phorphiex | f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cb

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-02-2025 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Size

2.0MB
MD5

ceb98b76d72157e11d2935221d38e5f0
SHA1

043051babc45144cdfe9a15f0d122b6708c4e78d
SHA256

f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cb
SHA512

911115790cdba8ea17553398edef3ced31538be90f64ba7c2cbca6f356dbbc0392fc57a4889a400553ca30d261036c59f3a2d6f562354693accd79a09e9e63c0
SSDEEP

49152:XPEpksGULjU7cAGVRHxOOonAjZPeDaAVDjzP/V/O:XcpkCfUIvVRjoSZCzVm

Score

10^/10

phorphiex discovery loader persistence spyware stealer trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66

Signatures

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00050000000195c5-80.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Downloads MZ/PE file 5 IoCs

flow	pid	Process
44	1056	41611544.exe
7	2412	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
19	2800	4C2D.exe
21	1348	4C2E.exe
13	2740	E975.exe

Executes dropped EXE 40 IoCs

pid	Process
2740	E975.exe
2800	4C2D.exe
1348	4C2E.exe
2240	1454830656.exe
1320	208631454.exe
2296	sysnldcvmr.exe
2052	6317.exe
2424	359420404.exe
2768	7B77.exe
2116	7B86.exe
1856	138238118.exe
2120	193438219.exe
1056	41611544.exe
1460	93E7.exe
300	93F6.exe
2344	93E6.exe
1836	9405.exe
1628	443625487.exe
1556	1068928645.exe
3064	1075229053.exe
1920	2743930173.exe
3236	A786.exe
3288	A787.exe
3316	A7A6.exe
3336	A795.exe
3448	A7A5.exe
3480	A7A7.exe
3688	A785.exe
3744	A7B4.exe
3860	640512332.exe
3964	646812740.exe
4020	2012312894.exe
3428	2576913812.exe
3516	2315513861.exe
3648	1520915033.exe
3792	168015696.exe
3232	1836716816.exe
3668	477517071.exe
4084	1969016004.exe
3148	153431352.exe

Loads dropped DLL 57 IoCs

pid	Process
2412	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
1620	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
2772	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
2740	E975.exe
2740	E975.exe
1348	4C2E.exe
1348	4C2E.exe
1696	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
2052	6317.exe
2052	6317.exe
2844	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
2140	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
2768	7B77.exe
2768	7B77.exe
2116	7B86.exe
2116	7B86.exe
2296	sysnldcvmr.exe
2392	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
688	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
1676	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
1356	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
1056	41611544.exe
1460	93E7.exe
1460	93E7.exe
300	93F6.exe
300	93F6.exe
1836	9405.exe
1836	9405.exe
580	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
2556	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
2692	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
2964	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
2664	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
1528	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
1996	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
2836	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
3236	A786.exe
3236	A786.exe
3288	A787.exe
3288	A787.exe
3316	A7A6.exe
3316	A7A6.exe
3336	A795.exe
3336	A795.exe
3448	A7A5.exe
3448	A7A5.exe
3480	A7A7.exe
3480	A7A7.exe
3688	A785.exe
3688	A785.exe
3744	A7B4.exe
3744	A7B4.exe
1056	41611544.exe
2344	93E6.exe
2344	93E6.exe
2800	4C2D.exe
2800	4C2D.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	1454830656.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sysnldcvmr.exe	1454830656.exe
File opened for modification	C:\Windows\sysnldcvmr.exe	1454830656.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1454830656.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7B77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93F6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A7A6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4C2D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A7B4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A7A5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6317.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A786.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A785.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93E6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93E7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41611544.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4C2E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7B86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E975.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A7A7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9405.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A787.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A795.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe

Checks processor information in registry 2 TTPs 32 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2772	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1620	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
1620	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
1620	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1620	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
1620	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
1620	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2740	2412	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	32
PID 2412 wrote to memory of 2740	2412	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	32
PID 2412 wrote to memory of 2740	2412	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	32
PID 2412 wrote to memory of 2740	2412	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	32
PID 2412 wrote to memory of 2772	2412	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	33
PID 2412 wrote to memory of 2772	2412	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	33
PID 2412 wrote to memory of 2772	2412	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	33
PID 2412 wrote to memory of 2772	2412	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	33
PID 2412 wrote to memory of 1620	2412	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	34
PID 2412 wrote to memory of 1620	2412	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	34
PID 2412 wrote to memory of 1620	2412	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	34
PID 2412 wrote to memory of 1620	2412	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	34
PID 1620 wrote to memory of 1348	1620	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	35
PID 1620 wrote to memory of 1348	1620	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	35
PID 1620 wrote to memory of 1348	1620	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	35
PID 1620 wrote to memory of 1348	1620	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	35
PID 2772 wrote to memory of 2800	2772	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	36
PID 2772 wrote to memory of 2800	2772	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	36
PID 2772 wrote to memory of 2800	2772	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	36
PID 2772 wrote to memory of 2800	2772	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	36
PID 2740 wrote to memory of 2240	2740	E975.exe	38
PID 2740 wrote to memory of 2240	2740	E975.exe	38
PID 2740 wrote to memory of 2240	2740	E975.exe	38
PID 2740 wrote to memory of 2240	2740	E975.exe	38
PID 1348 wrote to memory of 1320	1348	4C2E.exe	39
PID 1348 wrote to memory of 1320	1348	4C2E.exe	39
PID 1348 wrote to memory of 1320	1348	4C2E.exe	39
PID 1348 wrote to memory of 1320	1348	4C2E.exe	39
PID 2240 wrote to memory of 2296	2240	1454830656.exe	41
PID 2240 wrote to memory of 2296	2240	1454830656.exe	41
PID 2240 wrote to memory of 2296	2240	1454830656.exe	41
PID 2240 wrote to memory of 2296	2240	1454830656.exe	41
PID 2412 wrote to memory of 1696	2412	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	42
PID 2412 wrote to memory of 1696	2412	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	42
PID 2412 wrote to memory of 1696	2412	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	42
PID 2412 wrote to memory of 1696	2412	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	42
PID 1696 wrote to memory of 2052	1696	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	43
PID 1696 wrote to memory of 2052	1696	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	43
PID 1696 wrote to memory of 2052	1696	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	43
PID 1696 wrote to memory of 2052	1696	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	43
PID 2052 wrote to memory of 2424	2052	6317.exe	44
PID 2052 wrote to memory of 2424	2052	6317.exe	44
PID 2052 wrote to memory of 2424	2052	6317.exe	44
PID 2052 wrote to memory of 2424	2052	6317.exe	44
PID 1696 wrote to memory of 2140	1696	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	45
PID 1696 wrote to memory of 2140	1696	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	45
PID 1696 wrote to memory of 2140	1696	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	45
PID 1696 wrote to memory of 2140	1696	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	45
PID 2412 wrote to memory of 2844	2412	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	46
PID 2412 wrote to memory of 2844	2412	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	46
PID 2412 wrote to memory of 2844	2412	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	46
PID 2412 wrote to memory of 2844	2412	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	46
PID 2844 wrote to memory of 2116	2844	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	47
PID 2844 wrote to memory of 2116	2844	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	47
PID 2844 wrote to memory of 2116	2844	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	47
PID 2844 wrote to memory of 2116	2844	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	47
PID 2140 wrote to memory of 2768	2140	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	48
PID 2140 wrote to memory of 2768	2140	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	48
PID 2140 wrote to memory of 2768	2140	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	48
PID 2140 wrote to memory of 2768	2140	f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe	48
PID 2768 wrote to memory of 1856	2768	7B77.exe	50
PID 2768 wrote to memory of 1856	2768	7B77.exe	50
PID 2768 wrote to memory of 1856	2768	7B77.exe	50
PID 2768 wrote to memory of 1856	2768	7B77.exe	50

C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
"C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe"
1⤵
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Temp\E975.exe
  "C:\Users\Admin\AppData\Local\Temp\E975.exe"
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\1454830656.exe
    C:\Users\Admin\AppData\Local\Temp\1454830656.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\sysnldcvmr.exe
      C:\Windows\sysnldcvmr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2296
    - - C:\Users\Admin\AppData\Local\Temp\41611544.exe
        
        C:\Users\Admin\AppData\Local\Temp\41611544.exe
        5⤵
        Downloads MZ/PE file
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1056
      - C:\Users\Admin\AppData\Local\Temp\443625487.exe
        
        C:\Users\Admin\AppData\Local\Temp\443625487.exe
        6⤵
        Executes dropped EXE
        
        PID:1628
      - C:\Users\Admin\AppData\Local\Temp\477517071.exe
        
        C:\Users\Admin\AppData\Local\Temp\477517071.exe
        6⤵
        Executes dropped EXE
        
        PID:3668
- C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
  "C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe" --local-service
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\AppData\Local\Temp\4C2D.exe
    "C:\Users\Admin\AppData\Local\Temp\4C2D.exe"
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\153431352.exe
      C:\Users\Admin\AppData\Local\Temp\153431352.exe
      4⤵
      Executes dropped EXE
      PID:3148
- C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
  "C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe" --local-control
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Users\Admin\AppData\Local\Temp\4C2E.exe
    "C:\Users\Admin\AppData\Local\Temp\4C2E.exe"
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Users\Admin\AppData\Local\Temp\208631454.exe
      C:\Users\Admin\AppData\Local\Temp\208631454.exe
      4⤵
      Executes dropped EXE
      PID:1320
- C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
  "C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe" --frontend
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\6317.exe
    "C:\Users\Admin\AppData\Local\Temp\6317.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Users\Admin\AppData\Local\Temp\359420404.exe
      C:\Users\Admin\AppData\Local\Temp\359420404.exe
      4⤵
      Executes dropped EXE
      PID:2424
- - C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
    "C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe" --frontend
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Users\Admin\AppData\Local\Temp\7B77.exe
      "C:\Users\Admin\AppData\Local\Temp\7B77.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Users\Admin\AppData\Local\Temp\138238118.exe
        
        C:\Users\Admin\AppData\Local\Temp\138238118.exe
        5⤵
        Executes dropped EXE
        
        PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
      "C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe" --frontend
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:1676
    - - C:\Users\Admin\AppData\Local\Temp\93E6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\93E6.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2344
      - C:\Users\Admin\AppData\Local\Temp\1969016004.exe
        
        C:\Users\Admin\AppData\Local\Temp\1969016004.exe
        6⤵
        Executes dropped EXE
        
        PID:4084
    - - C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe" --frontend
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:2964
      - C:\Users\Admin\AppData\Local\Temp\A795.exe
        
        "C:\Users\Admin\AppData\Local\Temp\A795.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\2576913812.exe
        
        C:\Users\Admin\AppData\Local\Temp\2576913812.exe
        7⤵
        Executes dropped EXE
        
        PID:3428
  - - C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
      "C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe" --frontend
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:2664
    - - C:\Users\Admin\AppData\Local\Temp\A7A5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\A7A5.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3448
      - C:\Users\Admin\AppData\Local\Temp\2315513861.exe
        
        C:\Users\Admin\AppData\Local\Temp\2315513861.exe
        6⤵
        Executes dropped EXE
        
        PID:3516
- - C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
    "C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe" --frontend
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:688
  - - C:\Users\Admin\AppData\Local\Temp\93F6.exe
      "C:\Users\Admin\AppData\Local\Temp\93F6.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:300
    - - C:\Users\Admin\AppData\Local\Temp\1075229053.exe
        
        C:\Users\Admin\AppData\Local\Temp\1075229053.exe
        5⤵
        Executes dropped EXE
        
        PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
      "C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe" --frontend
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:2836
    - - C:\Users\Admin\AppData\Local\Temp\A7B4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\A7B4.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3744
      - C:\Users\Admin\AppData\Local\Temp\1836716816.exe
        
        C:\Users\Admin\AppData\Local\Temp\1836716816.exe
        6⤵
        Executes dropped EXE
        
        PID:3232
- - C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
    "C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe" --frontend
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\A787.exe
      "C:\Users\Admin\AppData\Local\Temp\A787.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3288
    - - C:\Users\Admin\AppData\Local\Temp\646812740.exe
        
        C:\Users\Admin\AppData\Local\Temp\646812740.exe
        5⤵
        Executes dropped EXE
        
        PID:3964
- C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
  "C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe" --frontend
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Users\Admin\AppData\Local\Temp\7B86.exe
    "C:\Users\Admin\AppData\Local\Temp\7B86.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\193438219.exe
      C:\Users\Admin\AppData\Local\Temp\193438219.exe
      4⤵
      Executes dropped EXE
      PID:2120
- - C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
    "C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe" --frontend
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\93E7.exe
      "C:\Users\Admin\AppData\Local\Temp\93E7.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1460
    - - C:\Users\Admin\AppData\Local\Temp\1068928645.exe
        
        C:\Users\Admin\AppData\Local\Temp\1068928645.exe
        5⤵
        Executes dropped EXE
        
        PID:1556
  - - C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
      "C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe" --frontend
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:580
    - - C:\Users\Admin\AppData\Local\Temp\A786.exe
        
        "C:\Users\Admin\AppData\Local\Temp\A786.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3236
      - C:\Users\Admin\AppData\Local\Temp\640512332.exe
        
        C:\Users\Admin\AppData\Local\Temp\640512332.exe
        6⤵
        Executes dropped EXE
        
        PID:3860
- - C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
    "C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe" --frontend
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\A7A6.exe
      "C:\Users\Admin\AppData\Local\Temp\A7A6.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3316
    - - C:\Users\Admin\AppData\Local\Temp\2012312894.exe
        
        C:\Users\Admin\AppData\Local\Temp\2012312894.exe
        5⤵
        Executes dropped EXE
        
        PID:4020
- C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
  "C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe" --frontend
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1356
- - C:\Users\Admin\AppData\Local\Temp\9405.exe
    "C:\Users\Admin\AppData\Local\Temp\9405.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\2743930173.exe
      C:\Users\Admin\AppData\Local\Temp\2743930173.exe
      4⤵
      Executes dropped EXE
      PID:1920
- - C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
    "C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe" --frontend
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\A785.exe
      "C:\Users\Admin\AppData\Local\Temp\A785.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3688
    - - C:\Users\Admin\AppData\Local\Temp\168015696.exe
        
        C:\Users\Admin\AppData\Local\Temp\168015696.exe
        5⤵
        Executes dropped EXE
        
        PID:3792
- C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe
  "C:\Users\Admin\AppData\Local\Temp\f7895aa8fa1b005a4f5593d38fb12acf4922c7533a8c5109317ce0f2708304cbN.exe" --frontend
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\A7A7.exe
    "C:\Users\Admin\AppData\Local\Temp\A7A7.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3480
  - - C:\Users\Admin\AppData\Local\Temp\1520915033.exe
      C:\Users\Admin\AppData\Local\Temp\1520915033.exe
      4⤵
      Executes dropped EXE
      PID:3648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1454830656.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
23KB

MD5
8b7329d370ade020a3d5ead8749b7045

SHA1
b974dfaf24436f270a967801e79cfbfddd12c75c

SHA256
1765c0eceb13f593f7c450085cd51f1cee6ba39d8add4530ce2dc74352c37910

SHA512
333f4d3be7341cba7f0c211577aab9d5985ae6041e55b3898997b0803db5bc8330b27fb4817586ebbb4be9a773317af37f20c4152aab3a8f7e894324cfad1d63

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
32KB

MD5
3bca715db3554a2046ebf69c7930b82b

SHA1
a279bb6a350c89aedfafe7cb91f537237c1fc994

SHA256
ae9e52c501defa07a140d39ef3dbca12e3586f9a28c9fcc741c86e79f27a2cc5

SHA512
d13e8175286897a3a31fa24c79cf29874535cec0adc93a0728a8e36f133d981d7ac87dc34dae3c7fdfaf67269bae1f18562c0f65e447e3803435ca9038916da6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
44KB

MD5
c651185e2f3a5f74dae28a9898b6af9a

SHA1
f003342761825b4192615281c5b8c17de8903e98

SHA256
3a13a951baae9ffdb5df9cca419b7ee2ea9a162b9dc15223c7b9b214dcf89d5c

SHA512
5bd6b07fd3d452c63d0fea2b3d1dbb98aafe9086c23917c050297c59fd8699785f4700a0b3bad6f76581a307ca47cd1e9d143176d81ce1c1dbd6f8e0f02ec9bd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
47KB

MD5
b888d93410a40eed108479f80adf9a32

SHA1
94deb1ffd6eeac4929247f0685bf3e2457968ed5

SHA256
eae79bad5f7ebb0d0409879dab6ff8a28e05e04df3520401ed02528a57e7231c

SHA512
88986907e840f7116bcc72149c22394d2447f23d4f15b836b78f429f0b1a096114ab22621ba5bba95aa4e16b674a22aebbdb5931012dd420a920edda419bbdab

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
4a7c4227d89da83bc4d41e1301abae05

SHA1
6bd469f5693d4b55286dc8396151ec3b81df4982

SHA256
503e2e550f9539bb41265ca75b874445ecbc38bcf86e6b450c4630e02ff38ab6

SHA512
224ccfb855a72cc755927cd9a7203e6d939f7052210d7ef66e3ec2f591de3a91425116da103c1b78618f756b9f163c2244b8893c00cb2cedb0cae5423251bf96

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
0a4fdc96232c7aefae84da10f9bec090

SHA1
303b1205a79cb1869a65bbff77d99dd726bb89b4

SHA256
263ffc6eaf90b61e85f357a41e632870704cbffc7c99ddb3a3e56fb4cee2a9c1

SHA512
c08fdaa024ff40a2fd507d5179942f12e35fe5f036eb70a838956e4f13e33d38358ca1839e96153a60680e841dfd26c85c8f2812dce64e60d81a33c9bf291c1c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
bb93b5aa9eef4b7f6f9e8f7e81cebea2

SHA1
4af00d6b3a7b6b8f00967bb2496caed28956c22b

SHA256
40bc3e1f1a3398023cbb602c89c15d026a388182de4cc1c25908730aab93db66

SHA512
4f5e54eb4d6907996f4cc368213dc4bcdba65b82527bf1c653b03dd283736c9d89cf7b52489220527621a8b8686fb1b39451ed00d7fac5a30b4ba86761c8334e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
f25e48e1d9e1e1398bc5fbc6885570b8

SHA1
46557c8ebb9236af6c28c9bdd317d1d25749e710

SHA256
0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db

SHA512
41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
132B

MD5
123c524682c9ff72ec7924efdb41b28c

SHA1
1e696d9f3e2bf149773186496c7ab9d5df35f9dd

SHA256
e67a68c5e7fa7d227a2fbdd50789472dbbf58471664b1d9b776a579de2757ff6

SHA512
676e5e2c4ff76b1942c1013a7ee9cd88b42424798e07c699c0cb534575bf4f6908366fe9c9a7e17d81e3f2209bf3fd7dd31463cdab5eea5d19475c10c00f696b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6Z05PZGNO2XY0C3FGRIS.temp

Filesize
4KB

MD5
3db26bd141934c86c1e27a497187f717

SHA1
3340075dfdeb47edba087ac3c8c53f5589b64128

SHA256
021b06caffa37abfbb50823dd076463b25d2f7e87d5ac65960d5e2161cbc1372

SHA512
209cf8ca3ae7f02b92f6f0a4a1b9dd817c722484b5cbc00c9e24313fac605d068ac124625a5dde0c684764c3d5c763416d5ce18358940be96c836d2f8774a4e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
4KB

MD5
6d29d8bd238b8e14307413d6c10acf45

SHA1
dc1b5b256cfda4e0013ea6fae52576d083c446ad

SHA256
ff39f255874a29466f9344c910733be92cbddd4058bf11f14a00999440410f34

SHA512
ca1a940278b6646fadd61ac16282f6fe9484a51e4b5d47fe12a1182240a0f42423be5a98270cf3674391ca0e95673b70102bf255e5e2053f2d96c26f55abab57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
4KB

MD5
c04bd0de2da1a1c20b52bfabb29eb014

SHA1
e0488a1ed7f38e33bebe4d92920c5fad4204207f

SHA256
63f2642369af59e8053ab4aeb85be4a78840926638c972fa5395272472630cdc

SHA512
e948158103c4afc839f9dc326c24bb84e02e3784af16b82e05035640ab034b07e772dab7f06183d20f5ac320bcc7ca5dbad38e8359d39c2312edf2a2f94e78da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
4KB

MD5
5bd7968c511e5efeb5431b029c0ce611

SHA1
3cc4282543f0e319756a96bae77a5a295faadc5b

SHA256
c3f2e88c0e55581ad58547f34c4468ffe0fcfea585bb4a441433aff651111fb5

SHA512
1299af984709c4317775ea9678f5ea8d99d94e7f99e1936bf4b1ae53a0051cbec62291324caee083d646c927ba00b3eb4984148ae065be9ad8f8762756cf78ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
4KB

MD5
c6cecd4e56f1f4679723770d3b7e6628

SHA1
161160e55c4674052d29f3d2d7f384d0c78b5779

SHA256
a03e16e19f7ba3fcb11b3f335df449752a29aa06bc469ec8656320deadc3c814

SHA512
0425fe642e24cbfbcf9382c5d1d1c4cf46d6040ec544cd3f2c000373383e72ed5f5fa8aa7bf6e77f0ac12db6e4bb9281d4d22f91100fc2df58f9ddd128737be3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SOTWS7UJMZLJO14OG4UN.temp

Filesize
4KB

MD5
8362cde25e43504c57044b3425645c2d

SHA1
19062a97b65a4b06ed318cf49bf2a0f266ed80c3

SHA256
29211cb495ba442c04724f0aa5d47a1a1e19087fc18eaa3f12629a197146417c

SHA512
edadc8f32037e87ad8845e02600f116cca44a9544f5cf64946c62284b1faef2dbd7aad39cae3946698e7f55e0ae8e47e327f6cf4124b7980520ad2e953665d00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V51XGKR7QQBDIAL1S7GG.temp

Filesize
4KB

MD5
00a464538bdf5e3b998dacc2ee4a8963

SHA1
b8980795d12743d9f1d8d57be47558cbf090ff00

SHA256
a49bfc360db954c6153db17f5b6525d468f1c952b69da4d1ad6b979ce2ce6318

SHA512
79907e89b9ee74eb0ffdb57ba6257873a13cb3e2e8d61df4f5fcf31c4c64acba8b3d212659a4936dd46b8744eb6657518ce7a146131c22da58424f7124f5e53c

Download Submit
\Users\Admin\AppData\Local\Temp\41611544.exe

Filesize
14KB

MD5
c0a7393e77b025643047012b5e08509c

SHA1
1e876d036c59f1d3340292357ad9619e13e37e31

SHA256
c764dcdd16ec3b7bcbef1a45db4ef60305541779cd95bff01c16427ee941b44b

SHA512
f9937e8265990ce36f8f6c879680ec166f9ec9233d601e761f06cff8b2ebaa23e5e1336233d60430208ae95d6c8b94b369e9c1ae2c4bbd7cfbc9a1f738d01dbe

Download Submit
\Users\Admin\AppData\Local\Temp\E975.exe

Filesize
10KB

MD5
8ce09f13942ab5bcb81b175996c8385f

SHA1
6fa685d66ac5fff4e9d984dc1903c47a1a6b6cbd

SHA256
757bf8be40693456e7cdee5c53416d1cb223da5f7d0b9d55f4aca95f6a57605d

SHA512
11ae4651b3dd55355b2cb7bf2f6b042dea47bb895f898d967d63ee652652c633cc5becf31cb2fd7f8797b238b264195d09d4e08211b797eae29e2a7bb31b277f

Download Submit
memory/580-554-0x0000000000400000-0x0000000000C77DA0-memory.dmp

Filesize
8.5MB

Download
memory/688-548-0x0000000000400000-0x0000000000C77DA0-memory.dmp

Filesize
8.5MB

Download
memory/1356-547-0x0000000000400000-0x0000000000C77DA0-memory.dmp

Filesize
8.5MB

Download
memory/1528-557-0x0000000000400000-0x0000000000C77DA0-memory.dmp

Filesize
8.5MB

Download
memory/1620-147-0x0000000000400000-0x0000000000C77DA0-memory.dmp

Filesize
8.5MB

Download
memory/1620-41-0x0000000000400000-0x0000000000C77DA0-memory.dmp

Filesize
8.5MB

Download
memory/1676-545-0x0000000000400000-0x0000000000C77DA0-memory.dmp

Filesize
8.5MB

Download
memory/1696-110-0x0000000000400000-0x0000000000C77DA0-memory.dmp

Filesize
8.5MB

Download
memory/1696-221-0x0000000000400000-0x0000000000C77DA0-memory.dmp

Filesize
8.5MB

Download
memory/1996-553-0x0000000000400000-0x0000000000C77DA0-memory.dmp

Filesize
8.5MB

Download
memory/2140-341-0x0000000000400000-0x0000000000C77DA0-memory.dmp

Filesize
8.5MB

Download
memory/2392-546-0x0000000000400000-0x0000000000C77DA0-memory.dmp

Filesize
8.5MB

Download
memory/2412-12-0x0000000000400000-0x0000000000C77DA0-memory.dmp

Filesize
8.5MB

Download
memory/2412-8-0x0000000000400000-0x0000000000C77DA0-memory.dmp

Filesize
8.5MB

Download
memory/2412-94-0x0000000000400000-0x0000000000C77DA0-memory.dmp

Filesize
8.5MB

Download
memory/2412-10-0x0000000000404000-0x0000000000A82000-memory.dmp

Filesize
6.5MB

Download
memory/2412-143-0x0000000000404000-0x0000000000A82000-memory.dmp

Filesize
6.5MB

Download
memory/2556-556-0x0000000000400000-0x0000000000C77DA0-memory.dmp

Filesize
8.5MB

Download
memory/2664-560-0x0000000000400000-0x0000000000C77DA0-memory.dmp

Filesize
8.5MB

Download
memory/2692-555-0x0000000000400000-0x0000000000C77DA0-memory.dmp

Filesize
8.5MB

Download
memory/2772-322-0x0000000000400000-0x0000000000C77DA0-memory.dmp

Filesize
8.5MB

Download
memory/2772-549-0x0000000000400000-0x0000000000C77DA0-memory.dmp

Filesize
8.5MB

Download
memory/2772-45-0x0000000000400000-0x0000000000C77DA0-memory.dmp

Filesize
8.5MB

Download
memory/2772-146-0x0000000000400000-0x0000000000C77DA0-memory.dmp

Filesize
8.5MB

Download
memory/2836-559-0x0000000000400000-0x0000000000C77DA0-memory.dmp

Filesize
8.5MB

Download
memory/2844-342-0x0000000000400000-0x0000000000C77DA0-memory.dmp

Filesize
8.5MB

Download
memory/2964-558-0x0000000000400000-0x0000000000C77DA0-memory.dmp

Filesize
8.5MB

Download