Overview

overview

10

Static

static

3

Order conf...25.exe

windows7-x64

10

Order conf...25.exe

windows10-2004-x64

10

Qt5Core.dll

windows7-x64

10

Qt5Core.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-01-2025 01:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Order confirmation for PO 7UH2025.exe

  • Size

    549KB

  • MD5

    f61aec6b837c52490e5af74f2558decd

  • SHA1

    90d0c4a77384dcfb04b27f66a889e8bb627ff06c

  • SHA256

    9c0ad5329e00794b6b9591cf7f4f633cd2d0e3d1209d50b99cb48838fe63b79a

  • SHA512

    c8cadeef5cf02efbfa34df770063a78b82ff2ca5280bb0b47f85e41e9609c3978ec88cc4ddb6cf2fc7fbbad0547215ef3c61f7721e1c66315061ec2ee8ec17fd

  • SSDEEP

    12288:2pzQijkXRZXMnWJsGQkHgQ0cNrSdSG774u4U4U4U+H0U4H0U4UjU+J4J4H4f4D4z:kciwXvXrQkHg8NrSdSG779LLLS/o/L49

Score
10/10
agenttesladiscoverykeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.transotraval.cl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    vIZ2P]dt&a!d

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Order confirmation for PO 7UH2025.exe
    "C:\Users\Admin\AppData\Local\Temp\Order confirmation for PO 7UH2025.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4860
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
        PID:4544
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2888
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2424
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1924
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        2⤵
          PID:1976
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:524
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:5060
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1628
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1648
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2088
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1904
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1588
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          2⤵
            PID:3620
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
            2⤵
              PID:1504
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
              2⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1064
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              2⤵
              • System Location Discovery: System Language Discovery
              PID:1576
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              2⤵
              • System Location Discovery: System Language Discovery
              PID:4848
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              2⤵
                PID:2388
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                2⤵
                • System Location Discovery: System Language Discovery
                PID:4612
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                2⤵
                • System Location Discovery: System Language Discovery
                PID:4104
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                2⤵
                  PID:676
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                  2⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4372
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                  2⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1136
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:4548
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:1844
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                  2⤵
                    PID:4668
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    2⤵
                      PID:3676
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                      2⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3488
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:4592
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                      2⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4780
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                      2⤵
                        PID:3720
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                        2⤵
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:60
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                        2⤵
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3836
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                        2⤵
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:404
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                        2⤵
                          PID:3404
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                          2⤵
                            PID:4776
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                            2⤵
                              PID:4116
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                              2⤵
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4760
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                              2⤵
                                PID:4716
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                2⤵
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2364
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                2⤵
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2320
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                2⤵
                                • System Location Discovery: System Language Discovery
                                PID:3728
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                2⤵
                                  PID:1128
                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                  2⤵
                                    PID:3116
                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                                    2⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:3884
                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                    2⤵
                                      PID:708
                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                      2⤵
                                        PID:948
                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                        2⤵
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3936
                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                        2⤵
                                          PID:2736
                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                          2⤵
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1304
                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                          2⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:1384
                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                          2⤵
                                            PID:4756
                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                            2⤵
                                              PID:1756
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                              2⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:2452
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                              2⤵
                                                PID:2840
                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                2⤵
                                                  PID:636
                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                                  2⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2788
                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                  2⤵
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:4536
                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                  2⤵
                                                    PID:4952
                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                                    2⤵
                                                      PID:2868
                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                      2⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:3504
                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                      2⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:1552
                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                      2⤵
                                                        PID:2240
                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                                        2⤵
                                                          PID:4220
                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                                                          2⤵
                                                          • System Location Discovery: System Language Discovery
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:4020
                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                          2⤵
                                                          • System Location Discovery: System Language Discovery
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1364
                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                          2⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:3608
                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                          2⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:4576
                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                          2⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:4120
                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                          2⤵
                                                            PID:4856
                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                                            2⤵
                                                              PID:5088
                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                                                              2⤵
                                                              • System Location Discovery: System Language Discovery
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:4424
                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                              2⤵
                                                              • System Location Discovery: System Language Discovery
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:400
                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                              2⤵
                                                                PID:3476
                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                                                2⤵
                                                                  PID:908
                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                                                                  2⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:2832
                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                  2⤵
                                                                    PID:3888
                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                    2⤵
                                                                      PID:2648
                                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                      2⤵
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:1028
                                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                      2⤵
                                                                        PID:232
                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                                                        2⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:4400
                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                        2⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:5096
                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                        2⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:4736
                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                        2⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:2028
                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                        2⤵
                                                                          PID:1192
                                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                                                          2⤵
                                                                            PID:4640
                                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                            2⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:2936
                                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                            2⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:3392
                                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                            2⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:2944
                                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                            2⤵
                                                                              PID:2604
                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                              2⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:3084
                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                              2⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:1692
                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                              2⤵
                                                                                PID:2812
                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                                2⤵
                                                                                  PID:1824
                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                                  2⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:1936
                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                                  2⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:3308
                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                                  2⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:224

                                                                              Network

                                                                              MITRE ATT&CK Enterprise v15

                                                                              Replay Monitor

                                                                              Loading Replay Monitor...

                                                                              Downloads

                                                                              • memory/1064-17-0x0000000005650000-0x00000000056B6000-memory.dmp

                                                                                Filesize

                                                                                408KB

                                                                                Download

                                                                              • memory/2424-15-0x0000000005400000-0x00000000059A4000-memory.dmp

                                                                                Filesize

                                                                                5.6MB

                                                                                Download

                                                                              • memory/2888-0-0x0000000000400000-0x0000000000442000-memory.dmp

                                                                                Filesize

                                                                                264KB

                                                                                Download

                                                                              • memory/4424-75-0x00000000062E0000-0x0000000006330000-memory.dmp

                                                                                Filesize

                                                                                320KB

                                                                                Download

                                                                              • memory/4424-76-0x00000000063D0000-0x0000000006462000-memory.dmp

                                                                                Filesize

                                                                                584KB

                                                                                Download

                                                                              • memory/4424-77-0x0000000006360000-0x000000000636A000-memory.dmp

                                                                                Filesize

                                                                                40KB

                                                                                Download