20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad

Analysis

max time kernel
146s
max time network
137s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
13/11/2023, 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Size

4.7MB
MD5

13915da610f93292cfa38afe536eb0a2
SHA1

9d396a81a91c9077cb68f1053e853131fc51a289
SHA256

20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad
SHA512

d6ee50e4f06aa8b8d8333424cf413ef7ce64f3717d7d116fe2f2835d6c3bc1676c6b2bc01c513b134196ec7f1f3980acbcb25b1137e9062fca9327f978ccaf1f
SSDEEP

98304:abonGQFI38Ox3r2Xa/t9IGi6tb2swtHNfJkOAshs9Jqt2b9aanr:a6GQG38O9DWC2nfJvbeqtsUa

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1964	szcj.exe
2004	x64.exe
1544	szcj.exe

Loads dropped DLL 3 IoCs

pid	Process
2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
1964	szcj.exe
1904	Process not Found

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2228-0-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2228-1-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2228-2-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2228-3-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2228-4-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2228-5-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2228-7-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2228-9-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2228-11-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2228-13-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2228-15-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2228-17-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2228-20-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2228-23-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2228-25-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2228-28-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2228-31-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2228-33-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2228-37-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2228-39-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2228-41-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2228-35-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2228-43-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2228-45-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2228-47-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2228-49-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2228-50-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2228-59-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2856-60-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2856-64-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2856-65-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2856-66-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2856-68-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2856-70-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2856-72-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2856-74-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2856-76-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2856-78-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2856-80-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2856-82-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2856-107-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2856-108-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2856-122-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2856-123-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2856-131-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2856-133-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2856-134-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2856-139-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2856-140-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2856-141-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2856-142-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2856-147-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2856-148-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2856-151-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2856-156-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2856-157-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2856-158-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2856-159-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2856-160-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2856-161-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2856-162-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2856-163-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2856-172-0x0000000000400000-0x0000000000E07000-memory.dmp	upx
behavioral1/memory/2856-189-0x0000000000400000-0x0000000000E07000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
1964	szcj.exe
1964	szcj.exe
1964	szcj.exe
1964	szcj.exe
1964	szcj.exe
2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
2004	x64.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe
1544	szcj.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: 1	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeCreateTokenPrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeAssignPrimaryTokenPrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeLockMemoryPrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeIncreaseQuotaPrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeMachineAccountPrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeTcbPrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeSecurityPrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeTakeOwnershipPrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeLoadDriverPrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeSystemProfilePrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeSystemtimePrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeProfSingleProcessPrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeIncBasePriorityPrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeCreatePagefilePrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeCreatePermanentPrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeBackupPrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeRestorePrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeShutdownPrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeDebugPrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeAuditPrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeSystemEnvironmentPrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeChangeNotifyPrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeRemoteShutdownPrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeUndockPrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeSyncAgentPrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeEnableDelegationPrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeManageVolumePrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeImpersonatePrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeCreateGlobalPrivilege	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: 31	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: 32	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: 33	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: 34	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: 35	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: 36	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: 37	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: 38	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: 39	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: 40	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: 41	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: 42	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: 43	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: 44	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: 45	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: 46	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: 47	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: 48	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeDebugPrivilege	2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: 1	2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeCreateTokenPrivilege	2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeAssignPrimaryTokenPrivilege	2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeLockMemoryPrivilege	2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeIncreaseQuotaPrivilege	2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeMachineAccountPrivilege	2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeTcbPrivilege	2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeSecurityPrivilege	2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeTakeOwnershipPrivilege	2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeLoadDriverPrivilege	2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeSystemProfilePrivilege	2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeSystemtimePrivilege	2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeProfSingleProcessPrivilege	2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
Token: SeIncBasePriorityPrivilege	2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
1964	szcj.exe
1964	szcj.exe
1544	szcj.exe
1544	szcj.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2856	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe	28
PID 2228 wrote to memory of 2856	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe	28
PID 2228 wrote to memory of 2856	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe	28
PID 2228 wrote to memory of 2856	2228	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe	28
PID 2856 wrote to memory of 1964	2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe	33
PID 2856 wrote to memory of 1964	2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe	33
PID 2856 wrote to memory of 1964	2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe	33
PID 2856 wrote to memory of 1964	2856	20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe	33
PID 1964 wrote to memory of 2004	1964	szcj.exe	35
PID 1964 wrote to memory of 2004	1964	szcj.exe	35
PID 1964 wrote to memory of 2004	1964	szcj.exe	35
PID 1964 wrote to memory of 2004	1964	szcj.exe	35
PID 2004 wrote to memory of 424	2004	x64.exe	3
PID 2004 wrote to memory of 424	2004	x64.exe	3
PID 2004 wrote to memory of 424	2004	x64.exe	3
PID 2004 wrote to memory of 424	2004	x64.exe	3
PID 424 wrote to memory of 1544	424	winlogon.exe	36
PID 424 wrote to memory of 1544	424	winlogon.exe	36
PID 424 wrote to memory of 1544	424	winlogon.exe	36
PID 424 wrote to memory of 1544	424	winlogon.exe	36

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:424
- C:\Users\Admin\AppData\Local\Temp\szcj.exe
  C:\Users\Admin\AppData\Local\Temp\szcj.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1544

C:\Users\Admin\AppData\Local\Temp\20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
"C:\Users\Admin\AppData\Local\Temp\20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe
  "C:\Users\Admin\AppData\Local\Temp\20e8e5674d2beef05f0cfdf0b50b0c6355a00c16fd1618e534daa85f1df9c9ad.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\szcj.exe
    "C:\Users\Admin\AppData\Local\Temp\szcj.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\x64.exe
      C:\Users\Admin\AppData\Local\Temp\x64.exe "C:\Users\Admin\AppData\Local\Temp\szcj.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szcj.exe

Filesize
3.1MB

MD5
ab0b36e41a99f654069181d5bd17732f

SHA1
e18cfb9085f471ffa03fe411773fc234c6522c23

SHA256
07f3e7f9daf1f4e1abe05393ed66caa866cc5e9464fb98f4c8ef7351b9433418

SHA512
2d481ff40dcc29474fea36f7718b3c8ce38807ac2c26fff608502cba8abbaf5940d6b60551b5fe90ee0407123a632b7d57208769188bdd13aa403b6449e58f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\szcj.exe

Filesize
3.1MB

MD5
ab0b36e41a99f654069181d5bd17732f

SHA1
e18cfb9085f471ffa03fe411773fc234c6522c23

SHA256
07f3e7f9daf1f4e1abe05393ed66caa866cc5e9464fb98f4c8ef7351b9433418

SHA512
2d481ff40dcc29474fea36f7718b3c8ce38807ac2c26fff608502cba8abbaf5940d6b60551b5fe90ee0407123a632b7d57208769188bdd13aa403b6449e58f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\szcj.exe

Filesize
3.1MB

MD5
ab0b36e41a99f654069181d5bd17732f

SHA1
e18cfb9085f471ffa03fe411773fc234c6522c23

SHA256
07f3e7f9daf1f4e1abe05393ed66caa866cc5e9464fb98f4c8ef7351b9433418

SHA512
2d481ff40dcc29474fea36f7718b3c8ce38807ac2c26fff608502cba8abbaf5940d6b60551b5fe90ee0407123a632b7d57208769188bdd13aa403b6449e58f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64.exe

Filesize
16KB

MD5
2c938bf20d360971bae15b57e27d86d8

SHA1
772398deb3d1b2df3e435cc09096a076fefbc75a

SHA256
12aff77ff794ebc5c0d4de2db60c5196ff9c833be7ae28cb71d10713eaf0ae57

SHA512
d74550d4915900c3438cb7d5fe161237647638350f961fca23d812eededbb5fc2bb91543bd680c2af8c074ff64fc8015eed49c5774eb520cfcdca5a5303ea629

Download Submit
\Users\Admin\AppData\Local\Temp\szcj.exe

Filesize
3.1MB

MD5
ab0b36e41a99f654069181d5bd17732f

SHA1
e18cfb9085f471ffa03fe411773fc234c6522c23

SHA256
07f3e7f9daf1f4e1abe05393ed66caa866cc5e9464fb98f4c8ef7351b9433418

SHA512
2d481ff40dcc29474fea36f7718b3c8ce38807ac2c26fff608502cba8abbaf5940d6b60551b5fe90ee0407123a632b7d57208769188bdd13aa403b6449e58f3c

Download Submit
\Users\Admin\AppData\Local\Temp\x64.exe

Filesize
16KB

MD5
2c938bf20d360971bae15b57e27d86d8

SHA1
772398deb3d1b2df3e435cc09096a076fefbc75a

SHA256
12aff77ff794ebc5c0d4de2db60c5196ff9c833be7ae28cb71d10713eaf0ae57

SHA512
d74550d4915900c3438cb7d5fe161237647638350f961fca23d812eededbb5fc2bb91543bd680c2af8c074ff64fc8015eed49c5774eb520cfcdca5a5303ea629

Download Submit
\Users\Admin\AppData\Local\Temp\x64.exe

Filesize
16KB

MD5
2c938bf20d360971bae15b57e27d86d8

SHA1
772398deb3d1b2df3e435cc09096a076fefbc75a

SHA256
12aff77ff794ebc5c0d4de2db60c5196ff9c833be7ae28cb71d10713eaf0ae57

SHA512
d74550d4915900c3438cb7d5fe161237647638350f961fca23d812eededbb5fc2bb91543bd680c2af8c074ff64fc8015eed49c5774eb520cfcdca5a5303ea629

Download Submit
memory/424-203-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1544-204-0x0000000000400000-0x0000000000AE2000-memory.dmp

Filesize
6.9MB

Download
memory/1544-209-0x0000000000400000-0x0000000000AE2000-memory.dmp

Filesize
6.9MB

Download
memory/1544-210-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/1964-190-0x0000000000400000-0x0000000000AE2000-memory.dmp

Filesize
6.9MB

Download
memory/1964-186-0x0000000000400000-0x0000000000AE2000-memory.dmp

Filesize
6.9MB

Download
memory/2228-37-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2228-47-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2228-17-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2228-20-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2228-23-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2228-25-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2228-28-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2228-31-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2228-33-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2228-13-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2228-39-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2228-41-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2228-35-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2228-43-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2228-45-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2228-15-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2228-49-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2228-50-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2228-54-0x0000000003E10000-0x0000000003E4C000-memory.dmp

Filesize
240KB

Download
memory/2228-58-0x0000000004470000-0x0000000004571000-memory.dmp

Filesize
1.0MB

Download
memory/2228-59-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2228-61-0x0000000004940000-0x0000000005347000-memory.dmp

Filesize
10.0MB

Download
memory/2228-62-0x0000000003E10000-0x0000000003E4C000-memory.dmp

Filesize
240KB

Download
memory/2228-11-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2228-9-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2228-7-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2228-5-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2228-4-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2228-3-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2228-2-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2228-1-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2228-0-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-115-0x00000000030C0000-0x00000000030FC000-memory.dmp

Filesize
240KB

Download
memory/2856-148-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-82-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2856-107-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-108-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2856-78-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2856-116-0x0000000004570000-0x0000000004671000-memory.dmp

Filesize
1.0MB

Download
memory/2856-117-0x0000000004680000-0x000000000487F000-memory.dmp

Filesize
2.0MB

Download
memory/2856-122-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-123-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-125-0x00000000778EE000-0x00000000778EF000-memory.dmp

Filesize
4KB

Download
memory/2856-126-0x00000000778ED000-0x00000000778EE000-memory.dmp

Filesize
4KB

Download
memory/2856-128-0x0000000005560000-0x000000000558B000-memory.dmp

Filesize
172KB

Download
memory/2856-129-0x0000000077901000-0x0000000077902000-memory.dmp

Filesize
4KB

Download
memory/2856-131-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-133-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-134-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-136-0x0000000076980000-0x0000000076A90000-memory.dmp

Filesize
1.1MB

Download
memory/2856-137-0x0000000076980000-0x0000000076A90000-memory.dmp

Filesize
1.1MB

Download
memory/2856-139-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-140-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-141-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-142-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-143-0x0000000076980000-0x0000000076A90000-memory.dmp

Filesize
1.1MB

Download
memory/2856-144-0x00000000778F3000-0x00000000778F4000-memory.dmp

Filesize
4KB

Download
memory/2856-145-0x000000007790C000-0x000000007790D000-memory.dmp

Filesize
4KB

Download
memory/2856-147-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-80-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2856-151-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-156-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-157-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-158-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-159-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-160-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-161-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-162-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-163-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-76-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2856-172-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-177-0x00000000072D0000-0x00000000079B2000-memory.dmp

Filesize
6.9MB

Download
memory/2856-189-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-74-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2856-72-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2856-191-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-193-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-195-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-70-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2856-68-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2856-66-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-65-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2856-206-0x0000000005560000-0x000000000558B000-memory.dmp

Filesize
172KB

Download
memory/2856-207-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-208-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-64-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2856-60-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/2856-211-0x0000000076980000-0x0000000076A90000-memory.dmp

Filesize
1.1MB

Download