formbook | 4c1fe4c0f5d8d1277036802c83df3e083b31318dfc2c194ce93b7169d7ba6e3d

General

Target

SCAN-QMJ201706001-1.exe
Size

786KB
MD5

b2e7062ed44ea9c304b37aef08db9146
SHA1

ef390643049a6add921de66f3be36224a93f41a0
SHA256

4c1fe4c0f5d8d1277036802c83df3e083b31318dfc2c194ce93b7169d7ba6e3d
SHA512

b879b89ebc2ed55abdb64afcf81ec5fbb1205f0dc9a5a859c161c2687b168703754111141a682badc84f17962f92dafc50e949aed8eabd80b0e3d59beab367a3

Score

10^/10

evasion trojan spyware stealer formbook persistence

Malware Config

Signatures

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe
Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

SCAN-QMJ201706001-1.exechkdsk.exeSCAN-QMJ201706001-1.execscript.exeSCAN-QMJ201706001-1.execmstp.exeSCAN-QMJ201706001-1.exenetsh.exeSCAN-QMJ201706001-1.exemsdt.exeSCAN-QMJ201706001-1.exeNETSTAT.EXESCAN-QMJ201706001-1.exesvchost.exeSCAN-QMJ201706001-1.exemsdt.exeSCAN-QMJ201706001-1.exenetsh.exeSCAN-QMJ201706001-1.exesystray.exeSCAN-QMJ201706001-1.execscript.exeSCAN-QMJ201706001-1.exeipconfig.exeSCAN-QMJ201706001-1.exewscript.exeSCAN-QMJ201706001-1.exerundll32.exeSCAN-QMJ201706001-1.exe

description	pid	process
Token: SeDebugPrivilege	1468	SCAN-QMJ201706001-1.exe
Token: SeDebugPrivilege	992	chkdsk.exe
Token: SeDebugPrivilege	1628	SCAN-QMJ201706001-1.exe
Token: SeDebugPrivilege	1512	cscript.exe
Token: SeDebugPrivilege	1796	SCAN-QMJ201706001-1.exe
Token: SeDebugPrivilege	1832	cmstp.exe
Token: SeDebugPrivilege	1128	SCAN-QMJ201706001-1.exe
Token: SeDebugPrivilege	1620	netsh.exe
Token: SeDebugPrivilege	268	SCAN-QMJ201706001-1.exe
Token: SeDebugPrivilege	1068	msdt.exe
Token: SeDebugPrivilege	1476	SCAN-QMJ201706001-1.exe
Token: SeDebugPrivilege	788	NETSTAT.EXE
Token: SeDebugPrivilege	1524	SCAN-QMJ201706001-1.exe
Token: SeDebugPrivilege	1460	svchost.exe
Token: SeDebugPrivilege	1792	SCAN-QMJ201706001-1.exe
Token: SeDebugPrivilege	1880	msdt.exe
Token: SeDebugPrivilege	1720	SCAN-QMJ201706001-1.exe
Token: SeDebugPrivilege	1556	netsh.exe
Token: SeDebugPrivilege	1176	SCAN-QMJ201706001-1.exe
Token: SeDebugPrivilege	1624	systray.exe
Token: SeDebugPrivilege	1868	SCAN-QMJ201706001-1.exe
Token: SeDebugPrivilege	976	cscript.exe
Token: SeDebugPrivilege	1440	SCAN-QMJ201706001-1.exe
Token: SeDebugPrivilege	1864	ipconfig.exe
Token: SeDebugPrivilege	296	SCAN-QMJ201706001-1.exe
Token: SeDebugPrivilege	1780	wscript.exe
Token: SeDebugPrivilege	1760	SCAN-QMJ201706001-1.exe
Token: SeDebugPrivilege	1908	rundll32.exe
Token: SeDebugPrivilege	2028	SCAN-QMJ201706001-1.exe

Drops file in Program Files directory 1 IoCs

Processes:

chkdsk.exe

description ioc process

File opened for modification C:\Program Files (x86)\Mtnrh0rup\regsvcllm8q.exe chkdsk.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Mtnrh0rup\regsvcllm8q.exe	chkdsk.exe

Adds Run entry to policy start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chkdsk.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	chkdsk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TTWTKH7HOFR = "C:\\Program Files (x86)\\Mtnrh0rup\\regsvcllm8q.exe"	chkdsk.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

chkdsk.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 905 IoCs

Processes:

SCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exechkdsk.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exe

pid	process
1412	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1468	SCAN-QMJ201706001-1.exe
1468	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1540	SCAN-QMJ201706001-1.exe
1592	SCAN-QMJ201706001-1.exe
992	chkdsk.exe
992	chkdsk.exe
1032	SCAN-QMJ201706001-1.exe
1032	SCAN-QMJ201706001-1.exe
1032	SCAN-QMJ201706001-1.exe
1628	SCAN-QMJ201706001-1.exe
1032	SCAN-QMJ201706001-1.exe
1628	SCAN-QMJ201706001-1.exe
1032	SCAN-QMJ201706001-1.exe
1032	SCAN-QMJ201706001-1.exe
1032	SCAN-QMJ201706001-1.exe
1032	SCAN-QMJ201706001-1.exe
1032	SCAN-QMJ201706001-1.exe
1032	SCAN-QMJ201706001-1.exe
1032	SCAN-QMJ201706001-1.exe
1032	SCAN-QMJ201706001-1.exe
1032	SCAN-QMJ201706001-1.exe
1032	SCAN-QMJ201706001-1.exe
1032	SCAN-QMJ201706001-1.exe
1032	SCAN-QMJ201706001-1.exe
1032	SCAN-QMJ201706001-1.exe
1032	SCAN-QMJ201706001-1.exe
1032	SCAN-QMJ201706001-1.exe
1032	SCAN-QMJ201706001-1.exe
1032	SCAN-QMJ201706001-1.exe
1032	SCAN-QMJ201706001-1.exe

Suspicious use of WriteProcessMemory 247 IoCs

Processes:

SCAN-QMJ201706001-1.exeExplorer.EXESCAN-QMJ201706001-1.exechkdsk.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exe

description	pid	process	target process
PID 1412 wrote to memory of 1468	1412	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1412 wrote to memory of 1468	1412	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1412 wrote to memory of 1468	1412	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1412 wrote to memory of 1468	1412	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1412 wrote to memory of 1540	1412	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1412 wrote to memory of 1540	1412	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1412 wrote to memory of 1540	1412	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1412 wrote to memory of 1540	1412	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1212 wrote to memory of 992	1212	Explorer.EXE	chkdsk.exe
PID 1212 wrote to memory of 992	1212	Explorer.EXE	chkdsk.exe
PID 1212 wrote to memory of 992	1212	Explorer.EXE	chkdsk.exe
PID 1212 wrote to memory of 992	1212	Explorer.EXE	chkdsk.exe
PID 1540 wrote to memory of 1592	1540	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1540 wrote to memory of 1592	1540	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1540 wrote to memory of 1592	1540	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1540 wrote to memory of 1592	1540	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 992 wrote to memory of 736	992	chkdsk.exe	cmd.exe
PID 992 wrote to memory of 736	992	chkdsk.exe	cmd.exe
PID 992 wrote to memory of 736	992	chkdsk.exe	cmd.exe
PID 992 wrote to memory of 736	992	chkdsk.exe	cmd.exe
PID 1592 wrote to memory of 1628	1592	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1592 wrote to memory of 1628	1592	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1592 wrote to memory of 1628	1592	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1592 wrote to memory of 1628	1592	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1592 wrote to memory of 1032	1592	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1592 wrote to memory of 1032	1592	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1592 wrote to memory of 1032	1592	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1592 wrote to memory of 1032	1592	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1212 wrote to memory of 1512	1212	Explorer.EXE	cscript.exe
PID 1212 wrote to memory of 1512	1212	Explorer.EXE	cscript.exe
PID 1212 wrote to memory of 1512	1212	Explorer.EXE	cscript.exe
PID 1212 wrote to memory of 1512	1212	Explorer.EXE	cscript.exe
PID 1032 wrote to memory of 1684	1032	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1032 wrote to memory of 1684	1032	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1032 wrote to memory of 1684	1032	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1032 wrote to memory of 1684	1032	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1684 wrote to memory of 1796	1684	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1684 wrote to memory of 1796	1684	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1684 wrote to memory of 1796	1684	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1684 wrote to memory of 1796	1684	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1684 wrote to memory of 1804	1684	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1684 wrote to memory of 1804	1684	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1684 wrote to memory of 1804	1684	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1684 wrote to memory of 1804	1684	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1212 wrote to memory of 1832	1212	Explorer.EXE	cmstp.exe
PID 1212 wrote to memory of 1832	1212	Explorer.EXE	cmstp.exe
PID 1212 wrote to memory of 1832	1212	Explorer.EXE	cmstp.exe
PID 1212 wrote to memory of 1832	1212	Explorer.EXE	cmstp.exe
PID 1212 wrote to memory of 1832	1212	Explorer.EXE	cmstp.exe
PID 1212 wrote to memory of 1832	1212	Explorer.EXE	cmstp.exe
PID 1212 wrote to memory of 1832	1212	Explorer.EXE	cmstp.exe
PID 1804 wrote to memory of 1840	1804	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1804 wrote to memory of 1840	1804	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1804 wrote to memory of 1840	1804	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1804 wrote to memory of 1840	1804	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1840 wrote to memory of 1128	1840	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1840 wrote to memory of 1128	1840	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1840 wrote to memory of 1128	1840	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1840 wrote to memory of 1128	1840	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1840 wrote to memory of 1776	1840	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1840 wrote to memory of 1776	1840	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1840 wrote to memory of 1776	1840	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1840 wrote to memory of 1776	1840	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1212 wrote to memory of 1620	1212	Explorer.EXE	netsh.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Explorer.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Explorer.EXE
System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

chkdsk.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	chkdsk.exe

Suspicious behavior: MapViewOfSection 67 IoCs

Processes:

SCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exechkdsk.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exe

pid	process
1412	SCAN-QMJ201706001-1.exe
1468	SCAN-QMJ201706001-1.exe
1468	SCAN-QMJ201706001-1.exe
1468	SCAN-QMJ201706001-1.exe
992	chkdsk.exe
1592	SCAN-QMJ201706001-1.exe
1628	SCAN-QMJ201706001-1.exe
992	chkdsk.exe
1628	SCAN-QMJ201706001-1.exe
1628	SCAN-QMJ201706001-1.exe
1684	SCAN-QMJ201706001-1.exe
1796	SCAN-QMJ201706001-1.exe
1796	SCAN-QMJ201706001-1.exe
1796	SCAN-QMJ201706001-1.exe
1840	SCAN-QMJ201706001-1.exe
1128	SCAN-QMJ201706001-1.exe
1128	SCAN-QMJ201706001-1.exe
1128	SCAN-QMJ201706001-1.exe
1128	SCAN-QMJ201706001-1.exe
1580	SCAN-QMJ201706001-1.exe
268	SCAN-QMJ201706001-1.exe
992	chkdsk.exe
268	SCAN-QMJ201706001-1.exe
268	SCAN-QMJ201706001-1.exe
992	chkdsk.exe
1140	SCAN-QMJ201706001-1.exe
1476	SCAN-QMJ201706001-1.exe
1476	SCAN-QMJ201706001-1.exe
1476	SCAN-QMJ201706001-1.exe
1476	SCAN-QMJ201706001-1.exe
1052	SCAN-QMJ201706001-1.exe
1524	SCAN-QMJ201706001-1.exe
1524	SCAN-QMJ201706001-1.exe
1524	SCAN-QMJ201706001-1.exe
1524	SCAN-QMJ201706001-1.exe
1392	SCAN-QMJ201706001-1.exe
1792	SCAN-QMJ201706001-1.exe
1792	SCAN-QMJ201706001-1.exe
1792	SCAN-QMJ201706001-1.exe
1840	SCAN-QMJ201706001-1.exe
1720	SCAN-QMJ201706001-1.exe
1720	SCAN-QMJ201706001-1.exe
1720	SCAN-QMJ201706001-1.exe
1720	SCAN-QMJ201706001-1.exe
568	SCAN-QMJ201706001-1.exe
1176	SCAN-QMJ201706001-1.exe
1176	SCAN-QMJ201706001-1.exe
1176	SCAN-QMJ201706001-1.exe
1576	SCAN-QMJ201706001-1.exe
1868	SCAN-QMJ201706001-1.exe
1868	SCAN-QMJ201706001-1.exe
1868	SCAN-QMJ201706001-1.exe
1200	SCAN-QMJ201706001-1.exe
1440	SCAN-QMJ201706001-1.exe
1440	SCAN-QMJ201706001-1.exe
1440	SCAN-QMJ201706001-1.exe
1688	SCAN-QMJ201706001-1.exe
296	SCAN-QMJ201706001-1.exe
296	SCAN-QMJ201706001-1.exe
296	SCAN-QMJ201706001-1.exe
1788	SCAN-QMJ201706001-1.exe
1760	SCAN-QMJ201706001-1.exe
1760	SCAN-QMJ201706001-1.exe
1760	SCAN-QMJ201706001-1.exe

Suspicious use of SetThreadContext 36 IoCs

Processes:

SCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exechkdsk.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exe

description	pid	process	target process
PID 1412 set thread context of 1468	1412	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1468 set thread context of 1212	1468	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 1592 set thread context of 1628	1592	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1628 set thread context of 1212	1628	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 992 set thread context of 1212	992	chkdsk.exe	Explorer.EXE
PID 1684 set thread context of 1796	1684	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1796 set thread context of 1212	1796	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 1840 set thread context of 1128	1840	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1128 set thread context of 1212	1128	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 1128 set thread context of 1212	1128	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 1580 set thread context of 268	1580	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 268 set thread context of 1212	268	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 1140 set thread context of 1476	1140	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1476 set thread context of 1212	1476	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 1476 set thread context of 1212	1476	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 1052 set thread context of 1524	1052	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1524 set thread context of 1212	1524	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 1524 set thread context of 1212	1524	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 1392 set thread context of 1792	1392	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1792 set thread context of 1212	1792	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 1840 set thread context of 1720	1840	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1720 set thread context of 1212	1720	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 1720 set thread context of 1212	1720	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 568 set thread context of 1176	568	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1176 set thread context of 1212	1176	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 1576 set thread context of 1868	1576	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1868 set thread context of 1212	1868	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 1200 set thread context of 1440	1200	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1440 set thread context of 1212	1440	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 1688 set thread context of 296	1688	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 296 set thread context of 1212	296	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 1788 set thread context of 1760	1788	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1760 set thread context of 1212	1760	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 2044 set thread context of 2028	2044	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 2028 set thread context of 1212	2028	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 2028 set thread context of 1212	2028	SCAN-QMJ201706001-1.exe	Explorer.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- Checks whether UAC is enabled
- Suspicious use of FindShellTrayWindow
PID:1212

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1412

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1468

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 1468 91369
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1592

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1628

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 1628 99029
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1032

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
6⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1684

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1796

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 1796 106595
7⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
8⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1840

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1128

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 1128 114426
9⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
10⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1580

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
11⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:268

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 268 128170
11⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
12⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1140

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
13⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1476

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 1476 135767
13⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
14⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1052

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
15⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1524

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 1524 149760
15⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
16⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1392

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
17⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1792

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 1792 163894
17⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
18⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1840

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
19⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1720

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
20⤵
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 1720 171819
19⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
20⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:568

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1176

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 1176 188776
21⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
22⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1576

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
23⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1868

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 1868 196686
23⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
24⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1200

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
25⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1440

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 1440 204392
25⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
26⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1688

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
27⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:296

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 296 211911
27⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
28⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1788

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
29⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1760

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 1760 219446
29⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
30⤵
- Suspicious use of SetThreadContext
PID:2044

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
31⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2028

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 2028 226981
31⤵
PID:1584

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Drops file in Program Files directory
- Adds Run entry to policy start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:992

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
3⤵
PID:736

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:540

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1780

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2016

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:616

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:812

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:652

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2024

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1356

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1540

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1412

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:304

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1448

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1096

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:780

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:272

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1048

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1052

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\-823QC40\-82logim.jpeg

Download Submit
C:\Users\Admin\AppData\Roaming\-823QC40\-82logrf.ini

Download Submit
C:\Users\Admin\AppData\Roaming\-823QC40\-82logri.ini

Download Submit
C:\Users\Admin\AppData\Roaming\-823QC40\-82logrv.ini

Download Submit
memory/268-27-0x000000000041E2A0-mapping.dmp

Download
memory/296-88-0x000000000041E2A0-mapping.dmp

Download
memory/540-35-0x0000000000000000-mapping.dmp

Download
memory/540-39-0x000000013F690000-0x000000013F723000-memory.dmp

Filesize
588KB

Download
memory/556-28-0x0000000000000000-mapping.dmp

Download
memory/556-70-0x0000000000000000-mapping.dmp

Download
memory/568-67-0x0000000000000000-mapping.dmp

Download
memory/736-6-0x0000000000000000-mapping.dmp

Download
memory/788-43-0x00000000008A0000-0x00000000008A9000-memory.dmp

Filesize
36KB

Download
memory/788-41-0x0000000000000000-mapping.dmp

Download
memory/976-79-0x00000000001E0000-0x0000000000202000-memory.dmp

Filesize
136KB

Download
memory/976-78-0x0000000000000000-mapping.dmp

Download
memory/992-10-0x0000000001F80000-0x00000000020E5000-memory.dmp

Filesize
1.4MB

Download
memory/992-34-0x0000000003AD0000-0x0000000003BEE000-memory.dmp

Filesize
1.1MB

Download
memory/992-30-0x0000000076EB0000-0x0000000076FCD000-memory.dmp

Filesize
1.1MB

Download
memory/992-29-0x0000000075640000-0x000000007564C000-memory.dmp

Filesize
48KB

Download
memory/992-5-0x0000000000A10000-0x0000000000A17000-memory.dmp

Filesize
28KB

Download
memory/992-3-0x0000000000000000-mapping.dmp

Download
memory/1028-83-0x0000000000000000-mapping.dmp

Download
memory/1032-9-0x0000000000000000-mapping.dmp

Download
memory/1052-42-0x0000000000000000-mapping.dmp

Download
memory/1068-31-0x0000000000000000-mapping.dmp

Download
memory/1068-33-0x0000000000280000-0x0000000000374000-memory.dmp

Filesize
976KB

Download
memory/1128-21-0x000000000041E2A0-mapping.dmp

Download
memory/1140-32-0x0000000000000000-mapping.dmp

Download
memory/1176-69-0x000000000041E2A0-mapping.dmp

Download
memory/1200-80-0x0000000000000000-mapping.dmp

Download
memory/1212-40-0x0000000007C60000-0x0000000007D16000-memory.dmp

Filesize
728KB

Download
memory/1212-64-0x0000000008770000-0x00000000088C0000-memory.dmp

Filesize
1.3MB

Download
memory/1212-51-0x0000000008430000-0x00000000085D1000-memory.dmp

Filesize
1.6MB

Download
memory/1212-71-0x00000000088C0000-0x00000000089FE000-memory.dmp

Filesize
1.2MB

Download
memory/1392-54-0x0000000000000000-mapping.dmp

Download
memory/1440-82-0x000000000041E2A0-mapping.dmp

Download
memory/1460-53-0x0000000000890000-0x0000000000898000-memory.dmp

Filesize
32KB

Download
memory/1460-52-0x0000000000000000-mapping.dmp

Download
memory/1464-77-0x0000000000000000-mapping.dmp

Download
memory/1468-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1468-1-0x000000000041E2A0-mapping.dmp

Download
memory/1476-37-0x000000000041E2A0-mapping.dmp

Download
memory/1492-38-0x0000000000000000-mapping.dmp

Download
memory/1512-12-0x0000000000C50000-0x0000000000C72000-memory.dmp

Filesize
136KB

Download
memory/1512-11-0x0000000000000000-mapping.dmp

Download
memory/1524-45-0x000000000041E2A0-mapping.dmp

Download
memory/1540-2-0x0000000000000000-mapping.dmp

Download
memory/1552-63-0x0000000000000000-mapping.dmp

Download
memory/1556-66-0x0000000000CE0000-0x0000000000CFB000-memory.dmp

Filesize
108KB

Download
memory/1556-65-0x0000000000000000-mapping.dmp

Download
memory/1576-74-0x0000000000000000-mapping.dmp

Download
memory/1580-25-0x0000000000000000-mapping.dmp

Download
memory/1584-101-0x0000000000000000-mapping.dmp

Download
memory/1592-4-0x0000000000000000-mapping.dmp

Download
memory/1620-24-0x0000000001090000-0x00000000010AB000-memory.dmp

Filesize
108KB

Download
memory/1620-23-0x0000000000000000-mapping.dmp

Download
memory/1624-73-0x0000000000980000-0x0000000000985000-memory.dmp

Filesize
20KB

Download
memory/1624-72-0x0000000000000000-mapping.dmp

Download
memory/1628-8-0x000000000041E2A0-mapping.dmp

Download
memory/1656-46-0x0000000000000000-mapping.dmp

Download
memory/1684-13-0x0000000000000000-mapping.dmp

Download
memory/1688-85-0x0000000000000000-mapping.dmp

Download
memory/1720-62-0x000000000041E2A0-mapping.dmp

Download
memory/1760-94-0x000000000041E2A0-mapping.dmp

Download
memory/1776-22-0x0000000000000000-mapping.dmp

Download
memory/1780-91-0x00000000009C0000-0x00000000009E6000-memory.dmp

Filesize
152KB

Download
memory/1780-90-0x0000000000000000-mapping.dmp

Download
memory/1788-92-0x0000000000000000-mapping.dmp

Download
memory/1792-56-0x000000000041E2A0-mapping.dmp

Download
memory/1796-15-0x000000000041E2A0-mapping.dmp

Download
memory/1804-16-0x0000000000000000-mapping.dmp

Download
memory/1804-57-0x0000000000000000-mapping.dmp

Download
memory/1832-18-0x0000000000AE0000-0x0000000000AF8000-memory.dmp

Filesize
96KB

Download
memory/1832-17-0x0000000000000000-mapping.dmp

Download
memory/1840-60-0x0000000000000000-mapping.dmp

Download
memory/1840-19-0x0000000000000000-mapping.dmp

Download
memory/1844-89-0x0000000000000000-mapping.dmp

Download
memory/1864-86-0x0000000000050000-0x000000000005A000-memory.dmp

Filesize
40KB

Download
memory/1864-84-0x0000000000000000-mapping.dmp

Download
memory/1868-76-0x000000000041E2A0-mapping.dmp

Download
memory/1880-59-0x0000000000FC0000-0x00000000010B4000-memory.dmp

Filesize
976KB

Download
memory/1880-58-0x0000000000000000-mapping.dmp

Download
memory/1908-96-0x0000000000000000-mapping.dmp

Download
memory/1908-97-0x0000000000560000-0x000000000056E000-memory.dmp

Filesize
56KB

Download
memory/1976-95-0x0000000000000000-mapping.dmp

Download
memory/2028-100-0x000000000041E2A0-mapping.dmp

Download
memory/2044-98-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads