4c1fe4c0f5d8d1277036802c83df3e083b31318dfc2c194ce93b7169d7ba6e3d

Analysis

max time kernel
150s
max time network
143s
platform
windows10_x64
resource
win10
submitted
11-07-2020 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SCAN-QMJ201706001-1.exe
Size

786KB
MD5

b2e7062ed44ea9c304b37aef08db9146
SHA1

ef390643049a6add921de66f3be36224a93f41a0
SHA256

4c1fe4c0f5d8d1277036802c83df3e083b31318dfc2c194ce93b7169d7ba6e3d
SHA512

b879b89ebc2ed55abdb64afcf81ec5fbb1205f0dc9a5a859c161c2687b168703754111141a682badc84f17962f92dafc50e949aed8eabd80b0e3d59beab367a3

Score

8^/10

persistence spyware

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1742 IoCs

Processes:

SCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exe

pid	process
3888	SCAN-QMJ201706001-1.exe
3888	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
3948	SCAN-QMJ201706001-1.exe
3948	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
3948	SCAN-QMJ201706001-1.exe
3948	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe
4028	SCAN-QMJ201706001-1.exe

Suspicious use of WriteProcessMemory 195 IoCs

Processes:

SCAN-QMJ201706001-1.exeExplorer.EXESCAN-QMJ201706001-1.execmd.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exe

description	pid	process	target process
PID 3888 wrote to memory of 3948	3888	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 3888 wrote to memory of 3948	3888	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 3888 wrote to memory of 3948	3888	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 3888 wrote to memory of 4028	3888	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 3888 wrote to memory of 4028	3888	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 3888 wrote to memory of 4028	3888	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 2976 wrote to memory of 3860	2976	Explorer.EXE	cmd.exe
PID 2976 wrote to memory of 3860	2976	Explorer.EXE	cmd.exe
PID 2976 wrote to memory of 3860	2976	Explorer.EXE	cmd.exe
PID 4028 wrote to memory of 3828	4028	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 4028 wrote to memory of 3828	4028	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 4028 wrote to memory of 3828	4028	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 3860 wrote to memory of 3324	3860	cmd.exe	cmd.exe
PID 3860 wrote to memory of 3324	3860	cmd.exe	cmd.exe
PID 3860 wrote to memory of 3324	3860	cmd.exe	cmd.exe
PID 3828 wrote to memory of 1736	3828	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 3828 wrote to memory of 1736	3828	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 3828 wrote to memory of 1736	3828	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 3828 wrote to memory of 3364	3828	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 3828 wrote to memory of 3364	3828	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 3828 wrote to memory of 3364	3828	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 2976 wrote to memory of 2488	2976	Explorer.EXE	raserver.exe
PID 2976 wrote to memory of 2488	2976	Explorer.EXE	raserver.exe
PID 2976 wrote to memory of 2488	2976	Explorer.EXE	raserver.exe
PID 3364 wrote to memory of 3760	3364	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 3364 wrote to memory of 3760	3364	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 3364 wrote to memory of 3760	3364	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 3760 wrote to memory of 4048	3760	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 3760 wrote to memory of 4048	3760	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 3760 wrote to memory of 4048	3760	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 3760 wrote to memory of 3996	3760	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 3760 wrote to memory of 3996	3760	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 3760 wrote to memory of 3996	3760	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 2976 wrote to memory of 3060	2976	Explorer.EXE	cmstp.exe
PID 2976 wrote to memory of 3060	2976	Explorer.EXE	cmstp.exe
PID 2976 wrote to memory of 3060	2976	Explorer.EXE	cmstp.exe
PID 3996 wrote to memory of 1948	3996	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 3996 wrote to memory of 1948	3996	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 3996 wrote to memory of 1948	3996	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1948 wrote to memory of 2896	1948	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1948 wrote to memory of 2896	1948	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1948 wrote to memory of 2896	1948	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1948 wrote to memory of 964	1948	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1948 wrote to memory of 964	1948	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1948 wrote to memory of 964	1948	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 2976 wrote to memory of 624	2976	Explorer.EXE	mstsc.exe
PID 2976 wrote to memory of 624	2976	Explorer.EXE	mstsc.exe
PID 2976 wrote to memory of 624	2976	Explorer.EXE	mstsc.exe
PID 3860 wrote to memory of 992	3860	cmd.exe	cmd.exe
PID 3860 wrote to memory of 992	3860	cmd.exe	cmd.exe
PID 3860 wrote to memory of 992	3860	cmd.exe	cmd.exe
PID 3860 wrote to memory of 1200	3860	cmd.exe	Firefox.exe
PID 3860 wrote to memory of 1200	3860	cmd.exe	Firefox.exe
PID 964 wrote to memory of 1240	964	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 964 wrote to memory of 1240	964	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 964 wrote to memory of 1240	964	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 3860 wrote to memory of 1200	3860	cmd.exe	Firefox.exe
PID 1240 wrote to memory of 1600	1240	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1240 wrote to memory of 1600	1240	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1240 wrote to memory of 1600	1240	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1240 wrote to memory of 1760	1240	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1240 wrote to memory of 1760	1240	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1240 wrote to memory of 1760	1240	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 2976 wrote to memory of 1840	2976	Explorer.EXE	msiexec.exe

Suspicious behavior: MapViewOfSection 70 IoCs

Processes:

SCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.execmd.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exe

pid	process
3888	SCAN-QMJ201706001-1.exe
3948	SCAN-QMJ201706001-1.exe
3948	SCAN-QMJ201706001-1.exe
3948	SCAN-QMJ201706001-1.exe
3860	cmd.exe
3828	SCAN-QMJ201706001-1.exe
1736	SCAN-QMJ201706001-1.exe
3860	cmd.exe
1736	SCAN-QMJ201706001-1.exe
1736	SCAN-QMJ201706001-1.exe
3760	SCAN-QMJ201706001-1.exe
4048	SCAN-QMJ201706001-1.exe
4048	SCAN-QMJ201706001-1.exe
4048	SCAN-QMJ201706001-1.exe
4048	SCAN-QMJ201706001-1.exe
1948	SCAN-QMJ201706001-1.exe
2896	SCAN-QMJ201706001-1.exe
2896	SCAN-QMJ201706001-1.exe
3860	cmd.exe
2896	SCAN-QMJ201706001-1.exe
2896	SCAN-QMJ201706001-1.exe
3860	cmd.exe
1240	SCAN-QMJ201706001-1.exe
1600	SCAN-QMJ201706001-1.exe
1600	SCAN-QMJ201706001-1.exe
1600	SCAN-QMJ201706001-1.exe
1488	SCAN-QMJ201706001-1.exe
2148	SCAN-QMJ201706001-1.exe
2148	SCAN-QMJ201706001-1.exe
2148	SCAN-QMJ201706001-1.exe
3032	SCAN-QMJ201706001-1.exe
3996	SCAN-QMJ201706001-1.exe
3996	SCAN-QMJ201706001-1.exe
3996	SCAN-QMJ201706001-1.exe
3996	SCAN-QMJ201706001-1.exe
968	SCAN-QMJ201706001-1.exe
3732	SCAN-QMJ201706001-1.exe
3732	SCAN-QMJ201706001-1.exe
3732	SCAN-QMJ201706001-1.exe
3884	SCAN-QMJ201706001-1.exe
2080	SCAN-QMJ201706001-1.exe
2080	SCAN-QMJ201706001-1.exe
2080	SCAN-QMJ201706001-1.exe
1632	SCAN-QMJ201706001-1.exe
1472	SCAN-QMJ201706001-1.exe
1472	SCAN-QMJ201706001-1.exe
1472	SCAN-QMJ201706001-1.exe
2160	SCAN-QMJ201706001-1.exe
2152	SCAN-QMJ201706001-1.exe
2152	SCAN-QMJ201706001-1.exe
2152	SCAN-QMJ201706001-1.exe
1312	SCAN-QMJ201706001-1.exe
1272	SCAN-QMJ201706001-1.exe
1272	SCAN-QMJ201706001-1.exe
1272	SCAN-QMJ201706001-1.exe
1272	SCAN-QMJ201706001-1.exe
2224	SCAN-QMJ201706001-1.exe
2172	SCAN-QMJ201706001-1.exe
2172	SCAN-QMJ201706001-1.exe
2172	SCAN-QMJ201706001-1.exe
3616	SCAN-QMJ201706001-1.exe
3920	SCAN-QMJ201706001-1.exe
3920	SCAN-QMJ201706001-1.exe
3920	SCAN-QMJ201706001-1.exe

Suspicious use of AdjustPrivilegeToken 97 IoCs

Processes:

SCAN-QMJ201706001-1.exeExplorer.EXEcmd.exeSCAN-QMJ201706001-1.exeraserver.exeSCAN-QMJ201706001-1.execmstp.exeSCAN-QMJ201706001-1.exemstsc.exeSCAN-QMJ201706001-1.exemsiexec.exeSCAN-QMJ201706001-1.exewlanext.exeSCAN-QMJ201706001-1.exechkdsk.exeSCAN-QMJ201706001-1.exewscript.exeSCAN-QMJ201706001-1.exewlanext.exeSCAN-QMJ201706001-1.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	3948	SCAN-QMJ201706001-1.exe
Token: SeShutdownPrivilege	2976	Explorer.EXE
Token: SeCreatePagefilePrivilege	2976	Explorer.EXE
Token: SeDebugPrivilege	3860	cmd.exe
Token: SeShutdownPrivilege	2976	Explorer.EXE
Token: SeCreatePagefilePrivilege	2976	Explorer.EXE
Token: SeDebugPrivilege	1736	SCAN-QMJ201706001-1.exe
Token: SeShutdownPrivilege	2976	Explorer.EXE
Token: SeCreatePagefilePrivilege	2976	Explorer.EXE
Token: SeDebugPrivilege	2488	raserver.exe
Token: SeShutdownPrivilege	2976	Explorer.EXE
Token: SeCreatePagefilePrivilege	2976	Explorer.EXE
Token: SeDebugPrivilege	4048	SCAN-QMJ201706001-1.exe
Token: SeShutdownPrivilege	2976	Explorer.EXE
Token: SeCreatePagefilePrivilege	2976	Explorer.EXE
Token: SeDebugPrivilege	3060	cmstp.exe
Token: SeShutdownPrivilege	2976	Explorer.EXE
Token: SeCreatePagefilePrivilege	2976	Explorer.EXE
Token: SeDebugPrivilege	2896	SCAN-QMJ201706001-1.exe
Token: SeShutdownPrivilege	2976	Explorer.EXE
Token: SeCreatePagefilePrivilege	2976	Explorer.EXE
Token: SeShutdownPrivilege	2976	Explorer.EXE
Token: SeCreatePagefilePrivilege	2976	Explorer.EXE
Token: SeShutdownPrivilege	2976	Explorer.EXE
Token: SeCreatePagefilePrivilege	2976	Explorer.EXE
Token: SeDebugPrivilege	624	mstsc.exe
Token: SeShutdownPrivilege	2976	Explorer.EXE
Token: SeCreatePagefilePrivilege	2976	Explorer.EXE
Token: SeDebugPrivilege	1600	SCAN-QMJ201706001-1.exe
Token: SeShutdownPrivilege	2976	Explorer.EXE
Token: SeCreatePagefilePrivilege	2976	Explorer.EXE
Token: SeDebugPrivilege	1840	msiexec.exe
Token: SeShutdownPrivilege	2976	Explorer.EXE
Token: SeCreatePagefilePrivilege	2976	Explorer.EXE
Token: SeDebugPrivilege	2148	SCAN-QMJ201706001-1.exe
Token: SeShutdownPrivilege	2976	Explorer.EXE
Token: SeCreatePagefilePrivilege	2976	Explorer.EXE
Token: SeShutdownPrivilege	2976	Explorer.EXE
Token: SeCreatePagefilePrivilege	2976	Explorer.EXE
Token: SeDebugPrivilege	2764	wlanext.exe
Token: SeShutdownPrivilege	2976	Explorer.EXE
Token: SeCreatePagefilePrivilege	2976	Explorer.EXE
Token: SeDebugPrivilege	3996	SCAN-QMJ201706001-1.exe
Token: SeShutdownPrivilege	2976	Explorer.EXE
Token: SeCreatePagefilePrivilege	2976	Explorer.EXE
Token: SeDebugPrivilege	1012	chkdsk.exe
Token: SeShutdownPrivilege	2976	Explorer.EXE
Token: SeCreatePagefilePrivilege	2976	Explorer.EXE
Token: SeDebugPrivilege	3732	SCAN-QMJ201706001-1.exe
Token: SeShutdownPrivilege	2976	Explorer.EXE
Token: SeCreatePagefilePrivilege	2976	Explorer.EXE
Token: SeDebugPrivilege	880	wscript.exe
Token: SeShutdownPrivilege	2976	Explorer.EXE
Token: SeCreatePagefilePrivilege	2976	Explorer.EXE
Token: SeDebugPrivilege	2080	SCAN-QMJ201706001-1.exe
Token: SeShutdownPrivilege	2976	Explorer.EXE
Token: SeCreatePagefilePrivilege	2976	Explorer.EXE
Token: SeDebugPrivilege	1400	wlanext.exe
Token: SeShutdownPrivilege	2976	Explorer.EXE
Token: SeCreatePagefilePrivilege	2976	Explorer.EXE
Token: SeDebugPrivilege	1472	SCAN-QMJ201706001-1.exe
Token: SeShutdownPrivilege	2976	Explorer.EXE
Token: SeCreatePagefilePrivilege	2976	Explorer.EXE
Token: SeDebugPrivilege	2144	msiexec.exe

js 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/624-31-0x0000000000110000-0x000000000040C000-memory.dmp	js
behavioral2/memory/624-33-0x0000000000110000-0x000000000040C000-memory.dmp	js

Adds Run entry to policy start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\7NOPJLWPP0V = "C:\\Program Files (x86)\\Dtbo0q0\\drrlefftnhvnyp.exe"	cmd.exe

Suspicious use of SetThreadContext 37 IoCs

Processes:

SCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.execmd.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exeSCAN-QMJ201706001-1.exe

description	pid	process	target process
PID 3888 set thread context of 3948	3888	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 3948 set thread context of 2976	3948	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 3828 set thread context of 1736	3828	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1736 set thread context of 2976	1736	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 3860 set thread context of 2976	3860	cmd.exe	Explorer.EXE
PID 3760 set thread context of 4048	3760	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 4048 set thread context of 2976	4048	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 4048 set thread context of 2976	4048	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 1948 set thread context of 2896	1948	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 2896 set thread context of 2976	2896	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 2896 set thread context of 2976	2896	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 1240 set thread context of 1600	1240	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1600 set thread context of 2976	1600	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 1488 set thread context of 2148	1488	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 2148 set thread context of 2976	2148	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 3032 set thread context of 3996	3032	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 3996 set thread context of 2976	3996	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 3996 set thread context of 2976	3996	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 968 set thread context of 3732	968	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 3732 set thread context of 2976	3732	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 3884 set thread context of 2080	3884	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 2080 set thread context of 2976	2080	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 1632 set thread context of 1472	1632	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1472 set thread context of 2976	1472	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 2160 set thread context of 2152	2160	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 2152 set thread context of 2976	2152	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 1312 set thread context of 1272	1312	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 1272 set thread context of 2976	1272	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 1272 set thread context of 2976	1272	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 2224 set thread context of 2172	2224	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 2172 set thread context of 2976	2172	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 3616 set thread context of 3920	3616	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 3920 set thread context of 2976	3920	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 4040 set thread context of 968	4040	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 968 set thread context of 2976	968	SCAN-QMJ201706001-1.exe	Explorer.EXE
PID 1384 set thread context of 2128	1384	SCAN-QMJ201706001-1.exe	SCAN-QMJ201706001-1.exe
PID 2128 set thread context of 2976	2128	SCAN-QMJ201706001-1.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Program Files (x86)\Dtbo0q0\drrlefftnhvnyp.exe cmd.exe
System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer cmd.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Dtbo0q0\drrlefftnhvnyp.exe	cmd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cmd.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3888

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:3948

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 3948 66062
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4028

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
4⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3828

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
5⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:1736

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 1736 74078
5⤵
- Suspicious use of WriteProcessMemory
PID:3364

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
6⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3760

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
7⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:4048

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 4048 81953
7⤵
- Suspicious use of WriteProcessMemory
PID:3996

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
8⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1948

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
9⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2896

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 2896 95875
9⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
10⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1240

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
11⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:1600

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 1600 110218
11⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
12⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1488

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
13⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2148

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 2148 118328
13⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
14⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3032

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
15⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:3996

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 3996 126156
15⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
16⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:968

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
17⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:3732

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 3732 140031
17⤵
PID:412

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
18⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3884

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
19⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2080

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 2080 147953
19⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
20⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1632

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
21⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:1472

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 1472 155921
21⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
22⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:2160

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
23⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:2152

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 2152 163703
23⤵
PID:3164

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
24⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1312

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
25⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1272

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 1272 171562
25⤵
PID:3468

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
26⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:2224

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
27⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:2172

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 2172 185531
27⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
28⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3616

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
29⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3920

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 3920 193468
29⤵
PID:3976

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
30⤵
- Suspicious use of SetThreadContext
PID:4040

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
31⤵
- Suspicious use of SetThreadContext
PID:968

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 968 201234
31⤵
PID:408

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
32⤵
- Suspicious use of SetThreadContext
PID:1384

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
33⤵
- Suspicious use of SetThreadContext
PID:2128

C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe" 2 2128 209203
33⤵
PID:1776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to policy start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System policy modification
- Modifies Internet Explorer settings
PID:3860

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\SCAN-QMJ201706001-1.exe"
3⤵
PID:3324

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:992

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1200

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1796

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:968

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3696

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3744

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3732

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3728

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:412

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:488

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2696

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2708

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Enumerates system info in registry
PID:1012

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:880

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
PID:3368

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
PID:3712

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
PID:2364

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
PID:2724

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
PID:1228

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3812

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:552

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1852

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1856

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1604

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2096

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2076

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2120

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DB1

Download Submit
C:\Users\Admin\AppData\Roaming\-823QC40\-82logim.jpeg

Download Submit
C:\Users\Admin\AppData\Roaming\-823QC40\-82logrf.ini

Download Submit
C:\Users\Admin\AppData\Roaming\-823QC40\-82logrg.ini

Download Submit
C:\Users\Admin\AppData\Roaming\-823QC40\-82logri.ini

Download Submit
C:\Users\Admin\AppData\Roaming\-823QC40\-82logrv.ini

Download Submit
memory/408-122-0x0000000000000000-mapping.dmp

Download
memory/412-68-0x0000000000000000-mapping.dmp

Download
memory/624-33-0x0000000000110000-0x000000000040C000-memory.dmp

Filesize
3.0MB

Download
memory/624-31-0x0000000000110000-0x000000000040C000-memory.dmp

Filesize
3.0MB

Download
memory/624-30-0x0000000000000000-mapping.dmp

Download
memory/880-71-0x00000000001D0000-0x00000000001F7000-memory.dmp

Filesize
156KB

Download
memory/880-70-0x0000000000000000-mapping.dmp

Download
memory/880-72-0x00000000001D0000-0x00000000001F7000-memory.dmp

Filesize
156KB

Download
memory/964-25-0x0000000000000000-mapping.dmp

Download
memory/968-65-0x0000000000000000-mapping.dmp

Download
memory/968-121-0x000000000041E2A0-mapping.dmp

Download
memory/992-28-0x0000000000000000-mapping.dmp

Download
memory/1012-62-0x0000000000000000-mapping.dmp

Download
memory/1012-64-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/1012-63-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/1200-37-0x00007FF7D67B0000-0x00007FF7D6843000-memory.dmp

Filesize
588KB

Download
memory/1200-40-0x00007FF7D67B0000-0x00007FF7D6843000-memory.dmp

Filesize
588KB

Download
memory/1200-35-0x0000000000000000-mapping.dmp

Download
memory/1200-36-0x00007FF7D67B0000-0x00007FF7D6843000-memory.dmp

Filesize
588KB

Download
memory/1228-124-0x0000000000000000-mapping.dmp

Download
memory/1228-125-0x0000000000DD0000-0x0000000000F43000-memory.dmp

Filesize
1.4MB

Download
memory/1228-127-0x0000000000DD0000-0x0000000000F43000-memory.dmp

Filesize
1.4MB

Download
memory/1240-32-0x0000000000000000-mapping.dmp

Download
memory/1272-97-0x000000000041E2A0-mapping.dmp

Download
memory/1312-94-0x0000000000000000-mapping.dmp

Download
memory/1384-126-0x0000000000000000-mapping.dmp

Download
memory/1400-80-0x0000000000240000-0x0000000000257000-memory.dmp

Filesize
92KB

Download
memory/1400-79-0x0000000000240000-0x0000000000257000-memory.dmp

Filesize
92KB

Download
memory/1400-78-0x0000000000000000-mapping.dmp

Download
memory/1448-76-0x0000000000000000-mapping.dmp

Download
memory/1472-83-0x000000000041E2A0-mapping.dmp

Download
memory/1488-44-0x0000000000000000-mapping.dmp

Download
memory/1600-39-0x000000000041E2A0-mapping.dmp

Download
memory/1632-81-0x0000000000000000-mapping.dmp

Download
memory/1736-9-0x000000000041E2A0-mapping.dmp

Download
memory/1760-41-0x0000000000000000-mapping.dmp

Download
memory/1776-130-0x0000000000000000-mapping.dmp

Download
memory/1784-84-0x0000000000000000-mapping.dmp

Download
memory/1840-45-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/1840-43-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/1840-42-0x0000000000000000-mapping.dmp

Download
memory/1948-21-0x0000000000000000-mapping.dmp

Download
memory/2080-75-0x000000000041E2A0-mapping.dmp

Download
memory/2128-129-0x000000000041E2A0-mapping.dmp

Download
memory/2144-85-0x0000000000000000-mapping.dmp

Download
memory/2144-86-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2144-88-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2148-47-0x000000000041E2A0-mapping.dmp

Download
memory/2152-90-0x000000000041E2A0-mapping.dmp

Download
memory/2160-87-0x0000000000000000-mapping.dmp

Download
memory/2164-48-0x0000000000000000-mapping.dmp

Download
memory/2172-106-0x000000000041E2A0-mapping.dmp

Download
memory/2224-103-0x0000000000000000-mapping.dmp

Download
memory/2364-109-0x0000000000000000-mapping.dmp

Download
memory/2364-110-0x0000000001050000-0x0000000001066000-memory.dmp

Filesize
88KB

Download
memory/2364-111-0x0000000001050000-0x0000000001066000-memory.dmp

Filesize
88KB

Download
memory/2456-107-0x0000000000000000-mapping.dmp

Download
memory/2488-13-0x0000000001050000-0x000000000106F000-memory.dmp

Filesize
124KB

Download
memory/2488-11-0x0000000000000000-mapping.dmp

Download
memory/2488-12-0x0000000001050000-0x000000000106F000-memory.dmp

Filesize
124KB

Download
memory/2724-119-0x0000000000C00000-0x0000000000C0B000-memory.dmp

Filesize
44KB

Download
memory/2724-117-0x0000000000C00000-0x0000000000C0B000-memory.dmp

Filesize
44KB

Download
memory/2724-116-0x0000000000000000-mapping.dmp

Download
memory/2724-56-0x0000000000000000-mapping.dmp

Download
memory/2764-50-0x0000000000000000-mapping.dmp

Download
memory/2764-51-0x0000000000240000-0x0000000000257000-memory.dmp

Filesize
92KB

Download
memory/2764-52-0x0000000000240000-0x0000000000257000-memory.dmp

Filesize
92KB

Download
memory/2896-24-0x000000000041E2A0-mapping.dmp

Download
memory/2976-77-0x0000000008F50000-0x00000000090F0000-memory.dmp

Filesize
1.6MB

Download
memory/2976-99-0x00000000073C0000-0x00000000074B1000-memory.dmp

Filesize
964KB

Download
memory/2976-123-0x00000000091D0000-0x00000000092BD000-memory.dmp

Filesize
948KB

Download
memory/2976-69-0x0000000006B30000-0x0000000006CA1000-memory.dmp

Filesize
1.4MB

Download
memory/2976-131-0x00000000092C0000-0x00000000093E3000-memory.dmp

Filesize
1.1MB

Download
memory/3032-53-0x0000000000000000-mapping.dmp

Download
memory/3060-20-0x0000000001050000-0x0000000001066000-memory.dmp

Filesize
88KB

Download
memory/3060-22-0x0000000001050000-0x0000000001066000-memory.dmp

Filesize
88KB

Download
memory/3060-19-0x0000000000000000-mapping.dmp

Download
memory/3164-91-0x0000000000000000-mapping.dmp

Download
memory/3324-7-0x0000000000000000-mapping.dmp

Download
memory/3364-10-0x0000000000000000-mapping.dmp

Download
memory/3368-93-0x0000000000F90000-0x0000000000F9C000-memory.dmp

Filesize
48KB

Download
memory/3368-92-0x0000000000000000-mapping.dmp

Download
memory/3368-95-0x0000000000F90000-0x0000000000F9C000-memory.dmp

Filesize
48KB

Download
memory/3468-98-0x0000000000000000-mapping.dmp

Download
memory/3616-112-0x0000000000000000-mapping.dmp

Download
memory/3712-102-0x0000000000E60000-0x0000000000E79000-memory.dmp

Filesize
100KB

Download
memory/3712-104-0x0000000000E60000-0x0000000000E79000-memory.dmp

Filesize
100KB

Download
memory/3712-101-0x0000000000000000-mapping.dmp

Download
memory/3732-67-0x000000000041E2A0-mapping.dmp

Download
memory/3760-14-0x0000000000000000-mapping.dmp

Download
memory/3828-6-0x0000000000000000-mapping.dmp

Download
memory/3860-5-0x0000000001290000-0x00000000012E9000-memory.dmp

Filesize
356KB

Download
memory/3860-4-0x0000000001290000-0x00000000012E9000-memory.dmp

Filesize
356KB

Download
memory/3860-34-0x0000000006710000-0x00000000067F7000-memory.dmp

Filesize
924KB

Download
memory/3860-3-0x0000000000000000-mapping.dmp

Download
memory/3884-73-0x0000000000000000-mapping.dmp

Download
memory/3920-114-0x000000000041E2A0-mapping.dmp

Download
memory/3948-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3948-1-0x000000000041E2A0-mapping.dmp

Download
memory/3976-115-0x0000000000000000-mapping.dmp

Download
memory/3996-55-0x000000000041E2A0-mapping.dmp

Download
memory/3996-17-0x0000000000000000-mapping.dmp

Download
memory/4028-2-0x0000000000000000-mapping.dmp

Download
memory/4040-118-0x0000000000000000-mapping.dmp

Download
memory/4048-16-0x000000000041E2A0-mapping.dmp

Download