Overview

overview

10

Static

static

3

Order conf...25.exe

windows7-x64

10

Order conf...25.exe

windows10-2004-x64

10

Qt5Core.dll

windows7-x64

10

Qt5Core.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-01-2025 01:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Order confirmation for PO 7UH2025.exe

  • Size

    549KB

  • MD5

    f61aec6b837c52490e5af74f2558decd

  • SHA1

    90d0c4a77384dcfb04b27f66a889e8bb627ff06c

  • SHA256

    9c0ad5329e00794b6b9591cf7f4f633cd2d0e3d1209d50b99cb48838fe63b79a

  • SHA512

    c8cadeef5cf02efbfa34df770063a78b82ff2ca5280bb0b47f85e41e9609c3978ec88cc4ddb6cf2fc7fbbad0547215ef3c61f7721e1c66315061ec2ee8ec17fd

  • SSDEEP

    12288:2pzQijkXRZXMnWJsGQkHgQ0cNrSdSG774u4U4U4U+H0U4H0U4UjU+J4J4H4f4D4z:kciwXvXrQkHg8NrSdSG779LLLS/o/L49

Score
10/10
agenttesladiscoverykeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.transotraval.cl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    vIZ2P]dt&a!d

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Order confirmation for PO 7UH2025.exe
    "C:\Users\Admin\AppData\Local\Temp\Order confirmation for PO 7UH2025.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2588
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2752
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2848
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2496
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1972
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2456
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2504
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:344
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2668
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3060
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:356
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1628
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
        PID:1716
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2636
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1884
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2352
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2860
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        2⤵
          PID:1524
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1116
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1056
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          2⤵
            PID:1320
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:1496
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:1736
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:1704
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            2⤵
              PID:1192
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              2⤵
                PID:2568
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                2⤵
                  PID:2720
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                  2⤵
                    PID:2948
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    2⤵
                      PID:2536
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                      2⤵
                        PID:1640
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                        2⤵
                          PID:1412
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                          2⤵
                            PID:2828
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                            2⤵
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1920
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                            2⤵
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1664
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                            2⤵
                            • System Location Discovery: System Language Discovery
                            PID:2684
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                            2⤵
                            • System Location Discovery: System Language Discovery
                            PID:2152
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                            2⤵
                            • System Location Discovery: System Language Discovery
                            PID:1288
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                            2⤵
                            • System Location Discovery: System Language Discovery
                            PID:2980
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                            2⤵
                              PID:1680
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                              2⤵
                                PID:752
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                                2⤵
                                  PID:112
                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                                  2⤵
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1692
                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                  2⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:1300
                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                  2⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:2864
                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                  2⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:2404
                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                  2⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:2756
                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                  2⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:2576
                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                  2⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:2772
                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                  2⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:2924
                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                  2⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:2800
                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                  2⤵
                                    PID:2940
                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                    2⤵
                                      PID:1052
                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                                      2⤵
                                        PID:2572
                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                                        2⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:2096
                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                        2⤵
                                          PID:2296
                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                          2⤵
                                            PID:748
                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                            2⤵
                                              PID:772
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                              2⤵
                                                PID:2544
                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                                2⤵
                                                  PID:2888
                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                  2⤵
                                                    PID:2768
                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                    2⤵
                                                    • System Location Discovery: System Language Discovery
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2612
                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                    2⤵
                                                      PID:2628
                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                                      2⤵
                                                        PID:2584
                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                        2⤵
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1016
                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                        2⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:1848
                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                        2⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:1080
                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                        2⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:348
                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                        2⤵
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:992
                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                        2⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:2364
                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                        2⤵
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2676
                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                        2⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:2316
                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                        2⤵
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:340
                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                        2⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:2136
                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                        2⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:904
                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                        2⤵
                                                          PID:2476
                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                          2⤵
                                                            PID:2852
                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                            2⤵
                                                              PID:2512
                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                              2⤵
                                                                PID:272
                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                2⤵
                                                                  PID:2212
                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                  2⤵
                                                                    PID:2140
                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                    2⤵
                                                                      PID:2680
                                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                      2⤵
                                                                        PID:2740
                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                        2⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:2188
                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                        2⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:2024
                                                                      • C:\Windows\system32\WerFault.exe
                                                                        C:\Windows\system32\WerFault.exe -u -p 2552 -s 888
                                                                        2⤵
                                                                          PID:1648

                                                                      Network

                                                                      MITRE ATT&CK Enterprise v15

                                                                      Replay Monitor

                                                                      Loading Replay Monitor...

                                                                      Downloads

                                                                      • memory/2588-1-0x0000000000400000-0x0000000000442000-memory.dmp

                                                                        Filesize

                                                                        264KB

                                                                        Download

                                                                      • memory/2588-10-0x0000000000400000-0x0000000000442000-memory.dmp

                                                                        Filesize

                                                                        264KB

                                                                        Download

                                                                      • memory/2588-0-0x0000000000400000-0x0000000000442000-memory.dmp

                                                                        Filesize

                                                                        264KB

                                                                        Download

                                                                      • memory/2588-8-0x0000000000400000-0x0000000000442000-memory.dmp

                                                                        Filesize

                                                                        264KB

                                                                        Download

                                                                      • memory/2588-15-0x0000000000400000-0x0000000000442000-memory.dmp

                                                                        Filesize

                                                                        264KB

                                                                        Download

                                                                      • memory/2752-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                                        Filesize

                                                                        4KB

                                                                        Download

                                                                      • memory/2752-11-0x0000000000400000-0x0000000000442000-memory.dmp

                                                                        Filesize

                                                                        264KB

                                                                        Download

                                                                      • memory/2752-9-0x0000000000400000-0x0000000000442000-memory.dmp

                                                                        Filesize

                                                                        264KB

                                                                        Download