28f7a4f024d6872538bff9f2de2aa2aa726e55b23ac51e8f142d830027639dfe

General

Target

28f7a4f024d6872538bff9f2de2aa2aa726e55b23ac51e8f142d830027639dfe.exe
Size

523KB
MD5

5473ca365a16752d4f366ed7fb157b26
SHA1

ff1f1da4a447f7ce24df960376f26dbf296f6a2e
SHA256

28f7a4f024d6872538bff9f2de2aa2aa726e55b23ac51e8f142d830027639dfe
SHA512

ef25f88aeb3e424632b5136023cb4beb62c1b26957dcaf95a092d6082e91a87b25e72bdce7dacbe90bff1cabcf1fd662158ce2df716862e3e67f9f70db218f6b

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

pmwin.exe

pid process

3744 pmwin.exe

pid	process
3744	pmwin.exe

NTFS ADS 1 IoCs

Processes:

28f7a4f024d6872538bff9f2de2aa2aa726e55b23ac51e8f142d830027639dfe.exe

description	ioc	process
File created	\??\c:\programdata\3f506c878b\pmwin.exe:Zone.Identifier	28f7a4f024d6872538bff9f2de2aa2aa726e55b23ac51e8f142d830027639dfe.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 2536 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 2536 AUDIODG.EXE

description	pid	process
Token: 33	2536	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2536	AUDIODG.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

28f7a4f024d6872538bff9f2de2aa2aa726e55b23ac51e8f142d830027639dfe.exepmwin.exe

description	pid	process	target process
PID 3196 wrote to memory of 3744	3196	28f7a4f024d6872538bff9f2de2aa2aa726e55b23ac51e8f142d830027639dfe.exe	pmwin.exe
PID 3196 wrote to memory of 3744	3196	28f7a4f024d6872538bff9f2de2aa2aa726e55b23ac51e8f142d830027639dfe.exe	pmwin.exe
PID 3196 wrote to memory of 3744	3196	28f7a4f024d6872538bff9f2de2aa2aa726e55b23ac51e8f142d830027639dfe.exe	pmwin.exe
PID 3744 wrote to memory of 4076	3744	pmwin.exe	REG.exe
PID 3744 wrote to memory of 4076	3744	pmwin.exe	REG.exe
PID 3744 wrote to memory of 4076	3744	pmwin.exe	REG.exe

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\3f506c878b
3⤵
PID:4076

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3fc 0x418
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\ProgramData\0
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\3f506c878b\pmwin.exe
Filesize
523KB

MD5
5473ca365a16752d4f366ed7fb157b26

SHA1
ff1f1da4a447f7ce24df960376f26dbf296f6a2e

SHA256
28f7a4f024d6872538bff9f2de2aa2aa726e55b23ac51e8f142d830027639dfe

SHA512
ef25f88aeb3e424632b5136023cb4beb62c1b26957dcaf95a092d6082e91a87b25e72bdce7dacbe90bff1cabcf1fd662158ce2df716862e3e67f9f70db218f6b

Download Submit
\??\c:\programdata\3f506c878b\pmwin.exe
Filesize
523KB

MD5
5473ca365a16752d4f366ed7fb157b26

SHA1
ff1f1da4a447f7ce24df960376f26dbf296f6a2e

SHA256
28f7a4f024d6872538bff9f2de2aa2aa726e55b23ac51e8f142d830027639dfe

SHA512
ef25f88aeb3e424632b5136023cb4beb62c1b26957dcaf95a092d6082e91a87b25e72bdce7dacbe90bff1cabcf1fd662158ce2df716862e3e67f9f70db218f6b

Download Submit
memory/3196-133-0x0000000000140000-0x0000000000150000-memory.dmp

Filesize
64KB

Download
memory/3744-130-0x0000000000000000-mapping.dmp

Download
memory/3744-134-0x0000000000640000-0x0000000000650000-memory.dmp

Filesize
64KB

Download
memory/4076-136-0x0000000000000000-mapping.dmp

Download