Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-12-2024 09:12
Static task: static1
Behavioral task: behavioral1
Sample: Your file name without extension goes here.exe
Resource: win7-20240903-en
General
Target: Your file name without extension goes here.exe
Size: 378KB
MD5: fbf8e3dc8cbcf036474e0a43a27aa8bd
SHA1: ae8404bdaa3c6a8e115f208f4a63d971061045f9
SHA256: 8d36854957eabf3fb5bc2f0021c00390ee3be13c6f2c1136e5235ef084af966e
SHA512: 4ae7440769fa33110d60a9a1194a5b4d8d6b5b5bd0f0434e2d669c685113ee4c2791791b529ab626d47b954378459d14dbccb55b74df1dbdfdf623d00cfb1caa
SSDEEP: 6144:XHmBiyDOQgsDHYlas0uVtudFt/St2QM8oEQk9rqOVKaohD+6WpR2JVmsS:WBiy6QgGeN0G+t6kAX9rKJ66gRH
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: 69.174.100.131:7000
Mutex: MruG8tu9BvvVUsIA
Attributes:
- install_file: USB.exe

Extracted
Family: asyncrat
Version: 0.5.8
Botnet: Default
C2: 69.174.100.131:6606
Mutex: abkZfsCYRZhk
Attributes:
- delay: 10
- install: false
- install_file: order.exe
- install_folder: %AppData%

Extracted
Family: vipkeylogger
C2 (Telegram Bot API): https://api.telegram.org/bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendMessage?chat_id=6236275763
Signatures
Asyncrat family

Detect Xworm Payload 1 IoCs
resource | yara_rule
behavioral2/memory/2020-19-0x0000000000400000-0x000000000040E000-memory.dmp | family_xworm

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Your file name without extension goes here.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fnhvmp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | eigjvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hprogd.exe

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

Vipkeylogger family

Windows security bypass
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | Your file name without extension goes here.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe = "0" | Your file name without extension goes here.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\fnhvmp.exe = "0" | fnhvmp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\eigjvr.exe = "0" | eigjvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\hprogd.exe = "0" | hprogd.exe

Xworm family
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
632 | powershell.exe
3532 | powershell.exe
3196 | powershell.exe
4376 | powershell.exe
1596 | powershell.exe
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | Your file name without extension goes here.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | fnhvmp.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | eigjvr.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | hprogd.exe
Executes dropped EXE 3 IoCs
pid | Process
980 | fnhvmp.exe
2340 | eigjvr.exe
4860 | hprogd.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe = "0" | Your file name without extension goes here.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\fnhvmp.exe = "0" | fnhvmp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\eigjvr.exe = "0" | eigjvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\hprogd.exe = "0" | hprogd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | Your file name without extension goes here.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | Your file name without extension goes here.exe
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe

Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | eigjvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | eigjvr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | hprogd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hprogd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Your file name without extension goes here.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Your file name without extension goes here.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fnhvmp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fnhvmp.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
23 | checkip.dyndns.org
Suspicious use of SetThreadContext 4 IoCs
description | pid | Process | procid_target
PID 3132 set thread context of 2020 | 3132 | Your file name without extension goes here.exe | 87
PID 980 set thread context of 2324 | 980 | fnhvmp.exe | 111
PID 2340 set thread context of 1264 | 2340 | eigjvr.exe | 119
PID 4860 set thread context of 3804 | 4860 | hprogd.exe | 140
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CasPol.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvcs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msbuild.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jsc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Delays execution with timeout.exe 1 IoCs
pid | Process
1652 | timeout.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process
632 | powershell.exe
632 | powershell.exe
3532 | powershell.exe
3532 | powershell.exe
3196 | powershell.exe
3196 | powershell.exe
3196 | powershell.exe
1264 | jsc.exe
1264 | jsc.exe
1596 | powershell.exe
1596 | powershell.exe
4376 | powershell.exe
4376 | powershell.exe
4376 | powershell.exe
Suspicious use of AdjustPrivilegeToken 9 IoCs
description | pid | Process
Token: SeDebugPrivilege | 632 | powershell.exe
Token: SeDebugPrivilege | 2020 | regsvcs.exe
Token: SeDebugPrivilege | 3532 | powershell.exe
Token: SeDebugPrivilege | 3196 | powershell.exe
Token: SeDebugPrivilege | 1264 | jsc.exe
Token: SeDebugPrivilege | 2324 | msbuild.exe
Token: SeDebugPrivilege | 1596 | powershell.exe
Token: SeDebugPrivilege | 4376 | powershell.exe
Token: SeDebugPrivilege | 3804 | CasPol.exe
Suspicious use of WriteProcessMemory 64 IoCs
Identical rows are collapsed below; the last column gives how many times each row appears in the report (64 in total).
description | pid | Process | procid_target | rows
PID 3132 wrote to memory of 632 | 3132 | Your file name without extension goes here.exe | 84 | 2
PID 3132 wrote to memory of 3640 | 3132 | Your file name without extension goes here.exe | 86 | 3
PID 3132 wrote to memory of 2020 | 3132 | Your file name without extension goes here.exe | 87 | 8
PID 3132 wrote to memory of 3840 | 3132 | Your file name without extension goes here.exe | 88 | 3
PID 2020 wrote to memory of 980 | 2020 | regsvcs.exe | 104 | 2
PID 2020 wrote to memory of 2340 | 2020 | regsvcs.exe | 106 | 2
PID 980 wrote to memory of 3532 | 980 | fnhvmp.exe | 108 | 2
PID 980 wrote to memory of 3832 | 980 | fnhvmp.exe | 110 | 3
PID 980 wrote to memory of 2324 | 980 | fnhvmp.exe | 111 | 8
PID 980 wrote to memory of 2464 | 980 | fnhvmp.exe | 112 | 3
PID 2340 wrote to memory of 3196 | 2340 | eigjvr.exe | 114 | 2
PID 2340 wrote to memory of 4416 | 2340 | eigjvr.exe | 117 | 3
PID 2340 wrote to memory of 1248 | 2340 | eigjvr.exe | 118 | 3
PID 2340 wrote to memory of 1264 | 2340 | eigjvr.exe | 119 | 8
PID 2340 wrote to memory of 2080 | 2340 | eigjvr.exe | 120 | 3
PID 2324 wrote to memory of 4500 | 2324 | msbuild.exe | 128 | 3
PID 2324 wrote to memory of 3872 | 2324 | msbuild.exe | 130 | 3
PID 3872 wrote to memory of 1652 | 3872 | cmd.exe | 133 | 3
System policy modification 1 TTPs 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Your file name without extension goes here.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fnhvmp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | eigjvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hprogd.exe
outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe

outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe"
  PID: 3132
  - UAC bypass
  - Windows security bypass
  - Checks computer location settings
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - System policy modification

  Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe" -Force
    PID: 632
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Depth 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    PID: 3640

  Depth 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
    PID: 2020
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Local\Temp\fnhvmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\fnhvmp.exe"
      PID: 980
      - UAC bypass
      - Windows security bypass
      - Checks computer location settings
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - System policy modification

      Depth 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fnhvmp.exe" -Force
        PID: 3532
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      Depth 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        PID: 3832

      Depth 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        PID: 2324
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        Depth 5: C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\hprogd.exe"' & exit
          PID: 4500
          - System Location Discovery: System Language Discovery

          Depth 6: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\hprogd.exe"'
            PID: 1596
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            Depth 7: C:\Users\Admin\AppData\Local\Temp\hprogd.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\hprogd.exe"
              PID: 4860
              - UAC bypass
              - Windows security bypass
              - Checks computer location settings
              - Executes dropped EXE
              - Windows security modification
              - Checks whether UAC is enabled
              - Suspicious use of SetThreadContext
              - System policy modification

              Depth 8: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\hprogd.exe" -Force
                PID: 4376
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

              Depth 8: C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                PID: 3940

              Depth 8: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                PID: 3804
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken

              Depth 8: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                PID: 3924

        Depth 5: C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5F90.tmp.bat""
          PID: 3872
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          Depth 6: C:\Windows\SysWOW64\timeout.exe
            Command line: timeout 2
            PID: 1652
            - System Location Discovery: System Language Discovery
            - Delays execution with timeout.exe

      Depth 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        PID: 2464

    Depth 3: C:\Users\Admin\AppData\Local\Temp\eigjvr.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\eigjvr.exe"
      PID: 2340
      - UAC bypass
      - Windows security bypass
      - Checks computer location settings
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - System policy modification

      Depth 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\eigjvr.exe" -Force
        PID: 3196
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      Depth 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        PID: 4416

      Depth 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
        PID: 1248

      Depth 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        PID: 1264
        - Accesses Microsoft Outlook profiles
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path

      Depth 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        PID: 2080

  Depth 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
    PID: 3840
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (4)
Downloads