e382e84e93e664ca59dff417783b4d6590d6e99c6dec501deccffbb1e71a1820

General

Target

e382e84e93e664ca59dff417783b4d6590d6e99c6dec501deccffbb1e71a1820.exe
Size

15.6MB
MD5

0cc7fce781f29893024c4ee445af66f8
SHA1

ac1815eda9243e64495f08128608b6a4315f0ea1
SHA256

e382e84e93e664ca59dff417783b4d6590d6e99c6dec501deccffbb1e71a1820
SHA512

6e57a9261d2231a00400d4246fb49ee559b2151c4b730b85ef4758592f9a3d1f28367e6d6fea51ad3b271cf0b5747c4b4a8cf9885406d94c99597a79dd17c78a
SSDEEP

393216:iFmqhSX06HF3RUI2eg+uLd2dW4yI/QpCUOX:WFME6HNKI2SuLIdW4yI/QUUOX

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

FFF765507A88A.exe

pid process

1536 FFF765507A88A.exe

pid	process
1536	FFF765507A88A.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\H7F363\DBEDC536FCA\G8F6C56\CAE2gszFJ.dll	vmprotect
behavioral1/memory/1536-82-0x00000000710A0000-0x00000000712A9000-memory.dmp	vmprotect
behavioral1/memory/1536-83-0x00000000710A0000-0x00000000712A9000-memory.dmp	vmprotect
behavioral1/memory/1536-85-0x00000000710A0000-0x00000000712A9000-memory.dmp	vmprotect

Loads dropped DLL 4 IoCs

Processes:

e382e84e93e664ca59dff417783b4d6590d6e99c6dec501deccffbb1e71a1820.exeFFF765507A88A.exe

pid	process
1808	e382e84e93e664ca59dff417783b4d6590d6e99c6dec501deccffbb1e71a1820.exe
1808	e382e84e93e664ca59dff417783b4d6590d6e99c6dec501deccffbb1e71a1820.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe

Drops file in System32 directory 2 IoCs

Processes:

FFF765507A88A.exe

description	ioc	process
File created	C:\Windows\SysWOW64\CDB8nswIH.sys	FFF765507A88A.exe
File opened for modification	C:\Windows\SysWOW64\CDB8nswIH.sys	FFF765507A88A.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e382e84e93e664ca59dff417783b4d6590d6e99c6dec501deccffbb1e71a1820.exe

description	pid	process	target process
PID 1808 set thread context of 1536	1808	e382e84e93e664ca59dff417783b4d6590d6e99c6dec501deccffbb1e71a1820.exe	FFF765507A88A.exe

Drops file in Program Files directory 2 IoCs

Processes:

e382e84e93e664ca59dff417783b4d6590d6e99c6dec501deccffbb1e71a1820.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\FFF765507A88A.exe	e382e84e93e664ca59dff417783b4d6590d6e99c6dec501deccffbb1e71a1820.exe
File opened for modification	C:\Program Files (x86)\Common Files\FFF765507A88A.exe	e382e84e93e664ca59dff417783b4d6590d6e99c6dec501deccffbb1e71a1820.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEFFF765507A88A.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376157752"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F6CDB761-6CDB-11ED-A448-E20468906380} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TypedURLs	FFF765507A88A.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\ClearBrowsingHistoryOnExit = "1"	FFF765507A88A.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000ae2223ed6f77644944c19d55993b9dc00000000020000000000106600000001000020000000c280e1669617363c6b5d36af086225de789a2f7962605382150fc9f1a14b2441000000000e8000000002000020000000b783999db98c1b1e35721bf0f2236d65120510d0d46f2d1ab6a724a7f8eb48e090000000ea20cbe2eaee627789f2899264169371586739bfa1eea56fb94e3fc025bb1a6d8785260393114194ba0df6eec89ae430f7ab2201808f771c8bd7046c6b008e946d59e481cb30912d6928b80cb3b3399f481230e45c54fca2c0f19264264d3670420d33766a926b2122abb4177750726d8c8a9e81e5db2ed115ae510c7eb47b337584eff5241acce931acae0cae11a43f40000000b280c4e56f51997a1c43eb131bc7cea3ad65cf7cc62b19f1b0acf4179e2c3538259aa078e124a924dd47f60c5f7b4e4f2c07d833050200672df3bd92617fd8f4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanPassword = "1"	FFF765507A88A.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000ae2223ed6f77644944c19d55993b9dc00000000020000000000106600000001000020000000fc701d40fbf53db9a603d20fcb58760ee73e2a0d9471934067b23761432f9a90000000000e8000000002000020000000457e6fc46103c3d14fe66e71a55cae0aecf299b083cd55fe7d1ec249db08283120000000de2b6ed6a055092f0c590acbc665b2a9c8a7f846100f123809ce7eaebfc125a24000000041638bf2f178b47f6971ef79df46c8065c90c0c7802ea68bf89eaa0c2f176109f9f60e1d1d17350760fd99b4144540f0db57702a424ca9ac765ae11e3a8af512	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80cbd8dfe800d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanForms = "1"	FFF765507A88A.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy	FFF765507A88A.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	FFF765507A88A.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanInPrivateBlocking = "1"	FFF765507A88A.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "1"	FFF765507A88A.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanHistory = "1"	FFF765507A88A.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\UseAllowList = "1"	FFF765507A88A.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	FFF765507A88A.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanTIF = "1"	FFF765507A88A.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	FFF765507A88A.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e382e84e93e664ca59dff417783b4d6590d6e99c6dec501deccffbb1e71a1820.exeFFF765507A88A.exe

pid	process
1808	e382e84e93e664ca59dff417783b4d6590d6e99c6dec501deccffbb1e71a1820.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1624	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1624	AUDIODG.EXE
Token: 33	1624	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1624	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

FFF765507A88A.exeiexplore.exe

pid process

1536 FFF765507A88A.exe
1924 iexplore.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

FFF765507A88A.exe

pid process

1536 FFF765507A88A.exe

pid	process
1536	FFF765507A88A.exe
1924	iexplore.exe

pid	process
1536	FFF765507A88A.exe

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

e382e84e93e664ca59dff417783b4d6590d6e99c6dec501deccffbb1e71a1820.exeFFF765507A88A.exeiexplore.exeIEXPLORE.EXE

pid	process
1808	e382e84e93e664ca59dff417783b4d6590d6e99c6dec501deccffbb1e71a1820.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1536	FFF765507A88A.exe
1924	iexplore.exe
1924	iexplore.exe
572	IEXPLORE.EXE
572	IEXPLORE.EXE
572	IEXPLORE.EXE
572	IEXPLORE.EXE
1536	FFF765507A88A.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

e382e84e93e664ca59dff417783b4d6590d6e99c6dec501deccffbb1e71a1820.exeFFF765507A88A.exeiexplore.exe

description	pid	process	target process
PID 1808 wrote to memory of 1536	1808	e382e84e93e664ca59dff417783b4d6590d6e99c6dec501deccffbb1e71a1820.exe	FFF765507A88A.exe
PID 1808 wrote to memory of 1536	1808	e382e84e93e664ca59dff417783b4d6590d6e99c6dec501deccffbb1e71a1820.exe	FFF765507A88A.exe
PID 1808 wrote to memory of 1536	1808	e382e84e93e664ca59dff417783b4d6590d6e99c6dec501deccffbb1e71a1820.exe	FFF765507A88A.exe
PID 1808 wrote to memory of 1536	1808	e382e84e93e664ca59dff417783b4d6590d6e99c6dec501deccffbb1e71a1820.exe	FFF765507A88A.exe
PID 1808 wrote to memory of 1536	1808	e382e84e93e664ca59dff417783b4d6590d6e99c6dec501deccffbb1e71a1820.exe	FFF765507A88A.exe
PID 1808 wrote to memory of 1536	1808	e382e84e93e664ca59dff417783b4d6590d6e99c6dec501deccffbb1e71a1820.exe	FFF765507A88A.exe
PID 1808 wrote to memory of 1536	1808	e382e84e93e664ca59dff417783b4d6590d6e99c6dec501deccffbb1e71a1820.exe	FFF765507A88A.exe
PID 1808 wrote to memory of 1536	1808	e382e84e93e664ca59dff417783b4d6590d6e99c6dec501deccffbb1e71a1820.exe	FFF765507A88A.exe
PID 1536 wrote to memory of 1924	1536	FFF765507A88A.exe	iexplore.exe
PID 1536 wrote to memory of 1924	1536	FFF765507A88A.exe	iexplore.exe
PID 1536 wrote to memory of 1924	1536	FFF765507A88A.exe	iexplore.exe
PID 1536 wrote to memory of 1924	1536	FFF765507A88A.exe	iexplore.exe
PID 1924 wrote to memory of 572	1924	iexplore.exe	IEXPLORE.EXE
PID 1924 wrote to memory of 572	1924	iexplore.exe	IEXPLORE.EXE
PID 1924 wrote to memory of 572	1924	iexplore.exe	IEXPLORE.EXE
PID 1924 wrote to memory of 572	1924	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\e382e84e93e664ca59dff417783b4d6590d6e99c6dec501deccffbb1e71a1820.exe
"C:\Users\Admin\AppData\Local\Temp\e382e84e93e664ca59dff417783b4d6590d6e99c6dec501deccffbb1e71a1820.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1808

C:\Program Files (x86)\Common Files\FFF765507A88A.exe
"C:\Program Files (x86)\Common Files\FFF765507A88A.exe" WfCSiyl7KCmSj3qDd3ySjx4eWi8qL5JifXkvgpKKe4Meknvp5uh75up75+l75OTqeS/r53p0dOrf5eXm6XjqeuTr59565Hvn53nkent5697fent5eXR0eHjfe+XfL9/m6N48eyZ7Tg==
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1536

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.longyingfz.com/
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1924

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1924 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:572

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x490
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\FFF765507A88A.exe
Filesize
986KB

MD5
2dc7b890145800b3352e31ebaca97080

SHA1
519a8af15eb744a76602cb42b8f521ed898f508f

SHA256
be091533285a24e160ef6e1fc5439c8c9494968684fec50bb4dcacf2629c5a69

SHA512
a4876f3985710443ec18b17a4394c52e0132df0e6ec0016b4438ad1cbf680f9603378375763589c137e1f745f67355635651c46c29c7bc188297f6b3a5c371cd

Download Submit
C:\Program Files (x86)\Common Files\FFF765507A88A.exe
Filesize
986KB

MD5
2dc7b890145800b3352e31ebaca97080

SHA1
519a8af15eb744a76602cb42b8f521ed898f508f

SHA256
be091533285a24e160ef6e1fc5439c8c9494968684fec50bb4dcacf2629c5a69

SHA512
a4876f3985710443ec18b17a4394c52e0132df0e6ec0016b4438ad1cbf680f9603378375763589c137e1f745f67355635651c46c29c7bc188297f6b3a5c371cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
e5c04d14962260e4415fc084da63883b

SHA1
56469525b710b8fe5ae3ce1c7fbc375b6b57448d

SHA256
a9bcfacab5aae8ea1365ccdfb1138592a9cc07ce8fb301e83774a7a3c8541ad1

SHA512
82592e8d6ef318f18da4a52750608e711afc365e92329633f80b584ca1d27f2a596ad28745d6ae5f9ef4b4955b9a705e89775498a56ba657d5f242e4489cfd11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1VP89ETT.txt
Filesize
601B

MD5
f4264b82a84e50e57e1665280b87b0db

SHA1
0c6ea6407c5c9bee108e74c61aa76159c9204f0a

SHA256
2d3665233cf6026cccee0e99e796c9e5830b84aa9b64efc9e55713889a5150ba

SHA512
f4faf0357f427f1075a8adfd8011ded99ca9aaa4c65aabe5cb191bc689124e955849167402a8d0b6711819325b16627cedf07957f609414c72495a413af68c61

Download Submit
\Program Files (x86)\Common Files\FFF765507A88A.exe
Filesize
986KB

MD5
2dc7b890145800b3352e31ebaca97080

SHA1
519a8af15eb744a76602cb42b8f521ed898f508f

SHA256
be091533285a24e160ef6e1fc5439c8c9494968684fec50bb4dcacf2629c5a69

SHA512
a4876f3985710443ec18b17a4394c52e0132df0e6ec0016b4438ad1cbf680f9603378375763589c137e1f745f67355635651c46c29c7bc188297f6b3a5c371cd

Download Submit
\Program Files (x86)\Common Files\FFF765507A88A.exe
Filesize
986KB

MD5
2dc7b890145800b3352e31ebaca97080

SHA1
519a8af15eb744a76602cb42b8f521ed898f508f

SHA256
be091533285a24e160ef6e1fc5439c8c9494968684fec50bb4dcacf2629c5a69

SHA512
a4876f3985710443ec18b17a4394c52e0132df0e6ec0016b4438ad1cbf680f9603378375763589c137e1f745f67355635651c46c29c7bc188297f6b3a5c371cd

Download Submit
\Program Files (x86)\Common Files\FFF765507A88A.exe
Filesize
986KB

MD5
2dc7b890145800b3352e31ebaca97080

SHA1
519a8af15eb744a76602cb42b8f521ed898f508f

SHA256
be091533285a24e160ef6e1fc5439c8c9494968684fec50bb4dcacf2629c5a69

SHA512
a4876f3985710443ec18b17a4394c52e0132df0e6ec0016b4438ad1cbf680f9603378375763589c137e1f745f67355635651c46c29c7bc188297f6b3a5c371cd

Download Submit
\Users\Admin\AppData\Local\Temp\H7F363\DBEDC536FCA\G8F6C56\CAE2gszFJ.dll
Filesize
985KB

MD5
392ee99c148b36ef56962263bfd17f16

SHA1
ddbbc756730006395535391b18b363a69c1f6d6f

SHA256
9a3858679f0913ae289f3bbfa989bfc50069346321a06f568e0184fb04aa5930

SHA512
a72a41a0dd813e63eaf0ae131b9af57c065fee2555aa584047373c6188a3fbb1299bf8faa6f49139bdcb9d58e325fd68e16d924ef562a804d4016a87092471e0

Download Submit
memory/1536-61-0x0000000000400000-0x000000000220C000-memory.dmp

Filesize
30.0MB

Download
memory/1536-60-0x0000000000400000-0x000000000220C000-memory.dmp

Filesize
30.0MB

Download
memory/1536-67-0x0000000000400000-0x000000000220C000-memory.dmp

Filesize
30.0MB

Download
memory/1536-68-0x00000000012D5726-mapping.dmp

Download
memory/1536-85-0x00000000710A0000-0x00000000712A9000-memory.dmp

Filesize
2.0MB

Download
memory/1536-83-0x00000000710A0000-0x00000000712A9000-memory.dmp

Filesize
2.0MB

Download
memory/1536-72-0x0000000000400000-0x000000000220C000-memory.dmp

Filesize
30.0MB

Download
memory/1536-74-0x0000000000400000-0x000000000220C000-memory.dmp

Filesize
30.0MB

Download
memory/1536-75-0x0000000000400000-0x000000000220C000-memory.dmp

Filesize
30.0MB

Download
memory/1536-63-0x0000000000400000-0x000000000220C000-memory.dmp

Filesize
30.0MB

Download
memory/1536-78-0x0000000000400000-0x000000000220C000-memory.dmp

Filesize
30.0MB

Download
memory/1536-79-0x0000000000400000-0x000000000220C000-memory.dmp

Filesize
30.0MB

Download
memory/1536-82-0x00000000710A0000-0x00000000712A9000-memory.dmp

Filesize
2.0MB

Download
memory/1536-64-0x0000000000400000-0x000000000220C000-memory.dmp

Filesize
30.0MB

Download
memory/1808-54-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/1808-73-0x00000000008A0000-0x00000000026AC000-memory.dmp

Filesize
30.0MB

Download
memory/1808-65-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/1808-57-0x00000000008A0000-0x00000000026AC000-memory.dmp

Filesize
30.0MB

Download
memory/1808-55-0x00000000008A0000-0x00000000026AC000-memory.dmp

Filesize
30.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads