c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893

Analysis

max time kernel
18s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Size

200KB
MD5

083d6badb0fd9529f2bcd3f713ee4a80
SHA1

89c179167c89181d3914a8977e4aef4ff86cbe82
SHA256

c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893
SHA512

8ed6a4d6bd43fd49c6f53343e2247686061cc26ab2a56a32b7b69c99433856cbd3ec143a41df92ba12d0a65409ead54c67658c3189fe8c033ab5b3d0ac0f3c02
SSDEEP

3072:bfkwPceV2ol9xU1TA5ZwZ9zKbc4OVHUmhHZIwZ+K:bswPDVjyM5ZwZMbc4OV0mhHz

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ = "Microsoft Windows Media Player 12.0"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "12,0,7601,17514"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "12,0,7601,17514"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "12,0,7601,17514"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}\Version = "12,0,7601,17514"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}\Version = "12,0,7601,17514"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}\Version = "12,0,7601,17514"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}\	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}\Version = "12,0,7601,17514"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "12,0,7601,17514"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe

Loads dropped DLL 10 IoCs

Processes:

c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe

pid	process
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe

Drops file in Program Files directory 3 IoCs

Processes:

c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPLAYER.EXE	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\SETUP_WM.EXE	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
File opened for modification	C:\PROGRAM FILES (X86)\WINDOWS MEDIA PLAYER\WMPLAYER.EXE	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe

Drops file in Windows directory 1 IoCs

Processes:

c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe

description ioc process

File created C:\Windows\wmsetup.log c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\wmsetup.log	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe

Modifies registry class 64 IoCs

Processes:

c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.asx	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wmafile	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.m3u\SubType = "{a98c8400-4181-11d1-a520-00a0d10129c0}"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MMSU\Animation = "dxmasf.dll,150"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MMS	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.wma	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\AnimExtensions\.nsc = "dxmasf.dll,150"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wmafile\shellex	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\shellex\ContextMenuHandlers\WMPBurnAudioCD\ = "{8DD448E6-C188-4aed-AF92-44956194EB1F}"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\Compressors\auds	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\Extensions	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\AnimExtensions\.wvx = "dxmasf.dll,150"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MMST\Animation = "dxmasf.dll,150"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.wm	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MMST	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MMSU	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.wvx	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\AnimExtensions\.wmx = "dxmasf.dll,150"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\Extensions\AVI	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wmdb\ = "WMP.WMDBFile"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MMS\Animation = "dxmasf.dll,150"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\Compressors\vids	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.WMDBFile\DefaultIcon\ = "C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe,-120"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.dvr-ms\SubType = "{e06d8023-db46-11cf-b4d1-00805f6cbbea}"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.wmx	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.wmx\Animation = "dxmasf.dll,150"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\shellex\ContextMenuHandlers\WMPBurnAudioCD	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\RIFFHandlers\AVI	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.WMDBFile\FriendlyTypeName = "@C:\\Windows\\inf\\unregmp2.exe,-9924"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.wm\Animation = "dxmasf.dll,150"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\RIFFHandlers\WAVE	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.wax	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.wmv	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\AnimExtensions\.asx = "dxmasf.dll,150"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\AnimExtensions\.wax = "dxmasf.dll,150"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{33FACFE0-A9BE-11d0-A520-00A0D10129C0\0 = "0,4,ffdfdfdf,3C53414d"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\RIFFHandlers	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wmdb	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.WMDBFile\NoOpen	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wmafile\shellex\ContextMenuHandlers\WMPBurnAudioCD	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\Extensions\AU	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\Extensions\WAV	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\AnimExtensions	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\AnimExtensions\.wm = "dxmasf.dll,150"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.m3u	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.m3u\Media Type = "{e436eb83-524f-11ce-9f53-0020af0ba770}"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.asx\Animation = "dxmasf.dll,150"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.wvx\Animation = "dxmasf.dll,150"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\AnimExtensions\.asf = "dxmasf.dll,150"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.m3u\Source Filter = "{e436ebb5-524f-11ce-9f53-0020af0ba770}"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSBD\Animation = "dxmasf.dll,150"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\{e436eb83-524f-11ce-9f53-0020af0ba770}\{33FACFE0-A9BE-11d0-A520-00A0D10129C0	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.asf	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.WMDBFile	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.WMDBFile\ = "Windows 媒体库"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.WMDBFile\DefaultIcon	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.asf\Animation = "dxmasf.dll,150"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\AnimExtensions\. = "dxmasf.dll,150"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\AnimExtensions\.wmv = "dxmasf.dll,150"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\shellex	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.dvr-ms\Source Filter = "{C9F5FE02-F851-4eb5-99EE-AD602AF1E619}"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.wax\Animation = "dxmasf.dll,150"	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe

pid process

1720 c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe

Suspicious behavior: MapViewOfSection 22 IoCs

Processes:

c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe

pid	process
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe

description	pid	process
Token: SeDebugPrivilege	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Token: SeTakeOwnershipPrivilege	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Token: SeRestorePrivilege	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Token: SeBackupPrivilege	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Token: SeChangeNotifyPrivilege	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Token: SeTakeOwnershipPrivilege	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Token: SeRestorePrivilege	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Token: SeBackupPrivilege	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Token: SeChangeNotifyPrivilege	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Token: SeTakeOwnershipPrivilege	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Token: SeRestorePrivilege	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Token: SeBackupPrivilege	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Token: SeChangeNotifyPrivilege	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Token: SeTakeOwnershipPrivilege	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Token: SeRestorePrivilege	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Token: SeBackupPrivilege	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Token: SeChangeNotifyPrivilege	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Token: SeTakeOwnershipPrivilege	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Token: SeRestorePrivilege	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Token: SeBackupPrivilege	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Token: SeChangeNotifyPrivilege	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Token: SeTakeOwnershipPrivilege	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Token: SeRestorePrivilege	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Token: SeBackupPrivilege	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
Token: SeChangeNotifyPrivilege	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe

description	pid	process	target process
PID 1720 wrote to memory of 360	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	wininit.exe
PID 1720 wrote to memory of 360	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	wininit.exe
PID 1720 wrote to memory of 360	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	wininit.exe
PID 1720 wrote to memory of 360	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	wininit.exe
PID 1720 wrote to memory of 360	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	wininit.exe
PID 1720 wrote to memory of 384	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	csrss.exe
PID 1720 wrote to memory of 384	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	csrss.exe
PID 1720 wrote to memory of 384	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	csrss.exe
PID 1720 wrote to memory of 384	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	csrss.exe
PID 1720 wrote to memory of 384	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	csrss.exe
PID 1720 wrote to memory of 420	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	winlogon.exe
PID 1720 wrote to memory of 420	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	winlogon.exe
PID 1720 wrote to memory of 420	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	winlogon.exe
PID 1720 wrote to memory of 420	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	winlogon.exe
PID 1720 wrote to memory of 420	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	winlogon.exe
PID 1720 wrote to memory of 464	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	services.exe
PID 1720 wrote to memory of 464	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	services.exe
PID 1720 wrote to memory of 464	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	services.exe
PID 1720 wrote to memory of 464	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	services.exe
PID 1720 wrote to memory of 464	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	services.exe
PID 1720 wrote to memory of 480	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	lsass.exe
PID 1720 wrote to memory of 480	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	lsass.exe
PID 1720 wrote to memory of 480	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	lsass.exe
PID 1720 wrote to memory of 480	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	lsass.exe
PID 1720 wrote to memory of 480	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	lsass.exe
PID 1720 wrote to memory of 488	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	lsm.exe
PID 1720 wrote to memory of 488	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	lsm.exe
PID 1720 wrote to memory of 488	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	lsm.exe
PID 1720 wrote to memory of 488	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	lsm.exe
PID 1720 wrote to memory of 488	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	lsm.exe
PID 1720 wrote to memory of 600	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 600	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 600	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 600	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 600	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 676	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 676	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 676	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 676	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 676	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 760	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 760	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 760	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 760	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 760	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 812	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 812	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 812	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 812	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 812	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 848	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 848	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 848	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 848	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 848	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 872	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 872	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 872	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 872	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 872	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 292	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 292	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 292	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe
PID 1720 wrote to memory of 292	1720	c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1092

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:756

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1140

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:1028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:600

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:360

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:488

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1996

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1936

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1288

C:\Users\Admin\AppData\Local\Temp\c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe
"C:\Users\Admin\AppData\Local\Temp\c88994693b590c8bcedcb9707a4b4e059fc042f596fda2a91c88bdaa0c494893.exe"
2⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1204

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\PROGRA~2\WI54FB~1\setup_wm.exe
Filesize
1.9MB

MD5
815eca02f8e9959a61d353ef15c0c004

SHA1
0281002f3198855d9a8589f7bbbc568b9f491012

SHA256
f271e4d2d17fa43be0f10618cafa00b869afa2a6b57f7acb0f3ba6c03c8b05ce

SHA512
714ac06d5e4327bd2691420e754d84227554e2694b2f4989270f5353dc73d41fd6973bd5269de53b8c654c5e8665edbaf8ed32a88351f4292838d4d3dd98ebfd

Download Submit
\PROGRA~2\WI54FB~1\setup_wm.exe
Filesize
1.9MB

MD5
815eca02f8e9959a61d353ef15c0c004

SHA1
0281002f3198855d9a8589f7bbbc568b9f491012

SHA256
f271e4d2d17fa43be0f10618cafa00b869afa2a6b57f7acb0f3ba6c03c8b05ce

SHA512
714ac06d5e4327bd2691420e754d84227554e2694b2f4989270f5353dc73d41fd6973bd5269de53b8c654c5e8665edbaf8ed32a88351f4292838d4d3dd98ebfd

Download Submit
\PROGRA~2\WI54FB~1\wmplayer.exe
Filesize
172KB

MD5
27055763401a6d758def302de6e970e2

SHA1
8e656f9bc6f2af3b458a1603b3c817c5b6bc5b93

SHA256
4a4aa959cbbcfe25e60bd4f5a5f86ec5c4402b216650bcdff1923945a02ce1b4

SHA512
b000718f3ee95a968a98282277448c406bcfb7b2877b6aa97183abe8f1d8f44d61f003b43c5ae0dff5fd1e6ab9527480987765cd093ad20292dae0ede7b3b4e8

Download Submit
\PROGRA~2\WI54FB~1\wmplayer.exe
Filesize
204KB

MD5
c3a47a46e7f14c4d6c2c6761c5d566cb

SHA1
483f3ddd37bccd375b98fb458997c96c06aa810e

SHA256
6890b6c45343519572eb746950965455e28df5355e52fb7e7d5d0f2af75febbb

SHA512
4e041b4053604077c7f4eebd2d0690dd66ed3ed8973295adb54131c3fadca24ebc2631a6cb60cd207542afe6bc39f812f25102f198e78b74948c99faf2e52529

Download Submit
\PROGRA~2\WI54FB~1\wmplayer.exe
Filesize
236KB

MD5
9dd48e0e1af2139a0844a5af93e4dd35

SHA1
faae3cd9801d07c2b61dbd4cf7e0272996f54f40

SHA256
1bce0771cac93954614850d6554219419841bdb258dd9327f3f1de6c460fdbc5

SHA512
22858abd9859d137971c178cb2ef12cc6bfee7f6b08ce6257f15d127b2000f11125d991091f880b6ed1b14719c9d0b615bb6c62519de511bb2735a3cdd44f0c2

Download Submit
\PROGRA~2\WI54FB~1\wmplayer.exe
Filesize
268KB

MD5
acc9863f6cabac14727a9949409ab2b6

SHA1
115ae0133ef3f37059b110060a623b16075a6d26

SHA256
bf86ec882a938383a3c86b3ad188ee9fe3a6fa40d0cd7d8164ca1769110e4f46

SHA512
906473b0cef5f7276a90f312e10894b9882738e53de423982a6052fc9b7e4d4d3bc15d1bf69a95841283a5a7e803d2e158675ac00dc435379d68dbcdb35f60b1

Download Submit
\PROGRA~2\WI54FB~1\wmplayer.exe
Filesize
300KB

MD5
efc9432d9fcbd62bbdf83c528d31a065

SHA1
67ed1babaf693e64a529a84e9081ad1c79202a65

SHA256
049cc8826576e31637ad69e433bdb1442d0ab36c24703708721352c9f5e42e44

SHA512
0a2e776677274fd1369fe9d8891adfeeee44fcf2505a99e01228464cae9fcb87ba6b343b7963859b94b385fc8dba15cb6fed55c26e9458bac59d0b7c8b712e25

Download Submit
\PROGRA~2\WI54FB~1\wmplayer.exe
Filesize
300KB

MD5
efc9432d9fcbd62bbdf83c528d31a065

SHA1
67ed1babaf693e64a529a84e9081ad1c79202a65

SHA256
049cc8826576e31637ad69e433bdb1442d0ab36c24703708721352c9f5e42e44

SHA512
0a2e776677274fd1369fe9d8891adfeeee44fcf2505a99e01228464cae9fcb87ba6b343b7963859b94b385fc8dba15cb6fed55c26e9458bac59d0b7c8b712e25

Download Submit
\Program Files (x86)\Windows Media Player\wmplayer.exe
Filesize
300KB

MD5
efc9432d9fcbd62bbdf83c528d31a065

SHA1
67ed1babaf693e64a529a84e9081ad1c79202a65

SHA256
049cc8826576e31637ad69e433bdb1442d0ab36c24703708721352c9f5e42e44

SHA512
0a2e776677274fd1369fe9d8891adfeeee44fcf2505a99e01228464cae9fcb87ba6b343b7963859b94b385fc8dba15cb6fed55c26e9458bac59d0b7c8b712e25

Download Submit
\Program Files (x86)\Windows Media Player\wmplayer.exe
Filesize
300KB

MD5
efc9432d9fcbd62bbdf83c528d31a065

SHA1
67ed1babaf693e64a529a84e9081ad1c79202a65

SHA256
049cc8826576e31637ad69e433bdb1442d0ab36c24703708721352c9f5e42e44

SHA512
0a2e776677274fd1369fe9d8891adfeeee44fcf2505a99e01228464cae9fcb87ba6b343b7963859b94b385fc8dba15cb6fed55c26e9458bac59d0b7c8b712e25

Download Submit
memory/1720-62-0x00000000001F0000-0x0000000000224000-memory.dmp

Filesize
208KB

Download
memory/1720-65-0x0000000000D90000-0x0000000000DD4000-memory.dmp

Filesize
272KB

Download
memory/1720-66-0x00000000001F0000-0x000000000023C000-memory.dmp

Filesize
304KB

Download
memory/1720-64-0x0000000000CC0000-0x0000000000EB7000-memory.dmp

Filesize
2.0MB

Download
memory/1720-63-0x00000000001F0000-0x000000000022C000-memory.dmp

Filesize
240KB

Download
memory/1720-54-0x0000000076221000-0x0000000076223000-memory.dmp

Filesize
8KB

Download
memory/1720-61-0x0000000001000000-0x0000000001039000-memory.dmp

Filesize
228KB

Download
memory/1720-71-0x0000000001000000-0x0000000001039000-memory.dmp

Filesize
228KB

Download
memory/1720-72-0x0000000000C10000-0x0000000000C64000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads