3eeab0e2bbd7e74117cf4d36fa98a7d0125fc46161a1193f0b72fca297f5c8ac

Analysis

max time kernel
408s
max time network
407s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
22-08-2022 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
Size

5.1MB
MD5

5347d1465f1abfbe142bee26234c2d42
SHA1

43aa39e7c91122fac3ceff37278f878eb60df870
SHA256

3eeab0e2bbd7e74117cf4d36fa98a7d0125fc46161a1193f0b72fca297f5c8ac
SHA512

afe6c2b058056813ef2f6642c5e4593c37bfc12b38f7f8990e3a923e56922a7c2647eb2e214d7da22de60648475bf59b2b3a9f4818f2861dbc37f9f8e10815bd

Score

6^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in System32 directory 1 IoCs

Processes:

mmc.exe

description ioc process

File opened for modification C:\Windows\system32\taskschd.msc mmc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exeC4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exeC4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exeC4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exeC4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe = "11000"	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe = "11000"	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe = "11000"	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe = "11000"	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe = "11000"	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe

Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

4700 regedit.exe

pid	process
4700	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
2608	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
2608	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
2608	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
2608	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
2608	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
2608	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
2608	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
2608	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
2608	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
2608	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
2608	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
2608	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
2608	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
2608	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
2608	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
2608	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
2608	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
2608	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
2608	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
2608	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
3176	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
3176	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
3176	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
3176	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
3176	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
3176	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
3176	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
3176	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
3176	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
3176	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
3176	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
3176	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
3176	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
3176	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
3176	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
3176	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
3176	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
3176	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
3176	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
3176	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
4980	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
4980	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
4980	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
4980	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
4980	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
4980	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
4980	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
4980	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
4980	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
4980	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
4980	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
4980	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
4980	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
4980	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
4980	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
4980	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
4980	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
4980	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
4980	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
4980	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
1560	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
1560	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
1560	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
1560	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

mmc.exemsdt.exe

pid process

164 mmc.exe
3468 msdt.exe

pid	process
164	mmc.exe
3468	msdt.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

mmc.exe

description	pid	process
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe
Token: 33	164	mmc.exe
Token: SeIncBasePriorityPrivilege	164	mmc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

mmc.exemsdt.exe

pid process

164 mmc.exe
3468 msdt.exe

pid	process
164	mmc.exe
3468	msdt.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exeC4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exeC4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exemmc.exeC4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exeC4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe

pid	process
2608	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
2608	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
3176	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
3176	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
3176	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
4980	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
4980	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
4980	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
164	mmc.exe
164	mmc.exe
1560	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
1560	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
1560	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
3036	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
3036	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

pcwrun.exesdiagnhost.execsc.execsc.execsc.exemsdt.exerundll32.exe

description	pid	process	target process
PID 4984 wrote to memory of 3468	4984	pcwrun.exe	msdt.exe
PID 4984 wrote to memory of 3468	4984	pcwrun.exe	msdt.exe
PID 4300 wrote to memory of 4000	4300	sdiagnhost.exe	csc.exe
PID 4300 wrote to memory of 4000	4300	sdiagnhost.exe	csc.exe
PID 4000 wrote to memory of 2088	4000	csc.exe	cvtres.exe
PID 4000 wrote to memory of 2088	4000	csc.exe	cvtres.exe
PID 4300 wrote to memory of 3460	4300	sdiagnhost.exe	csc.exe
PID 4300 wrote to memory of 3460	4300	sdiagnhost.exe	csc.exe
PID 3460 wrote to memory of 4732	3460	csc.exe	cvtres.exe
PID 3460 wrote to memory of 4732	3460	csc.exe	cvtres.exe
PID 4300 wrote to memory of 4380	4300	sdiagnhost.exe	csc.exe
PID 4300 wrote to memory of 4380	4300	sdiagnhost.exe	csc.exe
PID 4380 wrote to memory of 4648	4380	csc.exe	cvtres.exe
PID 4380 wrote to memory of 4648	4380	csc.exe	cvtres.exe
PID 3468 wrote to memory of 1812	3468	msdt.exe	rundll32.exe
PID 3468 wrote to memory of 1812	3468	msdt.exe	rundll32.exe
PID 1812 wrote to memory of 3036	1812	rundll32.exe	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
PID 1812 wrote to memory of 3036	1812	rundll32.exe	C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe

C:\Users\Admin\AppData\Local\Temp\C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
"C:\Users\Admin\AppData\Local\Temp\C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2608

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5100

C:\Users\Admin\Desktop\C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
"C:\Users\Admin\Desktop\C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3176

C:\Users\Admin\Desktop\C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
"C:\Users\Admin\Desktop\C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4980

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Runs regedit.exe
PID:4700

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:164

C:\Users\Admin\Desktop\C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
"C:\Users\Admin\Desktop\C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1560

C:\Windows\system32\pcwrun.exe
C:\Windows\system32\pcwrun.exe "C:\Users\Admin\Desktop\C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe" ContextMenu
1⤵
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\System32\msdt.exe
  C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCW7730.xml /skip TRUE
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Users\Admin\Desktop\C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Users\Admin\Desktop\C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe
      "C:\Users\Admin\Desktop\C4D2EEAD-13F2-C286-7F04-1B2BA8BD5F44_1d8b6bd106e7ed0.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3036

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\shrlckgh\shrlckgh.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FDB.tmp" "c:\Users\Admin\AppData\Local\Temp\shrlckgh\CSC6AD41DB48A394EE08BB6F3E1BFE51DEF.TMP"
    3⤵
    PID:2088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3x2n2sku\3x2n2sku.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80D5.tmp" "c:\Users\Admin\AppData\Local\Temp\3x2n2sku\CSCEA6786A6C9634B71B41DD17B7D0CD6F.TMP"
    3⤵
    PID:4732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0swlnu5n\0swlnu5n.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8549.tmp" "c:\Users\Admin\AppData\Local\Temp\0swlnu5n\CSC2C169F4AC8824909A22F59FEEF4B7A4.TMP"
    3⤵
    PID:4648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0swlnu5n\0swlnu5n.dll

Filesize
6KB

MD5
aa7123138752b2cc6f05e31f8379b232

SHA1
040edab1db958a0c3993f320c5dc46a051e563ca

SHA256
c60186a5ef809166ba0100ed21e9613365f0c96c0bfb7b146ff535c7b6ab8873

SHA512
34ed8258ab7100f738fcf1386ff2e634ced30d1b740e90ad740b67aee311d2c325fb01eceabb2c0fa576e0c62c63ec9e24ee269b570d733e0635864005565bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3x2n2sku\3x2n2sku.dll

Filesize
3KB

MD5
24fb58b008074427a6c743394838f44f

SHA1
68cc71297cf7e937e4595f93571cd0ad2b5a0038

SHA256
414b2a3fd6178a5e1c428571095399833c988b19c3703f93e7f32e68d5705bec

SHA512
57ad21edfcbc1da2de7aa431233aa97e77742b2f490dadb6b7fafa0992a0f42c90a96ef2201fa86b70c84e44273773f5eb824081220a65f113f802842f22d74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCW7730.xml

Filesize
798B

MD5
b1fcd5b7ae547f31b1936f49f6941b3f

SHA1
c2006ae7ee499b332be33f97031fb219a6f20499

SHA256
2ab35cfa83778982e03cd02e73dbb76009bf1c89195d8bd02fcd71ad26d9e82f

SHA512
279399e155cad5a8b030a73faa5a3bfe33e486915f4cbf39601821c7b090814773638eeb9196cf67405daf3f65787dfb5a7629c815725bfe3bd1ea5d96650789

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7FDB.tmp

Filesize
1KB

MD5
ec83373b6d5ec90bb35423e99282e6af

SHA1
cd49a065e242ad077b2b5e39d0911e3db4130769

SHA256
07bba8a1c2091d21f82066ab1d565f26ae87a239fde3c6eaff5144883f90e453

SHA512
578f0a16420b624da01b1cb2de4b5309837cb20e8e8561fffa5f6fac6323fde2e3de6ee825618e47a60cabf51c3d2c9915b2ffe5ceebb5a8faf994fbd80aee8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES80D5.tmp

Filesize
1KB

MD5
8f6f4ae30bd770a2d040fca9d4c63f9e

SHA1
f6bd4aef80670f5e9cf025d936643a06c23625a7

SHA256
40065b3828b42ca9b71b6cf7e31c311c3f27056264beb026f955186e0bae94fb

SHA512
a0d9951f7a5fc976a99951cd378c7ac7932fc45c6c3fe89d4cedd4370811d4be20f2a521e4ba07b3ef4fc1bd38ec763df6ecebda47dae200eb59c76bbfbf7eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8549.tmp

Filesize
1KB

MD5
bc349457e78ddafc1fe725611691f5cc

SHA1
24c53edf033a584cbf08fe5229820fdf3c3c9ca4

SHA256
21c62b2552083e75fa02e4f4fe10c0d9c63c7bae92c0631c84f28cb4859ceb77

SHA512
98c0a11f68ffe98e2b18f51958259e90af418f88568e48362a11f9d7eb8d10ce5c8270883d9a15b19e2618b6db4a73266f03ea81036223ffe17329ee5e602864

Download Submit
C:\Users\Admin\AppData\Local\Temp\shrlckgh\shrlckgh.dll

Filesize
5KB

MD5
c655efada2edac2a93ed805cd827ac29

SHA1
783151a0111271aa2930730971cb5e2c247d561a

SHA256
34b386a6221676dd0f2e038db856a428440213e60f7bdacdc015e4c6d48b8f54

SHA512
dfa6d8a684d2de077ca8c7051c380f06cbaf4853401b472619f26880cff512d85dd4be13ba2a92e70ff835e33d1df91085373dac92d7b0a337d0438a212e70d2

Download Submit
C:\Windows\TEMP\SDIAG_008ae5f1-5779-45a0-a514-109e17018f98\RS_ProgramCompatibilityWizard.ps1

Filesize
41KB

MD5
a49550a947238f4e23a81f8c765da712

SHA1
0c3daf73301d87c958d7f4f840bf060d87312d8d

SHA256
baf71bcc730ab740670653283eb97a6991af6d52bc82ad83dcc66e9ce9a9dd68

SHA512
3f0cb6e664bd7a998f81b783abaf37dc68ea55360ab021611c2336999b4b61bf6797ba9c427ad93b60c6382cb016c2f8474bc3fce0af85c823583be1d3013f02

Download Submit
C:\Windows\TEMP\SDIAG_008ae5f1-5779-45a0-a514-109e17018f98\TS_ProgramCompatibilityWizard.ps1

Filesize
16KB

MD5
2c245de268793272c235165679bf2a22

SHA1
5f31f80468f992b84e491c9ac752f7ac286e3175

SHA256
4a6e9f400c72abc5b00d8b67ea36c06e3bc43ba9468fe748aebd704947ba66a0

SHA512
aaecb935c9b4c27021977f211441ff76c71ba9740035ec439e9477ae707109ca5247ea776e2e65159dcc500b0b4324f3733e1dfb05cef10a39bb11776f74f03c

Download Submit
C:\Windows\TEMP\SDIAG_008ae5f1-5779-45a0-a514-109e17018f98\VF_ProgramCompatibilityWizard.ps1

Filesize
453B

MD5
60a20ce28d05e3f9703899df58f17c07

SHA1
98630abc4b46c3f9bd6af6f1d0736f2b82551ca9

SHA256
b71bc60c5707337f4d4b42ba2b3d7bcd2ba46399d361e948b9c2e8bc15636da2

SHA512
2b2331b2dd28fb0bbf95dc8c6ca7e40aa56d4416c269e8f1765f14585a6b5722c689bceba9699dfd7d97903ef56a7a535e88eae01dfcc493ceabb69856fff9aa

Download Submit
C:\Windows\TEMP\SDIAG_008ae5f1-5779-45a0-a514-109e17018f98\en-US\CL_LocalizationData.psd1

Filesize
6KB

MD5
5202c2aaa0bbfbcbdc51e271e059b066

SHA1
3f6a9ffb0455edc6a7e4170b54def16fd6e09a28

SHA256
7fd5c0595d76d6dec1fcbace5bbcd8ff531d5acf97e53234c0008ff5a89d20e2

SHA512
77500b97fcd6fe985962f8430f97627fedcf5af72d73d5e2b03e130bca1b6b552971b569be5fca5c9ece75ab92c2e4be416d67a0f24d3830d9579e5f96103ac9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0swlnu5n\0swlnu5n.0.cs

Filesize
7KB

MD5
a6a5eb65b434fd6612543820a3e623f0

SHA1
a2034ad0126c821a52d46d7c8289f136bde963c7

SHA256
5e06c62640983f93e9ec11fecd221c238f537cf110f03a61049a25eb6030c02c

SHA512
0bcd9e7662731750f90510fa9f3f83afaa688636f0e312343ed05b420e4d3311d25b08370a705e2e43b0b4619541e0af9f213b27845b4e95155180ecf989d483

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0swlnu5n\0swlnu5n.cmdline

Filesize
356B

MD5
97e1a51132920d68e0fd7e9b4094b942

SHA1
238e1f44730a13c763efae1c50a97ec4baa9f240

SHA256
b87fa35e52801b4baa09fb4894a309c30e2ebb7c7b0dc3341aaca6eaf036f477

SHA512
60a1f8a9d5c53eb6c1fc4ad0cac230d9c8c34cd65faf36ed7839a9cd50706dbd630094b641a3e5e7052757c9fa0cf1b103a4584f98f56e9dfdaa80435f974745

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0swlnu5n\CSC2C169F4AC8824909A22F59FEEF4B7A4.TMP

Filesize
652B

MD5
e6d1948f16f72b812b0d9d5200f8a266

SHA1
6bd77df34741fc47e6efcdea0f41c385dbc9afc5

SHA256
1ffd5a3097ef174a25901b4748321ffc39c1f58cf31f4bf0a9c30df74aca6487

SHA512
6a776c215a3f97caa0a4af7dfbcf257c5ad01ed14f0176d971f050db67e91211853b7c046df5217b8447c922718c12ac873ddaa63bc52c810fe0cf29c7f27e4f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3x2n2sku\3x2n2sku.0.cs

Filesize
791B

MD5
3880de647b10555a534f34d5071fe461

SHA1
38b108ee6ea0f177b5dd52343e2ed74ca6134ca1

SHA256
f73390c091cd7e45dac07c22b26bf667054eacda31119513505390529744e15e

SHA512
2bf0a33982ade10ad49b368d313866677bca13074cd988e193b54ab0e1f507116d8218603b62b4e0561f481e8e7e72bdcda31259894552f1e3677627c12a9969

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3x2n2sku\3x2n2sku.cmdline

Filesize
356B

MD5
67d4c329326a6f94a9972204301accd4

SHA1
2a14725090f22ce53990f9d53d0adedf049e3385

SHA256
779142a8d5e2a0a53266fd3b65ef830ef2ba9661f4a08ebf5de19680dfc5995c

SHA512
dae33dbe0b71f1e3edd82e3e891b52290d54a021a425759ccf945cf5aaf2971597acb34358cc852311a1eb122590807f706e93f9a1e24903390acc7fcf194a1a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3x2n2sku\CSCEA6786A6C9634B71B41DD17B7D0CD6F.TMP

Filesize
652B

MD5
3044d35b007e653b1f156d971cb0f5ab

SHA1
ca95626c90f2303d660b475e7f5c2a6d53a3cd21

SHA256
7490c556c38800e9bc9574742557bbf0d9ff230e38dd0ec1c1c48126b5cce425

SHA512
e57930e2fe4bc61fa31d6f2c43a9c36ae8c0ba3dbcd192a0726ac5e4c0321dec309042737c5fbde4d7fea40f508cd0afbf4466670729a4003989095dbf316150

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\shrlckgh\CSC6AD41DB48A394EE08BB6F3E1BFE51DEF.TMP

Filesize
652B

MD5
a3404cbde9b85db401a05e7ce82f1360

SHA1
53a6db38880b0e95401ffc2e421ea78157ead084

SHA256
7db867fb2ce23fcc2fccf997e41249f9f6e426278738ebeb1ce21bf566e7d0c3

SHA512
58220bbb6399beecc171ec6833131aff3e54eb94128bd0ed4cbd1409487e72720a70ba1b10c032f974ef2ef7316de090d3d9133833460a4df9b3811177fcb0e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\shrlckgh\shrlckgh.0.cs

Filesize
5KB

MD5
26294ce6366662ebde6319c51362d56c

SHA1
c571c0ffa13e644eed87523cbd445f4afb1983d1

SHA256
685699daafafa281093b5c368c4d92715949fc300b182d234e800e613be5d8dc

SHA512
bc91bb591368bc511ca5169b3c23cd69a163eeb77f0d7a083fe09cc6aa15d7044a24f95811fa1518f44368dffda6d346f44e1568e7a5373a6450a63ae31883ee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\shrlckgh\shrlckgh.cmdline

Filesize
356B

MD5
8c73dbd04b4256990897c9c48ffb15ec

SHA1
ba97e420421fc5a34d83e6a0245a10863866b2fd

SHA256
3359ede8ef00207c738c447291782a86fb2412af29ba89887dc1bbbff24cf987

SHA512
bc4b53d690ad636d352f52e30c052eeb5d487361f4859ab48b80743c19d1822a3113f127eee633c9fc06971e945c727cf05f0e3e85ad069cc314a221384034c5

Download Submit
memory/164-459-0x000000001D32A000-0x000000001D32F000-memory.dmp

Filesize
20KB

Download
memory/164-278-0x000000001D32A000-0x000000001D32F000-memory.dmp

Filesize
20KB

Download
memory/164-280-0x000000001D32A000-0x000000001D32F000-memory.dmp

Filesize
20KB

Download
memory/1812-352-0x0000000000000000-mapping.dmp

Download
memory/2088-305-0x0000000000000000-mapping.dmp

Download
memory/3036-353-0x0000000000000000-mapping.dmp

Download
memory/3460-310-0x0000000000000000-mapping.dmp

Download
memory/3468-281-0x0000000000000000-mapping.dmp

Download
memory/4000-302-0x0000000000000000-mapping.dmp

Download
memory/4300-289-0x000001C300130000-0x000001C300152000-memory.dmp

Filesize
136KB

Download
memory/4300-309-0x000001C300120000-0x000001C300128000-memory.dmp

Filesize
32KB

Download
memory/4300-342-0x000001C300740000-0x000001C300748000-memory.dmp

Filesize
32KB

Download
memory/4300-292-0x000001C3002F0000-0x000001C300366000-memory.dmp

Filesize
472KB

Download
memory/4300-317-0x000001C300290000-0x000001C300298000-memory.dmp

Filesize
32KB

Download
memory/4380-335-0x0000000000000000-mapping.dmp

Download
memory/4648-338-0x0000000000000000-mapping.dmp

Download
memory/4732-313-0x0000000000000000-mapping.dmp

Download