acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d

Analysis

max time kernel
157s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
Size

909KB
MD5

088ebcfa72b7c06dd0cfdc1250b39000
SHA1

99e3cacb51cc608124c30793e5655b2776b3d6af
SHA256

acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d
SHA512

b7ff8dedeec3f95ab24434f7cca0d06d17c60e1928bc7f8012bdd02ac2cc8b9730586da1b1ad687417481af0a344c8b9c67f7ecb7d196ef4160def820640ca7c
SSDEEP

24576:HePTJVWEhwByzSzlykFYtUJUpe08NVvmXILzPOsEd+3wW:4JN1zyl7FYtXS1WInj2+3wW

Score

9^/10

aspackv2 persistence spyware stealer

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000500000001da06-144.dat	acprotect
behavioral2/files/0x000400000001da29-145.dat	acprotect

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000022f5c-132.dat	aspack_v212_v242
behavioral2/files/0x0006000000022f5c-133.dat	aspack_v212_v242
behavioral2/files/0x0006000000022f5e-134.dat	aspack_v212_v242
behavioral2/files/0x0006000000022f5e-135.dat	aspack_v212_v242

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eo935vOL8xy\ImagePath = "\\??\\C:\\Windows\\yFWyKo22YpsAt\\CDClient64.sys"	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\opWKxyIG7WI\ImagePath = "\\??\\C:\\Windows\\opWKxyIG7WI02\\CDClient64.sys"	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe

Loads dropped DLL 6 IoCs

pid	Process
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xDwxrwr.dll	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
File created	C:\Windows\SysWOW64\mDsHpIJ.dll	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
File created	C:\Windows\SysWOW64\046F7.dat	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
File created	C:\Windows\SysWOW64\184327.bat	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
File created	C:\Windows\SysWOW64\184333.bat	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\yFWyKo22YpsAt\CDClient64.sys	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
File created	C:\Windows\opWKxyIG7WI02\CDClient64.sys	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Local Page = "http://www.sogou.com/index.htm?pid=sogou-netb-5ac8bb8a7d745102-0001"	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.sogou.com/index.htm?pid=sogou-netb-5ac8bb8a7d745102-0001"	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.sogou.com/index.htm?pid=sogou-netb-5ac8bb8a7d745102-0001"	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
Token: 33	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
Token: SeIncBasePriorityPrivilege	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
Token: SeLoadDriverPrivilege	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
Token: SeLoadDriverPrivilege	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
Token: 33	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
Token: SeIncBasePriorityPrivilege	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 4248	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	80
PID 4804 wrote to memory of 4248	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	80
PID 4804 wrote to memory of 4248	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	80
PID 4248 wrote to memory of 1468	4248	cmd.exe	82
PID 4248 wrote to memory of 1468	4248	cmd.exe	82
PID 4248 wrote to memory of 1468	4248	cmd.exe	82
PID 4248 wrote to memory of 2544	4248	cmd.exe	83
PID 4248 wrote to memory of 2544	4248	cmd.exe	83
PID 4248 wrote to memory of 2544	4248	cmd.exe	83
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42
PID 4804 wrote to memory of 2640	4804	acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe	42

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2640
- C:\Users\Admin\AppData\Local\Temp\acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe
  "C:\Users\Admin\AppData\Local\Temp\acf3f37dcfaaf0005979f55c20e079adf3657190e0855a649b6b4ceb46457e9d.exe"
  2⤵
  - Sets service image path in registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C C:\Windows\SysWOW64\184327.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4248
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\*.default" /B
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\*.default" /B
      4⤵
      PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C C:\Windows\SysWOW64\184333.bat
    3⤵
    PID:1592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\*.default" /B
      4⤵
      PID:228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\*.default" /B
      4⤵
      PID:4280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qxnqFvo\xAuvECq.dll

Filesize
775KB

MD5
3a54589b0aa9b1f91b7a2a9ae8b0da2e

SHA1
e37c7f08a2e4cd47ec577dfe03cf51d75f4c1acc

SHA256
9b5b85e126055208792611a3ccadc06aadc4a3c6319f83adf8d73a4c4e3619f2

SHA512
efb2d038a991896775436d67bd14420fda6f7883f356b7379f3be9eb5cfad06baa62bda0faa75de407874187e0464550fcc63ea687a65e82c6bc78a438309212

Download Submit
C:\Users\Admin\AppData\Local\Temp\qxnqFvo\xAuvECq.dll

Filesize
775KB

MD5
3a54589b0aa9b1f91b7a2a9ae8b0da2e

SHA1
e37c7f08a2e4cd47ec577dfe03cf51d75f4c1acc

SHA256
9b5b85e126055208792611a3ccadc06aadc4a3c6319f83adf8d73a4c4e3619f2

SHA512
efb2d038a991896775436d67bd14420fda6f7883f356b7379f3be9eb5cfad06baa62bda0faa75de407874187e0464550fcc63ea687a65e82c6bc78a438309212

Download Submit
C:\Users\Admin\AppData\Local\Temp\qxnqFvo\yFnEuwt.dll

Filesize
724KB

MD5
dbe4d0a030cddd359418b04c7c2ca260

SHA1
58c0c40dae5331a398e25a29a3ea03c7cbca9be6

SHA256
31a2c89953035a671fa9a7aa260c11d083568066734041ab81964aef68fc2ab8

SHA512
2bf37461a7509b6045fae0d2e7e4bec1d1c06af4965a987443ef7878cb2a1a74658de4c9d8483091018735a960ec6c29b99885a22978e07f2de9885c0964f86d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qxnqFvo\yFnEuwt.dll

Filesize
724KB

MD5
dbe4d0a030cddd359418b04c7c2ca260

SHA1
58c0c40dae5331a398e25a29a3ea03c7cbca9be6

SHA256
31a2c89953035a671fa9a7aa260c11d083568066734041ab81964aef68fc2ab8

SHA512
2bf37461a7509b6045fae0d2e7e4bec1d1c06af4965a987443ef7878cb2a1a74658de4c9d8483091018735a960ec6c29b99885a22978e07f2de9885c0964f86d

Download Submit
C:\Windows\SysWOW64\184327.bat

Filesize
5KB

MD5
ebeff7b70bc4dcc47b4424ee6472e123

SHA1
de26d8e8042b27b4e43c721a52eb61f30b7abf35

SHA256
fd2242eef0d6adc82b68e9b57e52ebccdc5fe636ab7f9d345ddfcca72f1cf82d

SHA512
49fac33297d33d0c3f7f67546a50a2c0b7bfd2f36ed6658097aba9eeac4231ceb0de3c5e41c54ec703bbe47a081925d8df41e74aae6626a2bf253fe8fa4e5230

Download Submit
C:\Windows\SysWOW64\184333.bat

Filesize
5KB

MD5
ebeff7b70bc4dcc47b4424ee6472e123

SHA1
de26d8e8042b27b4e43c721a52eb61f30b7abf35

SHA256
fd2242eef0d6adc82b68e9b57e52ebccdc5fe636ab7f9d345ddfcca72f1cf82d

SHA512
49fac33297d33d0c3f7f67546a50a2c0b7bfd2f36ed6658097aba9eeac4231ceb0de3c5e41c54ec703bbe47a081925d8df41e74aae6626a2bf253fe8fa4e5230

Download Submit
C:\Windows\SysWOW64\mDsHpIJ.dll

Filesize
69KB

MD5
50816f48c1f03434c6d1daf3f0afe3ec

SHA1
b3b42a7ce4e9df46d1268a532bf490f283c2b9bc

SHA256
5a7e6cdd26757773d3684e5f4b0cc19538af0535b283f0a2693b1f65ce991f65

SHA512
4cf28ffb211416ea0d9826edb9821b3963a7a43e3156e302ae74b68e6fe152de27177754fa4fbee283648084334f02781e7ec11ef246f9e2d3e38de7045bc653

Download Submit
C:\Windows\SysWOW64\xDwxrwr.dll

Filesize
71KB

MD5
396b17a6166836ef8f46a89c2e185629

SHA1
70e7a2d727d4076c47395b71ad095342ff825d55

SHA256
d61782b798062694185133ac622a6b761ac9d989b7320b909b8655474dcb17be

SHA512
b6d7beabdbecb5132636b30ac4b884a6a5219e20a310c8f0fc8033ebff791de60b84aca6f1372ceb8b96df7202dee5110852fd7b163c8f6f200504c2a0baeca5

Download Submit
memory/4804-146-0x0000000071290000-0x00000000712B9000-memory.dmp

Filesize
164KB

Download
memory/4804-147-0x0000000071260000-0x0000000071287000-memory.dmp

Filesize
156KB

Download