timeout.exe -
Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid Process 1920 b-crypted.exe 1920 b-crypted.exe 1920 b-crypted.exe 1920 b-crypted.exe 1920 b-crypted.exe 1920 b-crypted.exe 2364 systemuser.exe 2364 systemuser.exe 2364 systemuser.exe -
Suspicious use of AdjustPrivilegeToken (31 IoCs)
description pid Process Token: SeDebugPrivilege 1920 b-crypted.exe Token: SeDebugPrivilege 2364 systemuser.exe Token: SeDebugPrivilege 2580 tasklist.exe Token: SeDebugPrivilege 2072 tasklist.exe Token: SeDebugPrivilege 3000 tasklist.exe Token: SeDebugPrivilege 1764 tasklist.exe Token: SeDebugPrivilege 952 tasklist.exe Token: SeDebugPrivilege 2376 tasklist.exe Token: SeDebugPrivilege 1372 tasklist.exe Token: SeDebugPrivilege 1924 tasklist.exe Token: SeDebugPrivilege 1536 tasklist.exe Token: SeDebugPrivilege 908 tasklist.exe Token: SeDebugPrivilege 2292 tasklist.exe Token: SeDebugPrivilege 1740 tasklist.exe Token: SeDebugPrivilege 2076 tasklist.exe Token: SeDebugPrivilege 888 tasklist.exe Token: SeDebugPrivilege 1604 tasklist.exe Token: SeDebugPrivilege 2404 tasklist.exe Token: SeDebugPrivilege 3016 tasklist.exe Token: SeDebugPrivilege 2912 tasklist.exe Token: SeDebugPrivilege 2768 tasklist.exe Token: SeDebugPrivilege 2648 tasklist.exe Token: SeDebugPrivilege 2908 tasklist.exe Token: SeDebugPrivilege 2788 tasklist.exe Token: SeDebugPrivilege 1620 tasklist.exe Token: SeDebugPrivilege 2656 tasklist.exe Token: SeDebugPrivilege 1608 tasklist.exe Token: SeDebugPrivilege 2508 tasklist.exe Token: SeDebugPrivilege 1976 tasklist.exe Token: SeDebugPrivilege 1036 tasklist.exe Token: SeDebugPrivilege 2364 tasklist.exe -
Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2608  DllHost.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2608  DllHost.exe
  2608  DllHost.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description pid Process procid_target PID 1920 wrote to memory of 2984 1920 b-crypted.exe 31 PID 1920 wrote to memory of 2984 1920 b-crypted.exe 31 PID 1920 wrote to memory of 2984 1920 b-crypted.exe 31 PID 1920 wrote to memory of 2984 1920 b-crypted.exe 31 PID 1920 wrote to memory of 2984 1920 b-crypted.exe 31 PID 1920 wrote to memory of 2984 1920 b-crypted.exe 31 PID 1920 wrote to memory of 2984 1920 b-crypted.exe 31 PID 1920 wrote to memory of 2908 1920 b-crypted.exe 32 PID 1920 wrote to memory of 2908 1920 b-crypted.exe 32 PID 1920 wrote to memory of 2908 1920 b-crypted.exe 32 PID 1920 wrote to memory of 2908 1920 b-crypted.exe 32 PID 1920 wrote to memory of 2908 1920 b-crypted.exe 32 PID 1920 wrote to memory of 2908 1920 b-crypted.exe 32 PID 1920 wrote to memory of 2908 1920 b-crypted.exe 32 PID 1920 wrote to memory of 2932 1920 b-crypted.exe 33 PID 1920 wrote to memory of 2932 1920 b-crypted.exe 33 PID 1920 wrote to memory of 2932 1920 b-crypted.exe 33 PID 1920 wrote to memory of 2932 1920 b-crypted.exe 33 PID 1920 wrote to memory of 2932 1920 b-crypted.exe 33 PID 1920 wrote to memory of 2932 1920 b-crypted.exe 33 PID 1920 wrote to memory of 2932 1920 b-crypted.exe 33 PID 1920 wrote to memory of 2744 1920 b-crypted.exe 34 PID 1920 wrote to memory of 2744 1920 b-crypted.exe 34 PID 1920 wrote to memory of 2744 1920 b-crypted.exe 34 PID 1920 wrote to memory of 2744 1920 b-crypted.exe 34 PID 1920 wrote to memory of 2744 1920 b-crypted.exe 34 PID 1920 wrote to memory of 2744 1920 b-crypted.exe 34 PID 1920 wrote to memory of 2744 1920 b-crypted.exe 34 PID 1920 wrote to memory of 2744 1920 b-crypted.exe 34 PID 1920 wrote to memory of 2744 1920 b-crypted.exe 34 PID 1920 wrote to memory of 2744 1920 b-crypted.exe 34 PID 1920 wrote to memory of 2744 1920 b-crypted.exe 34 PID 1920 wrote to memory of 2744 1920 b-crypted.exe 34 PID 2744 wrote to memory of 2364 2744 RegAsm.exe 36 PID 2744 wrote to memory of 2364 2744 RegAsm.exe 36 PID 2744 wrote to memory of 2364 2744 
RegAsm.exe 36 PID 2744 wrote to memory of 2364 2744 RegAsm.exe 36 PID 2364 wrote to memory of 2016 2364 systemuser.exe 38 PID 2364 wrote to memory of 2016 2364 systemuser.exe 38 PID 2364 wrote to memory of 2016 2364 systemuser.exe 38 PID 2016 wrote to memory of 2212 2016 cmd.exe 40 PID 2016 wrote to memory of 2212 2016 cmd.exe 40 PID 2016 wrote to memory of 2212 2016 cmd.exe 40 PID 2016 wrote to memory of 2580 2016 cmd.exe 41 PID 2016 wrote to memory of 2580 2016 cmd.exe 41 PID 2016 wrote to memory of 2580 2016 cmd.exe 41 PID 2016 wrote to memory of 2524 2016 cmd.exe 42 PID 2016 wrote to memory of 2524 2016 cmd.exe 42 PID 2016 wrote to memory of 2524 2016 cmd.exe 42 PID 2016 wrote to memory of 2284 2016 cmd.exe 43 PID 2016 wrote to memory of 2284 2016 cmd.exe 43 PID 2016 wrote to memory of 2284 2016 cmd.exe 43 PID 2016 wrote to memory of 2072 2016 cmd.exe 44 PID 2016 wrote to memory of 2072 2016 cmd.exe 44 PID 2016 wrote to memory of 2072 2016 cmd.exe 44 PID 2016 wrote to memory of 568 2016 cmd.exe 45 PID 2016 wrote to memory of 568 2016 cmd.exe 45 PID 2016 wrote to memory of 568 2016 cmd.exe 45 PID 2016 wrote to memory of 3004 2016 cmd.exe 46 PID 2016 wrote to memory of 3004 2016 cmd.exe 46 PID 2016 wrote to memory of 3004 2016 cmd.exe 46 PID 2016 wrote to memory of 3000 2016 cmd.exe 47 PID 2016 wrote to memory of 3000 2016 cmd.exe 47 PID 2016 wrote to memory of 3000 2016 cmd.exe 47
Processes

C:\Users\Admin\AppData\Local\Temp\b-crypted.exe  (PID 1920)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b-crypted.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 2984)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 2908)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 2932)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 2744)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\systemuser.exe  (PID 2364)
      Command line: "C:\Users\Admin\AppData\Roaming\systemuser.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\cmd.exe  (PID 2016)
        Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp48E2.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp48E2.tmp.bat
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\chcp.com  (PID 2212)
          Command line: chcp 65001
        C:\Windows\system32\tasklist.exe  (PID 2580)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 2524)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 2284)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 2072)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 568)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 3004)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 3000)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 2596)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 532)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 1764)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 316)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 1496)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 952)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 440)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 2120)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 2376)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 1516)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 968)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 1372)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 1592)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 1656)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 1924)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 700)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 1296)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 1536)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 276)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 1644)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 908)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 916)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 336)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 2292)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 2012)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 1688)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 1740)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 800)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 2144)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 2076)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 1728)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 2308)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 888)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 112)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 2392)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 1604)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 2388)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 1436)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 2404)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 1272)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 2936)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 3016)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 2348)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 2900)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 2912)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 2924)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 2756)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 2768)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 2176)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 2528)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 2648)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 2740)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 2984)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 2908)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 2932)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 2980)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 2788)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 2652)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 1808)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 1620)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 1160)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 2636)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 2656)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 2724)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 556)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 1608)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 2824)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 2840)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 2508)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 1280)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 2512)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 1976)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 2504)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 1476)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 1036)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 1796)
          Command line: find ":"
        C:\Windows\system32\timeout.exe  (PID 1984)
          Command line: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
        C:\Windows\system32\tasklist.exe  (PID 2364)
          Command line: Tasklist /fi "PID eq 2364"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\find.exe  (PID 1752)
          Command line: find ":"

C:\Windows\SysWOW64\DllHost.exe  (PID 2608)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 300B
MD5: d8d528ac7f4d915f969af74c8a8e1b05
SHA1: 1a0e9951afdff775a7232aabd9f7d8bce196cc91
SHA256: cdb72898aa191e13b428c1146672034e8ddbc210d78c4d0adb7020877468a9dd
SHA512: d429c103b0b2ff20982e7d2b3301ff2114db1d187c5a0c59cf6161cfab5e0d38e224350821b4aca2c197ae64c8ec5e892e82f74e1e27d9bf498b04998be4773d

Filesize: 97KB
MD5: 14465d8d0f4688a4366c3bf163ba0a17
SHA1: 9f1fa68a285db742e4834f7d670cae415ce6b3b6
SHA256: 3f3c5ce486e5b9fa88dc60b60916053e8808c69167df1a11287fd3cd6db1ca6e
SHA512: 01db4fac75136baf9c162265785877b21fba9c4b8d9dbe4e495191f15aa9c914e3d5baf1c4606041279a7138c7e5c8f4ccf6e64689354fc3fb3fa66ab3b1da2d

Filesize: 1.7MB
MD5: 65ccd6ecb99899083d43f7c24eb8f869
SHA1: 27037a9470cc5ed177c0b6688495f3a51996a023
SHA256: aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4
SHA512: 533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Filesize: 5.6MB
MD5: 5328cd66093855fbb2127332ad78cdd6
SHA1: 7605e73efa3a3bd1c42beddad226ccf355f80e4c
SHA256: 90daa714224ac1b53c423442d1cd0425bc678c721402ae757034258248d43106
SHA512: 0e4428281adf02fedaee64233fb63c1296009aa0dbe233036be841afb2bb5443769812389613ef696821cdc9750193599d2bda6b567b92301796bbea8a84098c