8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2023 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Size

5.1MB
MD5

abd60ea9357ed25a18723aa9edf77171
SHA1

dab5fd418b793eacd8efa0baf005bd10f026a7b9
SHA256

8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721
SHA512

485f7243ed9701c593d6df5d14e6b135d87a26d20e83243c63fc219078f32d8f2bde9bd55ca88e85c70ce09ff29f70ed04977b1a1a02b7d4c85d861ddbe37a44
SSDEEP

98304:ANFWSfLtP8wZXk6AiSef1LLb7Q2ucRvFKwVvelYNVQkeFM0oTkJ6U2S2:IFNVRkOh1Lk2ldKQ2lsVQvG

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
1476	ÂÌÉ«¹«Òæ(¹ý°×).exe
2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
3260	ÂÌÉ«¹«Òæ(¹ý°×).exe
3876	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
3832	ÂÌÉ«¹«Òæ(¹ý°×).exe

UPX packed file 50 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2560-0-0x0000000000400000-0x00000000010F3000-memory.dmp	upx
behavioral2/memory/2560-2-0x0000000001710000-0x000000000171B000-memory.dmp	upx
behavioral2/memory/2560-4-0x0000000001720000-0x000000000172B000-memory.dmp	upx
behavioral2/memory/2560-6-0x0000000002F70000-0x0000000002F78000-memory.dmp	upx
behavioral2/files/0x0001000000000031-29.dat	upx
behavioral2/files/0x0001000000000031-31.dat	upx
behavioral2/memory/2560-32-0x0000000000400000-0x00000000010F3000-memory.dmp	upx
behavioral2/memory/2560-33-0x0000000001710000-0x000000000171B000-memory.dmp	upx
behavioral2/memory/2560-34-0x0000000001720000-0x000000000172B000-memory.dmp	upx
behavioral2/memory/3884-36-0x00000000014D0000-0x00000000014DB000-memory.dmp	upx
behavioral2/memory/3884-38-0x00000000014E0000-0x00000000014EB000-memory.dmp	upx
behavioral2/memory/3884-40-0x0000000001500000-0x0000000001508000-memory.dmp	upx
behavioral2/memory/3884-59-0x0000000001500000-0x0000000001508000-memory.dmp	upx
behavioral2/files/0x0001000000000032-71.dat	upx
behavioral2/files/0x0001000000000032-72.dat	upx
behavioral2/memory/3884-73-0x0000000000400000-0x00000000010F3000-memory.dmp	upx
behavioral2/memory/1476-74-0x0000000000400000-0x0000000001098000-memory.dmp	upx
behavioral2/memory/1476-75-0x0000000000400000-0x0000000001098000-memory.dmp	upx
behavioral2/memory/3884-77-0x00000000014D0000-0x00000000014DB000-memory.dmp	upx
behavioral2/memory/3884-80-0x00000000014E0000-0x00000000014EB000-memory.dmp	upx
behavioral2/memory/1476-81-0x0000000000400000-0x0000000001098000-memory.dmp	upx
behavioral2/files/0x0001000000000031-84.dat	upx
behavioral2/memory/2636-85-0x0000000000400000-0x00000000010F3000-memory.dmp	upx
behavioral2/memory/3884-86-0x0000000000400000-0x00000000010F3000-memory.dmp	upx
behavioral2/memory/3884-112-0x0000000000400000-0x00000000010F3000-memory.dmp	upx
behavioral2/memory/2636-114-0x0000000002EF0000-0x0000000002EFB000-memory.dmp	upx
behavioral2/memory/2636-116-0x0000000002F00000-0x0000000002F0B000-memory.dmp	upx
behavioral2/memory/2636-118-0x0000000002F10000-0x0000000002F18000-memory.dmp	upx
behavioral2/memory/2636-138-0x0000000000400000-0x00000000010F3000-memory.dmp	upx
behavioral2/files/0x0001000000000032-151.dat	upx
behavioral2/memory/3260-152-0x0000000000400000-0x0000000001098000-memory.dmp	upx
behavioral2/memory/2636-153-0x0000000002EF0000-0x0000000002EFB000-memory.dmp	upx
behavioral2/memory/2636-155-0x0000000002F00000-0x0000000002F0B000-memory.dmp	upx
behavioral2/files/0x0001000000000032-156.dat	upx
behavioral2/memory/2636-159-0x0000000002F10000-0x0000000002F18000-memory.dmp	upx
behavioral2/memory/3260-163-0x0000000000400000-0x0000000001098000-memory.dmp	upx
behavioral2/files/0x0001000000000031-165.dat	upx
behavioral2/memory/3876-166-0x0000000000400000-0x00000000010F3000-memory.dmp	upx
behavioral2/memory/3876-170-0x00000000014F0000-0x00000000014F8000-memory.dmp	upx
behavioral2/memory/2636-215-0x0000000000400000-0x00000000010F3000-memory.dmp	upx
behavioral2/memory/3876-216-0x0000000000400000-0x00000000010F3000-memory.dmp	upx
behavioral2/files/0x0001000000000032-225.dat	upx
behavioral2/files/0x0001000000000032-229.dat	upx
behavioral2/memory/3876-230-0x00000000014D0000-0x00000000014DB000-memory.dmp	upx
behavioral2/memory/3832-231-0x0000000000400000-0x0000000001098000-memory.dmp	upx
behavioral2/memory/3876-232-0x00000000014E0000-0x00000000014EB000-memory.dmp	upx
behavioral2/memory/3876-233-0x00000000014F0000-0x00000000014F8000-memory.dmp	upx
behavioral2/files/0x0001000000000032-236.dat	upx
behavioral2/memory/3832-241-0x0000000000400000-0x0000000001098000-memory.dmp	upx
behavioral2/memory/3876-267-0x0000000000400000-0x00000000010F3000-memory.dmp	upx

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
File opened (read-only)	\??\F:	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
File opened (read-only)	\??\F:	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
File opened for modification	\??\PhysicalDrive0	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
File opened for modification	\??\PhysicalDrive0	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
3876	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
3876	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
3876	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
3876	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	2560	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	2560	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	2560	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	2560	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	2560	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	3876	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	3876	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	3876	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	3876	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	3876	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
Token: SeDebugPrivilege	3876	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
2560	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
2560	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
3876	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
3876	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
3876	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
2560	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
3876	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
3876	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2560	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
2560	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
3876	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
3876	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 3884	2560	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe	82
PID 2560 wrote to memory of 3884	2560	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe	82
PID 2560 wrote to memory of 3884	2560	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe	82
PID 3884 wrote to memory of 1476	3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe	88
PID 3884 wrote to memory of 1476	3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe	88
PID 3884 wrote to memory of 1476	3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe	88
PID 3884 wrote to memory of 2636	3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe	90
PID 3884 wrote to memory of 2636	3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe	90
PID 3884 wrote to memory of 2636	3884	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe	90
PID 2636 wrote to memory of 3260	2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe	94
PID 2636 wrote to memory of 3260	2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe	94
PID 2636 wrote to memory of 3260	2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe	94
PID 2636 wrote to memory of 3876	2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe	95
PID 2636 wrote to memory of 3876	2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe	95
PID 2636 wrote to memory of 3876	2636	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe	95
PID 3876 wrote to memory of 3832	3876	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe	98
PID 3876 wrote to memory of 3832	3876	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe	98
PID 3876 wrote to memory of 3832	3876	8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe	98

C:\Users\Admin\AppData\Local\Temp\8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
"C:\Users\Admin\AppData\Local\Temp\8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2560
- F:\ÂÌÉ«¹«Òæ(Î¢¶Ë)\8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
  "F:\ÂÌÉ«¹«Òæ(Î¢¶Ë)\8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3884
- - F:\ÂÌÉ«¹«Òæ(Î¢¶Ë)\ÂÌÉ«¹«Òæ(¹ý°×).exe
    "F:\ÂÌÉ«¹«Òæ(Î¢¶Ë)\ÂÌÉ«¹«Òæ(¹ý°×).exe"
    3⤵
    - Executes dropped EXE
    PID:1476
- - F:\ÂÌÉ«¹«Òæ(Î¢¶Ë)\8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
    F:\ÂÌÉ«¹«Òæ(Î¢¶Ë)\8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - F:\ÂÌÉ«¹«Òæ(Î¢¶Ë)\ÂÌÉ«¹«Òæ(¹ý°×).exe
      "F:\ÂÌÉ«¹«Òæ(Î¢¶Ë)\ÂÌÉ«¹«Òæ(¹ý°×).exe"
      4⤵
      Executes dropped EXE
      PID:3260
  - - F:\ÂÌÉ«¹«Òæ(Î¢¶Ë)\8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
      F:\ÂÌÉ«¹«Òæ(Î¢¶Ë)\8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Writes to the Master Boot Record (MBR)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3876
    - - F:\ÂÌÉ«¹«Òæ(Î¢¶Ë)\ÂÌÉ«¹«Òæ(¹ý°×).exe
        
        "F:\ÂÌÉ«¹«Òæ(Î¢¶Ë)\ÂÌÉ«¹«Òæ(¹ý°×).exe"
        5⤵
        Executes dropped EXE
        
        PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

F:\ÂÌÉ«¹«Òæ(Î¢¶Ë)\8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe

Filesize
5.1MB

MD5
abd60ea9357ed25a18723aa9edf77171

SHA1
dab5fd418b793eacd8efa0baf005bd10f026a7b9

SHA256
8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721

SHA512
485f7243ed9701c593d6df5d14e6b135d87a26d20e83243c63fc219078f32d8f2bde9bd55ca88e85c70ce09ff29f70ed04977b1a1a02b7d4c85d861ddbe37a44

Download Submit
F:\ÂÌÉ«¹«Òæ(Î¢¶Ë)\8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe

Filesize
5.1MB

MD5
abd60ea9357ed25a18723aa9edf77171

SHA1
dab5fd418b793eacd8efa0baf005bd10f026a7b9

SHA256
8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721

SHA512
485f7243ed9701c593d6df5d14e6b135d87a26d20e83243c63fc219078f32d8f2bde9bd55ca88e85c70ce09ff29f70ed04977b1a1a02b7d4c85d861ddbe37a44

Download Submit
F:\ÂÌÉ«¹«Òæ(Î¢¶Ë)\8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe

Filesize
5.1MB

MD5
abd60ea9357ed25a18723aa9edf77171

SHA1
dab5fd418b793eacd8efa0baf005bd10f026a7b9

SHA256
8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721

SHA512
485f7243ed9701c593d6df5d14e6b135d87a26d20e83243c63fc219078f32d8f2bde9bd55ca88e85c70ce09ff29f70ed04977b1a1a02b7d4c85d861ddbe37a44

Download Submit
F:\ÂÌÉ«¹«Òæ(Î¢¶Ë)\8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721.exe

Filesize
5.1MB

MD5
abd60ea9357ed25a18723aa9edf77171

SHA1
dab5fd418b793eacd8efa0baf005bd10f026a7b9

SHA256
8b8f7c7e733b807c7c90c48be3b7e74a0cca8cac834997c931609ae31a9c7721

SHA512
485f7243ed9701c593d6df5d14e6b135d87a26d20e83243c63fc219078f32d8f2bde9bd55ca88e85c70ce09ff29f70ed04977b1a1a02b7d4c85d861ddbe37a44

Download Submit
F:\ÂÌÉ«¹«Òæ(Î¢¶Ë)\Hero.ini

Filesize
59B

MD5
1bef43b38e175d067de109961b9bce23

SHA1
0d7457037f66d3a8442db17c133c160e90dd1ce0

SHA256
7af9168959b1f2d43a8c6875f26972bfaa2c0b0ba2a671b64eb1340d8eae71de

SHA512
edfc406903af839c62dfbef0e6091695c0c6762d3c5cbda4f1c8b396921437c9f8f2b5c9918939026ef430d565986703fd8a587c8f63b7d85dbe07a7ae511750

Download Submit
F:\ÂÌÉ«¹«Òæ(Î¢¶Ë)\Hero.ini

Filesize
59B

MD5
1bef43b38e175d067de109961b9bce23

SHA1
0d7457037f66d3a8442db17c133c160e90dd1ce0

SHA256
7af9168959b1f2d43a8c6875f26972bfaa2c0b0ba2a671b64eb1340d8eae71de

SHA512
edfc406903af839c62dfbef0e6091695c0c6762d3c5cbda4f1c8b396921437c9f8f2b5c9918939026ef430d565986703fd8a587c8f63b7d85dbe07a7ae511750

Download Submit
F:\ÂÌÉ«¹«Òæ(Î¢¶Ë)\Hero.ini

Filesize
59B

MD5
bfaa3ba61c6a8e02b0d7499938cd6ad8

SHA1
ed1a513f356e9ec535d6dd828605cbbd207229cb

SHA256
33687864d97c577792e6193d0d8e0c2b7857328a3216e47dec0e3c57abfafb9f

SHA512
4c1cb2127d45262fd151abf63b583896881a61c31e5d3a7a27a0a7b174787c8a63ccefee06aa9c34ce69978c080a530d5e0b2b33020a8a8faba7c87dfc967347

Download Submit
F:\ÂÌÉ«¹«Òæ(Î¢¶Ë)\ÂÌÉ«¹«Òæ(¹ý°×).exe

Filesize
5.3MB

MD5
076579896c948e1c2d6828c985a13aac

SHA1
f61da398669160ef6dbfbe71fb0bf01c262e541a

SHA256
07d004e5eb5719b6ae236cad6dc4c850e27ff99054b4ebebd2ff0137291069fd

SHA512
737279195a8feb9aef460bd86688ea0a7bc0be3c900ceed132107ee878bf0503723a50ea85c6e2d003c903027c920bad5e82c78d1c16d925b75231f788a45d8d

Download Submit
F:\ÂÌÉ«¹«Òæ(Î¢¶Ë)\ÂÌÉ«¹«Òæ(¹ý°×).exe

Filesize
5.3MB

MD5
076579896c948e1c2d6828c985a13aac

SHA1
f61da398669160ef6dbfbe71fb0bf01c262e541a

SHA256
07d004e5eb5719b6ae236cad6dc4c850e27ff99054b4ebebd2ff0137291069fd

SHA512
737279195a8feb9aef460bd86688ea0a7bc0be3c900ceed132107ee878bf0503723a50ea85c6e2d003c903027c920bad5e82c78d1c16d925b75231f788a45d8d

Download Submit
F:\ÂÌÉ«¹«Òæ(Î¢¶Ë)\ÂÌÉ«¹«Òæ(¹ý°×).exe

Filesize
5.3MB

MD5
076579896c948e1c2d6828c985a13aac

SHA1
f61da398669160ef6dbfbe71fb0bf01c262e541a

SHA256
07d004e5eb5719b6ae236cad6dc4c850e27ff99054b4ebebd2ff0137291069fd

SHA512
737279195a8feb9aef460bd86688ea0a7bc0be3c900ceed132107ee878bf0503723a50ea85c6e2d003c903027c920bad5e82c78d1c16d925b75231f788a45d8d

Download Submit
F:\ÂÌÉ«¹«Òæ(Î¢¶Ë)\ÂÌÉ«¹«Òæ(¹ý°×).exe

Filesize
5.3MB

MD5
076579896c948e1c2d6828c985a13aac

SHA1
f61da398669160ef6dbfbe71fb0bf01c262e541a

SHA256
07d004e5eb5719b6ae236cad6dc4c850e27ff99054b4ebebd2ff0137291069fd

SHA512
737279195a8feb9aef460bd86688ea0a7bc0be3c900ceed132107ee878bf0503723a50ea85c6e2d003c903027c920bad5e82c78d1c16d925b75231f788a45d8d

Download Submit
F:\ÂÌÉ«¹«Òæ(Î¢¶Ë)\ÂÌÉ«¹«Òæ(¹ý°×).exe

Filesize
5.3MB

MD5
076579896c948e1c2d6828c985a13aac

SHA1
f61da398669160ef6dbfbe71fb0bf01c262e541a

SHA256
07d004e5eb5719b6ae236cad6dc4c850e27ff99054b4ebebd2ff0137291069fd

SHA512
737279195a8feb9aef460bd86688ea0a7bc0be3c900ceed132107ee878bf0503723a50ea85c6e2d003c903027c920bad5e82c78d1c16d925b75231f788a45d8d

Download Submit
F:\ÂÌÉ«¹«Òæ(Î¢¶Ë)\ÂÌÉ«¹«Òæ(¹ý°×).exe

Filesize
5.3MB

MD5
076579896c948e1c2d6828c985a13aac

SHA1
f61da398669160ef6dbfbe71fb0bf01c262e541a

SHA256
07d004e5eb5719b6ae236cad6dc4c850e27ff99054b4ebebd2ff0137291069fd

SHA512
737279195a8feb9aef460bd86688ea0a7bc0be3c900ceed132107ee878bf0503723a50ea85c6e2d003c903027c920bad5e82c78d1c16d925b75231f788a45d8d

Download Submit
F:\ÂÌÉ«¹«Òæ(Î¢¶Ë)\ÂÌÉ«¹«Òæ(¹ý°×).exe

Filesize
5.3MB

MD5
076579896c948e1c2d6828c985a13aac

SHA1
f61da398669160ef6dbfbe71fb0bf01c262e541a

SHA256
07d004e5eb5719b6ae236cad6dc4c850e27ff99054b4ebebd2ff0137291069fd

SHA512
737279195a8feb9aef460bd86688ea0a7bc0be3c900ceed132107ee878bf0503723a50ea85c6e2d003c903027c920bad5e82c78d1c16d925b75231f788a45d8d

Download Submit
memory/1476-74-0x0000000000400000-0x0000000001098000-memory.dmp

Filesize
12.6MB

Download
memory/1476-82-0x00000000035D0000-0x0000000003687000-memory.dmp

Filesize
732KB

Download
memory/1476-81-0x0000000000400000-0x0000000001098000-memory.dmp

Filesize
12.6MB

Download
memory/1476-78-0x00000000035D0000-0x0000000003687000-memory.dmp

Filesize
732KB

Download
memory/1476-76-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/1476-75-0x0000000000400000-0x0000000001098000-memory.dmp

Filesize
12.6MB

Download
memory/2560-6-0x0000000002F70000-0x0000000002F78000-memory.dmp

Filesize
32KB

Download
memory/2560-34-0x0000000001720000-0x000000000172B000-memory.dmp

Filesize
44KB

Download
memory/2560-7-0x0000000002F80000-0x0000000002F87000-memory.dmp

Filesize
28KB

Download
memory/2560-8-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

Filesize
4KB

Download
memory/2560-4-0x0000000001720000-0x000000000172B000-memory.dmp

Filesize
44KB

Download
memory/2560-9-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/2560-0-0x0000000000400000-0x00000000010F3000-memory.dmp

Filesize
12.9MB

Download
memory/2560-32-0x0000000000400000-0x00000000010F3000-memory.dmp

Filesize
12.9MB

Download
memory/2560-33-0x0000000001710000-0x000000000171B000-memory.dmp

Filesize
44KB

Download
memory/2560-2-0x0000000001710000-0x000000000171B000-memory.dmp

Filesize
44KB

Download
memory/2636-119-0x0000000002F20000-0x0000000002F27000-memory.dmp

Filesize
28KB

Download
memory/2636-153-0x0000000002EF0000-0x0000000002EFB000-memory.dmp

Filesize
44KB

Download
memory/2636-215-0x0000000000400000-0x00000000010F3000-memory.dmp

Filesize
12.9MB

Download
memory/2636-114-0x0000000002EF0000-0x0000000002EFB000-memory.dmp

Filesize
44KB

Download
memory/2636-116-0x0000000002F00000-0x0000000002F0B000-memory.dmp

Filesize
44KB

Download
memory/2636-118-0x0000000002F10000-0x0000000002F18000-memory.dmp

Filesize
32KB

Download
memory/2636-161-0x0000000002F20000-0x0000000002F27000-memory.dmp

Filesize
28KB

Download
memory/2636-159-0x0000000002F10000-0x0000000002F18000-memory.dmp

Filesize
32KB

Download
memory/2636-138-0x0000000000400000-0x00000000010F3000-memory.dmp

Filesize
12.9MB

Download
memory/2636-85-0x0000000000400000-0x00000000010F3000-memory.dmp

Filesize
12.9MB

Download
memory/2636-155-0x0000000002F00000-0x0000000002F0B000-memory.dmp

Filesize
44KB

Download
memory/3260-157-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/3260-152-0x0000000000400000-0x0000000001098000-memory.dmp

Filesize
12.6MB

Download
memory/3260-158-0x00000000035A0000-0x0000000003657000-memory.dmp

Filesize
732KB

Download
memory/3260-163-0x0000000000400000-0x0000000001098000-memory.dmp

Filesize
12.6MB

Download
memory/3832-238-0x0000000003610000-0x00000000036C7000-memory.dmp

Filesize
732KB

Download
memory/3832-241-0x0000000000400000-0x0000000001098000-memory.dmp

Filesize
12.6MB

Download
memory/3832-235-0x0000000001360000-0x0000000001361000-memory.dmp

Filesize
4KB

Download
memory/3832-231-0x0000000000400000-0x0000000001098000-memory.dmp

Filesize
12.6MB

Download
memory/3876-170-0x00000000014F0000-0x00000000014F8000-memory.dmp

Filesize
32KB

Download
memory/3876-233-0x00000000014F0000-0x00000000014F8000-memory.dmp

Filesize
32KB

Download
memory/3876-267-0x0000000000400000-0x00000000010F3000-memory.dmp

Filesize
12.9MB

Download
memory/3876-172-0x0000000001500000-0x0000000001507000-memory.dmp

Filesize
28KB

Download
memory/3876-237-0x0000000001500000-0x0000000001507000-memory.dmp

Filesize
28KB

Download
memory/3876-166-0x0000000000400000-0x00000000010F3000-memory.dmp

Filesize
12.9MB

Download
memory/3876-216-0x0000000000400000-0x00000000010F3000-memory.dmp

Filesize
12.9MB

Download
memory/3876-232-0x00000000014E0000-0x00000000014EB000-memory.dmp

Filesize
44KB

Download
memory/3876-230-0x00000000014D0000-0x00000000014DB000-memory.dmp

Filesize
44KB

Download
memory/3884-73-0x0000000000400000-0x00000000010F3000-memory.dmp

Filesize
12.9MB

Download
memory/3884-61-0x0000000002F30000-0x0000000002F37000-memory.dmp

Filesize
28KB

Download
memory/3884-59-0x0000000001500000-0x0000000001508000-memory.dmp

Filesize
32KB

Download
memory/3884-77-0x00000000014D0000-0x00000000014DB000-memory.dmp

Filesize
44KB

Download
memory/3884-80-0x00000000014E0000-0x00000000014EB000-memory.dmp

Filesize
44KB

Download
memory/3884-41-0x0000000002F30000-0x0000000002F37000-memory.dmp

Filesize
28KB

Download
memory/3884-40-0x0000000001500000-0x0000000001508000-memory.dmp

Filesize
32KB

Download
memory/3884-86-0x0000000000400000-0x00000000010F3000-memory.dmp

Filesize
12.9MB

Download
memory/3884-38-0x00000000014E0000-0x00000000014EB000-memory.dmp

Filesize
44KB

Download
memory/3884-36-0x00000000014D0000-0x00000000014DB000-memory.dmp

Filesize
44KB

Download
memory/3884-112-0x0000000000400000-0x00000000010F3000-memory.dmp

Filesize
12.9MB

Download