038819e56f3acc6b043d2c44d7eb8c55b9fd5f9db67d89df07ebc3d8eab5411b

Analysis

max time kernel
22s
max time network
51s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
28/03/2025, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TestDD.exe
Size

140.5MB
MD5

8b6cd0525dfd43863b71ce7b998a89a6
SHA1

2c1ab496f8ea81315f18042c8f23bed17ce999fa
SHA256

038819e56f3acc6b043d2c44d7eb8c55b9fd5f9db67d89df07ebc3d8eab5411b
SHA512

8eec6b57043111d1e6a02ad4d8d560a48f30055f9a9c6c4ab5788134724bb3246c68f0a2a076a8d510621873e103f0cf42a2d2fd4413e9be607b318eabfc39cf
SSDEEP

1572864:jJurcMWsO2ZB0ax8triD1Ss2t23l2DXbfD25cGGH:jMrwdt74Sv8cba9s

Score

8^/10

defense_evasion discovery persistence ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
defense_evasion

Adds Run key to start application 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RestoreTaskManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TestDD.exe /restore"	TestDD.exe

Sets desktop wallpaper using registry 2 TTPs 35 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tempWallpaper.jpg"	TestDD.exe

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestDD.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 2248	4384	cmd.exe	84
PID 4384 wrote to memory of 2248	4384	cmd.exe	84
PID 4384 wrote to memory of 2248	4384	cmd.exe	84
PID 336 wrote to memory of 2360	336	cmd.exe	87
PID 336 wrote to memory of 2360	336	cmd.exe	87
PID 336 wrote to memory of 2360	336	cmd.exe	87
PID 5692 wrote to memory of 4640	5692	cmd.exe	90
PID 5692 wrote to memory of 4640	5692	cmd.exe	90
PID 5692 wrote to memory of 4640	5692	cmd.exe	90
PID 4832 wrote to memory of 4904	4832	cmd.exe	93
PID 4832 wrote to memory of 4904	4832	cmd.exe	93
PID 4832 wrote to memory of 4904	4832	cmd.exe	93
PID 4912 wrote to memory of 1944	4912	cmd.exe	96
PID 4912 wrote to memory of 1944	4912	cmd.exe	96
PID 4912 wrote to memory of 1944	4912	cmd.exe	96
PID 2496 wrote to memory of 3656	2496	cmd.exe	99
PID 2496 wrote to memory of 3656	2496	cmd.exe	99
PID 2496 wrote to memory of 3656	2496	cmd.exe	99
PID 3704 wrote to memory of 1132	3704	cmd.exe	102
PID 3704 wrote to memory of 1132	3704	cmd.exe	102
PID 3704 wrote to memory of 1132	3704	cmd.exe	102
PID 3460 wrote to memory of 5164	3460	cmd.exe	105
PID 3460 wrote to memory of 5164	3460	cmd.exe	105
PID 3460 wrote to memory of 5164	3460	cmd.exe	105
PID 1608 wrote to memory of 3668	1608	cmd.exe	108
PID 1608 wrote to memory of 3668	1608	cmd.exe	108
PID 1608 wrote to memory of 3668	1608	cmd.exe	108
PID 764 wrote to memory of 2304	764	cmd.exe	111
PID 764 wrote to memory of 2304	764	cmd.exe	111
PID 764 wrote to memory of 2304	764	cmd.exe	111
PID 2664 wrote to memory of 2832	2664	cmd.exe	114
PID 2664 wrote to memory of 2832	2664	cmd.exe	114
PID 2664 wrote to memory of 2832	2664	cmd.exe	114
PID 4860 wrote to memory of 1196	4860	cmd.exe	117
PID 4860 wrote to memory of 1196	4860	cmd.exe	117
PID 4860 wrote to memory of 1196	4860	cmd.exe	117
PID 3996 wrote to memory of 5464	3996	cmd.exe	120
PID 3996 wrote to memory of 5464	3996	cmd.exe	120
PID 3996 wrote to memory of 5464	3996	cmd.exe	120
PID 5828 wrote to memory of 2580	5828	cmd.exe	123
PID 5828 wrote to memory of 2580	5828	cmd.exe	123
PID 5828 wrote to memory of 2580	5828	cmd.exe	123
PID 1972 wrote to memory of 1816	1972	cmd.exe	126
PID 1972 wrote to memory of 1816	1972	cmd.exe	126
PID 1972 wrote to memory of 1816	1972	cmd.exe	126
PID 1260 wrote to memory of 6096	1260	cmd.exe	129
PID 1260 wrote to memory of 6096	1260	cmd.exe	129
PID 1260 wrote to memory of 6096	1260	cmd.exe	129
PID 3868 wrote to memory of 2440	3868	cmd.exe	132
PID 3868 wrote to memory of 2440	3868	cmd.exe	132
PID 3868 wrote to memory of 2440	3868	cmd.exe	132
PID 5628 wrote to memory of 3844	5628	cmd.exe	135
PID 5628 wrote to memory of 3844	5628	cmd.exe	135
PID 5628 wrote to memory of 3844	5628	cmd.exe	135
PID 6128 wrote to memory of 1428	6128	cmd.exe	138
PID 6128 wrote to memory of 1428	6128	cmd.exe	138
PID 6128 wrote to memory of 1428	6128	cmd.exe	138
PID 3200 wrote to memory of 5508	3200	cmd.exe	141
PID 3200 wrote to memory of 5508	3200	cmd.exe	141
PID 3200 wrote to memory of 5508	3200	cmd.exe	141
PID 4336 wrote to memory of 4520	4336	cmd.exe	144
PID 4336 wrote to memory of 4520	4336	cmd.exe	144
PID 4336 wrote to memory of 4520	4336	cmd.exe	144
PID 2180 wrote to memory of 4796	2180	cmd.exe	147

C:\Users\Admin\AppData\Local\Temp\TestDD.exe
"C:\Users\Admin\AppData\Local\Temp\TestDD.exe"
1⤵
- Adds Run key to start application
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:3720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:2248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
- Suspicious use of WriteProcessMemory
PID:336
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:2360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
- Suspicious use of WriteProcessMemory
PID:5692
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:1132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
- Suspicious use of WriteProcessMemory
PID:764
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:1196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
- Suspicious use of WriteProcessMemory
PID:5828
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:2580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
- Suspicious use of WriteProcessMemory
PID:5628
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
- Suspicious use of WriteProcessMemory
PID:6128
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:4708
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:1996
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:3372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:1308
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:4504
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:1112
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:6152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:6240
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:6292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:6360
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:6424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:6496
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:6556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:6632
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:6700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:6772
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:6864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:6928
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:6988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:7064
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:7140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:4772
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:6912
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:7196
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:7260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:7356
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:7492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:7584
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:7724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:7796
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:7888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:7948
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:7992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:8048
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:8176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:7320
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:8032
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:7928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:8228
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:8300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:8416
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:8592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:8648
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:8720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:8780
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:8852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:8920
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:9020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:9076
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:9156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:7884
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:5452
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:8988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:7084
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:8632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:8500
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:9240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:9300
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:9372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:9440
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:9540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:9600
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:9680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:9752
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:9840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:9904
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:10084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:10144
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:9228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:9528
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:10076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:10072
- C:\Users\Admin\AppData\Local\Temp\TestDD.exe
  C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
  2⤵
  PID:10300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TestDD.exe /restore
1⤵
PID:10360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kiiwiifb.3g4

Filesize
474B

MD5
46f522c77d1a514703a7fed0015fc623

SHA1
ed22f0a5884ff7445f4e171e1e49e0af608e0fda

SHA256
240098e7033b5f20c8c5936ecb68cc1049f1ecc34af536995b52a93175249150

SHA512
09aec723bf6f79c3926300c64b9b70f67d7190fcb75d53b32ffd2d4803515dabb014cab50cf2924a366c0c73ac2187c4a393790cdf3d4b989146f6b310d3c90f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempWallpaper.jpg

Filesize
184KB

MD5
5fa6c71549660141c40c8dd2d669f84f

SHA1
aa118a0483d33a73ccb4816fde2c2ff8825bba6b

SHA256
ee354b74a291e5ec1cb69a62d97d79386d254cd571bf031b62519b314c209409

SHA512
e029c5be1b0de1e3f6e267c37f550b7f1698c9f855ff9649a2a43866f1926c94f1ed09aebd4e898490a7d75773e85b6ba09a7a296b800f67cd88833ae291f065

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempWallpaper.jpg

Filesize
128KB

MD5
85acea9ec9d1b6527a0014abefaa341a

SHA1
82dced34aa125802f71319387112aa74081bec22

SHA256
2fc113f9ebe7c65954fd917e039ab9d95534aa284c67f73bce5a9f464b422534

SHA512
09d47e64b7cb4abc5ffab63a0396e7c578dc7f64d6d59827373ecb5104398a719c2b27a131d1f07dc70f390b69786408e9bd6f3def99cf7726c1790be973501d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempWallpaper.jpg

Filesize
64KB

MD5
3785d5949ea908c66350a28cb794d5cc

SHA1
d05de6ec5b5a2a4b152063fe082f8e49cd5fc876

SHA256
9933c2fe109341b3a1f16abb0f3118915748bdb2fc729ae5172ae135119ae2ff

SHA512
d415ea3f5ed2200cd36911b31be9826ff6295430d5ff8943ed5b560810989a035d10228c67eef12d1a2f442b53255368fd0e630b4d0a6a44676055d402fb6b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempWallpaper.jpg

Filesize
112B

MD5
731733c5bcc86008c25fb051918dff39

SHA1
c28d9f1958082150adaed960bfc270ccc32d4d61

SHA256
fa8ef2d209a4cfbe34a70d76303e23f5679e29fc0e143fd945cb8195b1036414

SHA512
11cf52616910fc75b057f668d05ef9d7be9421f755cf3f3ef5ad4582d8474793aaf7f5b3f68691532f2a03e0edc8194b586bea7a84c104babf9613dc5175c86d

Download Submit
memory/756-224-0x000000000ED51000-0x000000000ED53000-memory.dmp

Filesize
8KB

Download
memory/1196-74-0x000000000EF31000-0x000000000EF33000-memory.dmp

Filesize
8KB

Download
memory/1428-116-0x000000000F141000-0x000000000F143000-memory.dmp

Filesize
8KB

Download
memory/1944-32-0x000000000EF21000-0x000000000EF23000-memory.dmp

Filesize
8KB

Download
memory/2248-8-0x000000000ED11000-0x000000000ED13000-memory.dmp

Filesize
8KB

Download
memory/2360-14-0x000000000EE51000-0x000000000EE53000-memory.dmp

Filesize
8KB

Download
memory/2580-86-0x000000000ECB1000-0x000000000ECB3000-memory.dmp

Filesize
8KB

Download
memory/2832-68-0x000000000C5F1000-0x000000000C5F3000-memory.dmp

Filesize
8KB

Download
memory/3372-146-0x000000000EF91000-0x000000000EF93000-memory.dmp

Filesize
8KB

Download
memory/3668-59-0x000000000EC81000-0x000000000EC83000-memory.dmp

Filesize
8KB

Download
memory/3720-6-0x000000000EE81000-0x000000000EE83000-memory.dmp

Filesize
8KB

Download
memory/4052-161-0x000000000EAE1000-0x000000000EAE3000-memory.dmp

Filesize
8KB

Download
memory/4352-266-0x000000000F201000-0x000000000F203000-memory.dmp

Filesize
8KB

Download
memory/4640-20-0x000000000EE11000-0x000000000EE13000-memory.dmp

Filesize
8KB

Download
memory/4656-140-0x000000000EF01000-0x000000000EF03000-memory.dmp

Filesize
8KB

Download
memory/4796-134-0x000000000EE41000-0x000000000EE43000-memory.dmp

Filesize
8KB

Download
memory/4904-26-0x000000000F1D1000-0x000000000F1D3000-memory.dmp

Filesize
8KB

Download
memory/5444-152-0x000000000EBD1000-0x000000000EBD3000-memory.dmp

Filesize
8KB

Download
memory/5464-80-0x000000000E8A1000-0x000000000E8A3000-memory.dmp

Filesize
8KB

Download
memory/6152-173-0x000000000F0C1000-0x000000000F0C3000-memory.dmp

Filesize
8KB

Download
memory/6292-179-0x000000000EF11000-0x000000000EF13000-memory.dmp

Filesize
8KB

Download
memory/6516-221-0x000000000EA51000-0x000000000EA53000-memory.dmp

Filesize
8KB

Download
memory/6556-191-0x000000000EF51000-0x000000000EF53000-memory.dmp

Filesize
8KB

Download
memory/7724-242-0x000000000ED01000-0x000000000ED03000-memory.dmp

Filesize
8KB

Download
memory/7888-251-0x000000000F001000-0x000000000F003000-memory.dmp

Filesize
8KB

Download
memory/8176-260-0x000000000EFA1000-0x000000000EFA3000-memory.dmp

Filesize
8KB

Download
memory/8852-296-0x000000000E8E1000-0x000000000E8E3000-memory.dmp

Filesize
8KB

Download
memory/9156-308-0x000000000EE21000-0x000000000EE23000-memory.dmp

Filesize
8KB

Download
memory/9228-368-0x000000000EBB1000-0x000000000EBB3000-memory.dmp

Filesize
8KB

Download
memory/9240-332-0x000000000EBE1000-0x000000000EBE3000-memory.dmp

Filesize
8KB

Download
memory/9840-356-0x000000000F211000-0x000000000F213000-memory.dmp

Filesize
8KB

Download
memory/10084-362-0x000000000EC41000-0x000000000EC43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads