a18457469d087017a65d5faac4a1e529d20d409305ba832acec2bfc04b13e076

Analysis

max time kernel
3s
max time network
143s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0544b576c9eb86795101fdb3214b4597.exe
Size

16KB
MD5

0544b576c9eb86795101fdb3214b4597
SHA1

d7c5d62fb5faaed5afbf2b4ef400204ecee2e641
SHA256

a18457469d087017a65d5faac4a1e529d20d409305ba832acec2bfc04b13e076
SHA512

55a1294b9566014e4e45eeadcc99c0356f274ac305e9ab985ebfcc14c352c2d52bda862618033b1da5e1ce9c97702d9bcc8c5747e82c7bd8a8961bad8f1d64e3
SSDEEP

384:IK766GhJ2MhwwY0ruPJlvVxJ859xJDIdsYhcOYb3:+/zhwwY06PJxW5pDIADr

Score

7^/10

adware stealer

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
4016	pldhadwd.exe
2664	pldhadwd.exe
2868	pldhadwd.exe
2608	pldhadwd.exe
1928	pldhadwd.exe
1336	pldhadwd.exe
2184	pldhadwd.exe
2552	pldhadwd.exe

Loads dropped DLL 16 IoCs

pid	Process
1948	0544b576c9eb86795101fdb3214b4597.exe
1948	0544b576c9eb86795101fdb3214b4597.exe
4016	pldhadwd.exe
4016	pldhadwd.exe
2664	pldhadwd.exe
2664	pldhadwd.exe
2868	pldhadwd.exe
2868	pldhadwd.exe
2608	pldhadwd.exe
2608	pldhadwd.exe
1928	pldhadwd.exe
1928	pldhadwd.exe
1336	pldhadwd.exe
1336	pldhadwd.exe
2184	pldhadwd.exe
2184	pldhadwd.exe

Installs/modifies Browser Helper Object 2 TTPs 18 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6C648541-1025-9650-9057-6541258720C6}\ = "mndhfdwd.dll"	0544b576c9eb86795101fdb3214b4597.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6C648541-1025-9650-9057-6541258720C6}\ = "mndhfdwd.dll"	pldhadwd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6C648541-1025-9650-9057-6541258720C6}\ = "mndhfdwd.dll"	pldhadwd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6C648541-1025-9650-9057-6541258720C6}\ = "mndhfdwd.dll"	pldhadwd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C648541-1025-9650-9057-6541258720C6}	pldhadwd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C648541-1025-9650-9057-6541258720C6}	pldhadwd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6C648541-1025-9650-9057-6541258720C6}\ = "mndhfdwd.dll"	pldhadwd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C648541-1025-9650-9057-6541258720C6}	0544b576c9eb86795101fdb3214b4597.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C648541-1025-9650-9057-6541258720C6}	pldhadwd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C648541-1025-9650-9057-6541258720C6}	pldhadwd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C648541-1025-9650-9057-6541258720C6}	pldhadwd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C648541-1025-9650-9057-6541258720C6}	pldhadwd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6C648541-1025-9650-9057-6541258720C6}\ = "mndhfdwd.dll"	pldhadwd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6C648541-1025-9650-9057-6541258720C6}\ = "mndhfdwd.dll"	pldhadwd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C648541-1025-9650-9057-6541258720C6}	pldhadwd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6C648541-1025-9650-9057-6541258720C6}\ = "mndhfdwd.dll"	pldhadwd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C648541-1025-9650-9057-6541258720C6}	pldhadwd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6C648541-1025-9650-9057-6541258720C6}\ = "mndhfdwd.dll"	pldhadwd.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\mndhfdwd.dll	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\mndhfdwd.dll	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\gsdhadwd.sys	0544b576c9eb86795101fdb3214b4597.exe
File opened for modification	C:\Windows\SysWOW64\pldhadwd.exe	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\mndhfdwd.dll	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\pldhadwd.exe	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\gsdhadwd.sys	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\pldhadwd.exe	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\mndhfdwd.dll	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\mndhfdwd.dll	0544b576c9eb86795101fdb3214b4597.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\mndhfdwd.dll	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\mndhfdwd.dll	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\gsdhadwd.sys	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	pldhadwd.exe
File created	C:\Windows\SysWOW64\pldhadwd.exe	0544b576c9eb86795101fdb3214b4597.exe
File created	C:\Windows\SysWOW64\mndhfdwd.dll	0544b576c9eb86795101fdb3214b4597.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\gsdhadwd.sys	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	0544b576c9eb86795101fdb3214b4597.exe
File opened for modification	C:\Windows\SysWOW64\pldhadwd.exe	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\gsdhadwd.sys	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\pldhadwd.exe	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\mndhfdwd.dll	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\pldhadwd.exe	0544b576c9eb86795101fdb3214b4597.exe
File opened for modification	C:\Windows\SysWOW64\mndhfdwd.dll	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\gsdhadwd.sys	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\pldhadwd.exe	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\pldhadwd.exe	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\gsdhadwd.sys	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\pldhadwd.exe	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\gsdhadwd.sys	pldhadwd.exe
File opened for modification	C:\Windows\SysWOW64\gsdhadwd.sys	pldhadwd.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32\ = "C:\\Windows\\SysWow64\\mndhfdwd.dll"	0544b576c9eb86795101fdb3214b4597.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32\ThreadingModel = "Apartment"	0544b576c9eb86795101fdb3214b4597.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32\ = "C:\\Windows\\SysWow64\\mndhfdwd.dll"	pldhadwd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32\ = "C:\\Windows\\SysWow64\\mndhfdwd.dll"	pldhadwd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32	pldhadwd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32\ThreadingModel = "Apartment"	pldhadwd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32\ThreadingModel = "Apartment"	pldhadwd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32\ = "C:\\Windows\\SysWow64\\mndhfdwd.dll"	pldhadwd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32\ThreadingModel = "Apartment"	pldhadwd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}	0544b576c9eb86795101fdb3214b4597.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32\ThreadingModel = "Apartment"	pldhadwd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0544b576c9eb86795101fdb3214b4597.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32\ = "C:\\Windows\\SysWow64\\mndhfdwd.dll"	pldhadwd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32\ThreadingModel = "Apartment"	pldhadwd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32	pldhadwd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32\ = "C:\\Windows\\SysWow64\\mndhfdwd.dll"	pldhadwd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32	pldhadwd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32\ = "C:\\Windows\\SysWow64\\mndhfdwd.dll"	pldhadwd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32	pldhadwd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32\ThreadingModel = "Apartment"	pldhadwd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32	0544b576c9eb86795101fdb3214b4597.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0544b576c9eb86795101fdb3214b4597.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32	pldhadwd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32\ThreadingModel = "Apartment"	pldhadwd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32\ = "C:\\Windows\\SysWow64\\mndhfdwd.dll"	pldhadwd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32	pldhadwd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32\ThreadingModel = "Apartment"	pldhadwd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32	pldhadwd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32	pldhadwd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C648541-1025-9650-9057-6541258720C6}\InprocServer32\ = "C:\\Windows\\SysWow64\\mndhfdwd.dll"	pldhadwd.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1948	0544b576c9eb86795101fdb3214b4597.exe
1948	0544b576c9eb86795101fdb3214b4597.exe
1948	0544b576c9eb86795101fdb3214b4597.exe
4016	pldhadwd.exe
2664	pldhadwd.exe
2868	pldhadwd.exe
2608	pldhadwd.exe
1928	pldhadwd.exe
1336	pldhadwd.exe
2184	pldhadwd.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	0544b576c9eb86795101fdb3214b4597.exe
Token: SeDebugPrivilege	4016	pldhadwd.exe
Token: SeDebugPrivilege	2664	pldhadwd.exe
Token: SeDebugPrivilege	2868	pldhadwd.exe
Token: SeDebugPrivilege	2608	pldhadwd.exe
Token: SeDebugPrivilege	1928	pldhadwd.exe
Token: SeDebugPrivilege	1336	pldhadwd.exe
Token: SeDebugPrivilege	2184	pldhadwd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 3064	1948	0544b576c9eb86795101fdb3214b4597.exe	29
PID 1948 wrote to memory of 3064	1948	0544b576c9eb86795101fdb3214b4597.exe	29
PID 1948 wrote to memory of 3064	1948	0544b576c9eb86795101fdb3214b4597.exe	29
PID 1948 wrote to memory of 3064	1948	0544b576c9eb86795101fdb3214b4597.exe	29
PID 1948 wrote to memory of 4016	1948	0544b576c9eb86795101fdb3214b4597.exe	115
PID 1948 wrote to memory of 4016	1948	0544b576c9eb86795101fdb3214b4597.exe	115
PID 1948 wrote to memory of 4016	1948	0544b576c9eb86795101fdb3214b4597.exe	115
PID 1948 wrote to memory of 4016	1948	0544b576c9eb86795101fdb3214b4597.exe	115
PID 4016 wrote to memory of 4092	4016	pldhadwd.exe	114
PID 4016 wrote to memory of 4092	4016	pldhadwd.exe	114
PID 4016 wrote to memory of 4092	4016	pldhadwd.exe	114
PID 4016 wrote to memory of 4092	4016	pldhadwd.exe	114
PID 4016 wrote to memory of 2664	4016	pldhadwd.exe	112
PID 4016 wrote to memory of 2664	4016	pldhadwd.exe	112
PID 4016 wrote to memory of 2664	4016	pldhadwd.exe	112
PID 4016 wrote to memory of 2664	4016	pldhadwd.exe	112
PID 2664 wrote to memory of 2928	2664	pldhadwd.exe	111
PID 2664 wrote to memory of 2928	2664	pldhadwd.exe	111
PID 2664 wrote to memory of 2928	2664	pldhadwd.exe	111
PID 2664 wrote to memory of 2928	2664	pldhadwd.exe	111
PID 2664 wrote to memory of 2868	2664	pldhadwd.exe	109
PID 2664 wrote to memory of 2868	2664	pldhadwd.exe	109
PID 2664 wrote to memory of 2868	2664	pldhadwd.exe	109
PID 2664 wrote to memory of 2868	2664	pldhadwd.exe	109
PID 2868 wrote to memory of 2692	2868	pldhadwd.exe	108
PID 2868 wrote to memory of 2692	2868	pldhadwd.exe	108
PID 2868 wrote to memory of 2692	2868	pldhadwd.exe	108
PID 2868 wrote to memory of 2692	2868	pldhadwd.exe	108
PID 2868 wrote to memory of 2608	2868	pldhadwd.exe	106
PID 2868 wrote to memory of 2608	2868	pldhadwd.exe	106
PID 2868 wrote to memory of 2608	2868	pldhadwd.exe	106
PID 2868 wrote to memory of 2608	2868	pldhadwd.exe	106
PID 2608 wrote to memory of 2912	2608	pldhadwd.exe	105
PID 2608 wrote to memory of 2912	2608	pldhadwd.exe	105
PID 2608 wrote to memory of 2912	2608	pldhadwd.exe	105
PID 2608 wrote to memory of 2912	2608	pldhadwd.exe	105
PID 2608 wrote to memory of 1928	2608	pldhadwd.exe	103
PID 2608 wrote to memory of 1928	2608	pldhadwd.exe	103
PID 2608 wrote to memory of 1928	2608	pldhadwd.exe	103
PID 2608 wrote to memory of 1928	2608	pldhadwd.exe	103
PID 1928 wrote to memory of 580	1928	pldhadwd.exe	102
PID 1928 wrote to memory of 580	1928	pldhadwd.exe	102
PID 1928 wrote to memory of 580	1928	pldhadwd.exe	102
PID 1928 wrote to memory of 580	1928	pldhadwd.exe	102
PID 1928 wrote to memory of 1336	1928	pldhadwd.exe	100
PID 1928 wrote to memory of 1336	1928	pldhadwd.exe	100
PID 1928 wrote to memory of 1336	1928	pldhadwd.exe	100
PID 1928 wrote to memory of 1336	1928	pldhadwd.exe	100
PID 1336 wrote to memory of 1940	1336	pldhadwd.exe	99
PID 1336 wrote to memory of 1940	1336	pldhadwd.exe	99
PID 1336 wrote to memory of 1940	1336	pldhadwd.exe	99
PID 1336 wrote to memory of 1940	1336	pldhadwd.exe	99
PID 1336 wrote to memory of 2184	1336	pldhadwd.exe	97
PID 1336 wrote to memory of 2184	1336	pldhadwd.exe	97
PID 1336 wrote to memory of 2184	1336	pldhadwd.exe	97
PID 1336 wrote to memory of 2184	1336	pldhadwd.exe	97
PID 2184 wrote to memory of 2632	2184	pldhadwd.exe	96
PID 2184 wrote to memory of 2632	2184	pldhadwd.exe	96
PID 2184 wrote to memory of 2632	2184	pldhadwd.exe	96
PID 2184 wrote to memory of 2632	2184	pldhadwd.exe	96
PID 2184 wrote to memory of 2552	2184	pldhadwd.exe	94
PID 2184 wrote to memory of 2552	2184	pldhadwd.exe	94
PID 2184 wrote to memory of 2552	2184	pldhadwd.exe	94
PID 2184 wrote to memory of 2552	2184	pldhadwd.exe	94

C:\Users\Admin\AppData\Local\Temp\0544b576c9eb86795101fdb3214b4597.exe
"C:\Users\Admin\AppData\Local\Temp\0544b576c9eb86795101fdb3214b4597.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259433079.bat
  2⤵
  PID:3064
- C:\Windows\SysWOW64\pldhadwd.exe
  C:\Windows\system32\pldhadwd.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259464404.bat
    3⤵
    PID:6888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259482921.bat
  2⤵
  PID:5884

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259434124.bat
1⤵
PID:2400

C:\Windows\SysWOW64\pldhadwd.exe
C:\Windows\system32\pldhadwd.exe
1⤵
PID:2460
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259436121.bat
  2⤵
  PID:652
- C:\Windows\SysWOW64\pldhadwd.exe
  C:\Windows\system32\pldhadwd.exe
  2⤵
  PID:3020
- - C:\Windows\SysWOW64\pldhadwd.exe
    C:\Windows\system32\pldhadwd.exe
    3⤵
    PID:2132
  - - C:\Windows\SysWOW64\pldhadwd.exe
      C:\Windows\system32\pldhadwd.exe
      4⤵
      PID:2368
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259473717.bat
        5⤵
        
        PID:2248
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259441393.bat
      4⤵
      PID:1512
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259472812.bat
      4⤵
      PID:6924
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259440504.bat
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259471860.bat
    3⤵
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259470332.bat
  2⤵
  PID:6620

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259445449.bat
1⤵
PID:1440

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259445824.bat
1⤵
PID:1540

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259447493.bat
1⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259448179.bat
1⤵
PID:1084

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259448928.bat
1⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259449287.bat
1⤵
PID:3104

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259449490.bat
1⤵
PID:3188

C:\Windows\SysWOW64\pldhadwd.exe
C:\Windows\system32\pldhadwd.exe
1⤵
PID:3216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259449771.bat
  2⤵
  PID:3264
- C:\Windows\SysWOW64\pldhadwd.exe
  C:\Windows\system32\pldhadwd.exe
  2⤵
  PID:3292
- - C:\Windows\SysWOW64\pldhadwd.exe
    C:\Windows\system32\pldhadwd.exe
    3⤵
    PID:3352
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259450301.bat
      4⤵
      PID:3440
  - - C:\Windows\SysWOW64\pldhadwd.exe
      C:\Windows\system32\pldhadwd.exe
      4⤵
      PID:3456
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259450551.bat
        5⤵
        
        PID:3516
    - - C:\Windows\SysWOW64\pldhadwd.exe
        
        C:\Windows\system32\pldhadwd.exe
        5⤵
        
        PID:3532
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259481486.bat
        6⤵
        
        PID:4292
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259481392.bat
        5⤵
        
        PID:6728
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259480940.bat
      4⤵
      PID:7048
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259450036.bat
    3⤵
    PID:3356
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259480893.bat
    3⤵
    PID:6756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259480597.bat
  2⤵
  PID:6680

C:\Windows\SysWOW64\pldhadwd.exe
C:\Windows\system32\pldhadwd.exe
1⤵
PID:3612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259451471.bat
  2⤵
  PID:3672
- C:\Windows\SysWOW64\pldhadwd.exe
  C:\Windows\system32\pldhadwd.exe
  2⤵
  PID:6228
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259462064.bat
    3⤵
    PID:6316
- - C:\Windows\SysWOW64\pldhadwd.exe
    C:\Windows\system32\pldhadwd.exe
    3⤵
    PID:6984
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259485230.bat
      4⤵
      PID:3240
  - - C:\Windows\SysWOW64\pldhadwd.exe
      C:\Windows\system32\pldhadwd.exe
      4⤵
      PID:6068
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259495245.bat
        5⤵
        
        PID:2976
    - - C:\Windows\SysWOW64\pldhadwd.exe
        
        C:\Windows\system32\pldhadwd.exe
        5⤵
        
        PID:3648
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259506415.bat
        6⤵
        
        PID:4356
      - C:\Windows\SysWOW64\pldhadwd.exe
        
        C:\Windows\system32\pldhadwd.exe
        6⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259512686.bat
        7⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\pldhadwd.exe
        
        C:\Windows\system32\pldhadwd.exe
        7⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259514090.bat
        8⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\pldhadwd.exe
        
        C:\Windows\system32\pldhadwd.exe
        8⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259540906.bat
        9⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\pldhadwd.exe
        
        C:\Windows\system32\pldhadwd.exe
        9⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259558004.bat
        10⤵
        
        PID:296
        
        C:\Windows\SysWOW64\pldhadwd.exe
        
        C:\Windows\system32\pldhadwd.exe
        10⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259559439.bat
        11⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\pldhadwd.exe
        
        C:\Windows\system32\pldhadwd.exe
        11⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259561218.bat
        12⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\pldhadwd.exe
        
        C:\Windows\system32\pldhadwd.exe
        12⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259565835.bat
        13⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\pldhadwd.exe
        
        C:\Windows\system32\pldhadwd.exe
        13⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259566600.bat
        14⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\pldhadwd.exe
        
        C:\Windows\system32\pldhadwd.exe
        14⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259569299.bat
        15⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\pldhadwd.exe
        
        C:\Windows\system32\pldhadwd.exe
        15⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259570640.bat
        16⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\pldhadwd.exe
        
        C:\Windows\system32\pldhadwd.exe
        16⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259573963.bat
        17⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\pldhadwd.exe
        
        C:\Windows\system32\pldhadwd.exe
        17⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259575071.bat
        18⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\pldhadwd.exe
        
        C:\Windows\system32\pldhadwd.exe
        18⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259576974.bat
        19⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\pldhadwd.exe
        
        C:\Windows\system32\pldhadwd.exe
        19⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259577816.bat
        20⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\pldhadwd.exe
        
        C:\Windows\system32\pldhadwd.exe
        20⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259579532.bat
        21⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\pldhadwd.exe
        
        C:\Windows\system32\pldhadwd.exe
        21⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259580796.bat
        22⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\pldhadwd.exe
        
        C:\Windows\system32\pldhadwd.exe
        22⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259581326.bat
        23⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259571030.bat
        8⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259549393.bat
        7⤵
        
        PID:4428
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259548067.bat
        6⤵
        
        PID:5944
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259539783.bat
        5⤵
        
        PID:6612
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259529019.bat
      4⤵
      PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259515650.bat
    3⤵
    PID:6504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259484684.bat
  2⤵
  PID:308

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259450769.bat
1⤵
PID:3596

C:\Windows\SysWOW64\pldhadwd.exe
C:\Windows\system32\pldhadwd.exe
1⤵
PID:3132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259480581.bat
  2⤵
  PID:6960

C:\Windows\SysWOW64\pldhadwd.exe
C:\Windows\system32\pldhadwd.exe
1⤵
PID:2356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259480019.bat
  2⤵
  PID:1180

C:\Windows\SysWOW64\pldhadwd.exe
C:\Windows\system32\pldhadwd.exe
1⤵
PID:1868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259479754.bat
  2⤵
  PID:900

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259448819.bat
1⤵
PID:2432

C:\Windows\SysWOW64\pldhadwd.exe
C:\Windows\system32\pldhadwd.exe
1⤵
PID:2052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259479380.bat
  2⤵
  PID:3848

C:\Windows\SysWOW64\pldhadwd.exe
C:\Windows\system32\pldhadwd.exe
1⤵
PID:2972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259479224.bat
  2⤵
  PID:3780

C:\Windows\SysWOW64\pldhadwd.exe
C:\Windows\system32\pldhadwd.exe
1⤵
PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259479036.bat
  2⤵
  PID:3080

C:\Windows\SysWOW64\pldhadwd.exe
C:\Windows\system32\pldhadwd.exe
1⤵
PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259476400.bat
  2⤵
  PID:7072

C:\Windows\SysWOW64\pldhadwd.exe
C:\Windows\system32\pldhadwd.exe
1⤵
PID:1052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259476400.bat
  2⤵
  PID:6520

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259443702.bat
1⤵
PID:2352

C:\Windows\SysWOW64\pldhadwd.exe
C:\Windows\system32\pldhadwd.exe
1⤵
PID:2152
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259475948.bat
  2⤵
  PID:2280

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259443312.bat
1⤵
PID:2644

C:\Windows\SysWOW64\pldhadwd.exe
C:\Windows\system32\pldhadwd.exe
1⤵
PID:6076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259475214.bat
  2⤵
  PID:6840

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259442704.bat
1⤵
PID:1648

C:\Windows\SysWOW64\pldhadwd.exe
C:\Windows\system32\pldhadwd.exe
1⤵
- Executes dropped EXE
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
PID:2552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259466759.bat
  2⤵
  PID:2948

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259433983.bat
1⤵
PID:2632

C:\Windows\SysWOW64\pldhadwd.exe
C:\Windows\system32\pldhadwd.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259464872.bat
  2⤵
  PID:1524

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259433890.bat
1⤵
PID:1940

C:\Windows\SysWOW64\pldhadwd.exe
C:\Windows\system32\pldhadwd.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259464638.bat
  2⤵
  PID:976

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259433843.bat
1⤵
PID:580

C:\Windows\SysWOW64\pldhadwd.exe
C:\Windows\system32\pldhadwd.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259464731.bat
  2⤵
  PID:5964

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259433734.bat
1⤵
PID:2912

C:\Windows\SysWOW64\pldhadwd.exe
C:\Windows\system32\pldhadwd.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259464294.bat
  2⤵
  PID:5928

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259433687.bat
1⤵
PID:2692

C:\Windows\SysWOW64\pldhadwd.exe
C:\Windows\system32\pldhadwd.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259464248.bat
  2⤵
  PID:4396

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259433609.bat
1⤵
PID:2928

C:\Windows\SysWOW64\pldhadwd.exe
C:\Windows\system32\pldhadwd.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259464310.bat
  2⤵
  PID:5992

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259433562.bat
1⤵
PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DFD259442704.bat

Filesize
121B

MD5
09517fc62284f33e877a276463580bd1

SHA1
0b14fe1db4493818f9de0bf2a56ee5370b8d479a

SHA256
6cc6bbb1f3f754b6894d84130f5f2d86569ac3a603e1632d3cefa028f22b6238

SHA512
1b924dd216d0f38199cc6df215e65ff260aa48fa37aa620dabcbc616f434643bd1f2e617d66b14bd52900214148741565128ba9589782ba582fd7308369f4a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259466759.bat

Filesize
121B

MD5
c43461dbb2f42af0dee63f44107fff1c

SHA1
f631382a6c7567f3b4b7b2a3f27aa79d0596d054

SHA256
6b30a06fc58e233e74e88e3f144f63a2ab13cd987f97102a86cc11908479e1b6

SHA512
cc75c92f84f7a7ca2c02c1b5e8e506cdd19d1180f58986e43e557295880d093100395c945edba2a76cf1b3f1fc51f51a8b2b9aad9df451ef6842bf19e4908bac

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259476400.bat

Filesize
242B

MD5
3adc5d45cdea208abce7ce9e827f7f23

SHA1
ff8b5e71f67c3b6784d81df74375d81a440977f3

SHA256
397285c3a6813ff2ad1597e8c2081e814136bd102f87716a6e934b93682693d2

SHA512
75f6af9c38e154fed40deda3c3e1565e05d57dd233776ba36477adb0a8dda9a4ae2591e3375e6f999ca5483394220f7dbc82c046fa1def4dc89b1b1049a22fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259482921.bat

Filesize
197B

MD5
fe8cf79f7379bb69f29ff4477c248ea3

SHA1
0fe2ca1087dcd53fdcecc874fa494dd4f056310a

SHA256
d647092293f0e68c3dc21382f2e4338fcb6fd1528e882f5bbe67cedae931a59b

SHA512
a573c3fc6efaf3f59215cdf2728bcfc741e68e29c77ded483537664f65891934e48fbf6b4cbe2aec1b9c25ee57ed0b4b0e3b95310a31cca79270b227b38e693c

Download Submit
C:\Windows\SysWOW64\gsdhadwd.sys

Filesize
520B

MD5
5ef99e061b8608f44171d7d594186db7

SHA1
cd241c2028aedd73f1d4c586f8480447dc55b7ba

SHA256
bca2dfa824e9a552ef86edf132b1b4590c149de08caef9e5e250b167928d7036

SHA512
49a4021951e001590b2e84f40eb9907f98aa00333bcb31ffcfbb73763cba23b2b917413e557301356276f9455ce35947215ef5ead54451875e707af9dd468bf6

Download Submit
C:\Windows\SysWOW64\mndhfdwd.dll

Filesize
524KB

MD5
27c3512ea1b9744204f50c55c2482cb9

SHA1
1f052f699c3a51ff36035efa8d2fad6b7400a99a

SHA256
80e74d3cb8bf3fa3f4a1cdebf6fd55b0934ed164e8a4dbfe9d7d2e07bd36dc58

SHA512
21ef64df661d62fe1a259eccfc5135b9a9ff5242b4598b1eaf3080e86887a1229715da311afa5a6b26b0f24d95153b59ef5538d5c9504a3a71623f85493ac0d5

Download Submit
C:\Windows\SysWOW64\mndhfdwd.dll

Filesize
524KB

MD5
66062aadff280f40108f451fe0825111

SHA1
302beae7175e40205878c107b8960652b175f185

SHA256
59de5f5862ad4bc7209dce7e246fca40447ec6d7bfffb41b0e8864900311bb14

SHA512
4b6588d8cca27fa3f9794bf6ffc1d6b7f02d7e43000534110b71cf295e7c7bbd93937e85a9abb539580b230a1615dea8e89a5d760a6334bd3fdcc0b60ac3d695

Download Submit
C:\Windows\SysWOW64\pldhadwd.exe

Filesize
16KB

MD5
0544b576c9eb86795101fdb3214b4597

SHA1
d7c5d62fb5faaed5afbf2b4ef400204ecee2e641

SHA256
a18457469d087017a65d5faac4a1e529d20d409305ba832acec2bfc04b13e076

SHA512
55a1294b9566014e4e45eeadcc99c0356f274ac305e9ab985ebfcc14c352c2d52bda862618033b1da5e1ce9c97702d9bcc8c5747e82c7bd8a8961bad8f1d64e3

Download Submit
memory/1052-2281-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/1052-2231-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/1736-2249-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/1736-2290-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/1736-2233-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1928-2202-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/1928-1096-0x0000000000220000-0x000000000023A000-memory.dmp

Filesize
104KB

Download
memory/1948-1095-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1948-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1948-1108-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download
memory/1948-1026-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download
memory/1948-1033-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download
memory/1968-2250-0x0000000000360000-0x000000000037A000-memory.dmp

Filesize
104KB

Download
memory/1968-2298-0x0000000000360000-0x000000000037A000-memory.dmp

Filesize
104KB

Download
memory/2052-2311-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/2052-2309-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/2132-2241-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/2132-2186-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/2132-2185-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/2132-2232-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/2152-2204-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2184-2212-0x00000000001B0000-0x00000000001CA000-memory.dmp

Filesize
104KB

Download
memory/2184-1139-0x00000000001B0000-0x00000000001CA000-memory.dmp

Filesize
104KB

Download
memory/2184-1126-0x00000000001B0000-0x00000000001CA000-memory.dmp

Filesize
104KB

Download
memory/2356-2321-0x00000000001F0000-0x000000000020A000-memory.dmp

Filesize
104KB

Download
memory/2356-2280-0x00000000001F0000-0x000000000020A000-memory.dmp

Filesize
104KB

Download
memory/2356-2282-0x00000000001F0000-0x000000000020A000-memory.dmp

Filesize
104KB

Download
memory/2356-2322-0x00000000001F0000-0x000000000020A000-memory.dmp

Filesize
104KB

Download
memory/2552-1130-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/2552-2214-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/2608-2200-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/2608-1083-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/2664-1060-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/2664-1156-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/2868-2187-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/2868-1071-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/2868-1072-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/2972-2265-0x00000000002E0000-0x00000000002FA000-memory.dmp

Filesize
104KB

Download
memory/2972-2300-0x00000000002E0000-0x00000000002FA000-memory.dmp

Filesize
104KB

Download
memory/3020-2230-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/3020-1807-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/3216-2308-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3216-2307-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3216-2339-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3292-2341-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3292-3357-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3292-2312-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3292-2310-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3352-3360-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/3352-2320-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/3456-3805-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download
memory/3456-2330-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download
memory/3456-2331-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download
memory/3456-3804-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download
memory/3532-3808-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/3532-2340-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/3612-3359-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3612-3809-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3612-3358-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/3612-3908-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/4016-1040-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4016-1048-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/4016-1143-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/6228-4517-0x0000000000270000-0x000000000028A000-memory.dmp

Filesize
104KB

Download