Overview

overview

10

Static

static

3

Order conf...25.exe

windows7-x64

10

Order conf...25.exe

windows10-2004-x64

10

Qt5Core.dll

windows7-x64

10

Qt5Core.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-01-2025 01:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Order confirmation for PO 7UH2025.exe

  • Size

    549KB

  • MD5

    f61aec6b837c52490e5af74f2558decd

  • SHA1

    90d0c4a77384dcfb04b27f66a889e8bb627ff06c

  • SHA256

    9c0ad5329e00794b6b9591cf7f4f633cd2d0e3d1209d50b99cb48838fe63b79a

  • SHA512

    c8cadeef5cf02efbfa34df770063a78b82ff2ca5280bb0b47f85e41e9609c3978ec88cc4ddb6cf2fc7fbbad0547215ef3c61f7721e1c66315061ec2ee8ec17fd

  • SSDEEP

    12288:2pzQijkXRZXMnWJsGQkHgQ0cNrSdSG774u4U4U4U+H0U4H0U4UjU+J4J4H4f4D4z:kciwXvXrQkHg8NrSdSG779LLLS/o/L49

Score
10/10
agenttesladiscoverykeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.transotraval.cl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    vIZ2P]dt&a!d

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 45 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Order confirmation for PO 7UH2025.exe
    "C:\Users\Admin\AppData\Local\Temp\Order confirmation for PO 7UH2025.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3060
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2788
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2676
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
        PID:2876
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
        2⤵
          PID:1336
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2548
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          2⤵
            PID:2992
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2604
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2880
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2368
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:1564
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:1680
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:600
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2524
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2056
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:1096
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:1104
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:1100
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:1644
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:796
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            2⤵
              PID:1712
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
              2⤵
              • System Location Discovery: System Language Discovery
              PID:644
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              2⤵
              • System Location Discovery: System Language Discovery
              PID:2944
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              2⤵
                PID:2484
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                2⤵
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:672
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                2⤵
                  PID:2508
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                  2⤵
                    PID:2696
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                    2⤵
                      PID:2708
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                      2⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2672
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                      2⤵
                        PID:1748
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                        2⤵
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1700
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                        2⤵
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:968
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                        2⤵
                        • System Location Discovery: System Language Discovery
                        PID:884
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                        2⤵
                        • System Location Discovery: System Language Discovery
                        PID:1984
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                        2⤵
                        • System Location Discovery: System Language Discovery
                        PID:1168
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                        2⤵
                          PID:1972
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                          2⤵
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1636
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:2628
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                          2⤵
                            PID:1608
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                            2⤵
                            • System Location Discovery: System Language Discovery
                            PID:1376
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                            2⤵
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2300
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                            2⤵
                            • System Location Discovery: System Language Discovery
                            PID:2444
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                            2⤵
                              PID:1592
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                              2⤵
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1768
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                              2⤵
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1016
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                              2⤵
                              • System Location Discovery: System Language Discovery
                              PID:316
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                              2⤵
                              • System Location Discovery: System Language Discovery
                              PID:2408
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                              2⤵
                              • System Location Discovery: System Language Discovery
                              PID:2712
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                              2⤵
                                PID:2128
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                2⤵
                                • System Location Discovery: System Language Discovery
                                PID:1816
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                2⤵
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1884
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                2⤵
                                • System Location Discovery: System Language Discovery
                                PID:2932
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                2⤵
                                  PID:2952
                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                  2⤵
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3032
                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                  2⤵
                                    PID:304
                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                    2⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:2812
                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                    2⤵
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1740
                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                    2⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:372
                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                    2⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:2344
                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                    2⤵
                                      PID:1744
                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                      2⤵
                                        PID:1460
                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                                        2⤵
                                          PID:2292
                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                                          2⤵
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2960
                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                          2⤵
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:552
                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                          2⤵
                                            PID:1996
                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                            2⤵
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1936
                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                            2⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:1732
                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                            2⤵
                                              PID:3000
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                              2⤵
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2420
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                              2⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:2184
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                              2⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:2644
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                              2⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:2852
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                              2⤵
                                                PID:2412
                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                                2⤵
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1980
                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                2⤵
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:912
                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                2⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:2756
                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                2⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:3028
                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                2⤵
                                                  PID:2196
                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                  2⤵
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1356
                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                  2⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2996
                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                  2⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2760
                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                  2⤵
                                                    PID:2764
                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                    2⤵
                                                    • System Location Discovery: System Language Discovery
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2188
                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                    2⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:576
                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                    2⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:2228
                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                    2⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:480
                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                    2⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:776
                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                    2⤵
                                                      PID:960
                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                      2⤵
                                                        PID:2432
                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                                        2⤵
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2448
                                                      • C:\Windows\system32\WerFault.exe
                                                        C:\Windows\system32\WerFault.exe -u -p 3060 -s 932
                                                        2⤵
                                                          PID:2772

                                                      Network

                                                      MITRE ATT&CK Enterprise v15

                                                      Replay Monitor

                                                      Loading Replay Monitor...

                                                      Downloads

                                                      • memory/1336-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2676-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2788-0-0x0000000000400000-0x0000000000442000-memory.dmp

                                                        Filesize

                                                        264KB

                                                        Download

                                                      • memory/2788-6-0x0000000000400000-0x0000000000442000-memory.dmp

                                                        Filesize

                                                        264KB

                                                        Download

                                                      • memory/2788-14-0x0000000000400000-0x0000000000442000-memory.dmp

                                                        Filesize

                                                        264KB

                                                        Download

                                                      • memory/2788-4-0x0000000000400000-0x0000000000442000-memory.dmp

                                                        Filesize

                                                        264KB

                                                        Download

                                                      • memory/2788-2-0x0000000000400000-0x0000000000442000-memory.dmp

                                                        Filesize

                                                        264KB

                                                        Download

                                                      • memory/2788-11-0x0000000000400000-0x0000000000442000-memory.dmp

                                                        Filesize

                                                        264KB

                                                        Download

                                                      • memory/2788-10-0x0000000000400000-0x0000000000442000-memory.dmp

                                                        Filesize

                                                        264KB

                                                        Download