22761f5b95ad6b2932fd543292606a4390728e4837a9914c087ee0556b910786

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11-01-2024 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53474c750c9187e0490082d8e1c11a6d.exe
Size

418KB
MD5

53474c750c9187e0490082d8e1c11a6d
SHA1

a53490817cd28f7f9d3689c1dff73308e39ea8c0
SHA256

22761f5b95ad6b2932fd543292606a4390728e4837a9914c087ee0556b910786
SHA512

77ffaf942f932c2ec81a1ca2c0b9f321c28745fd8f0cd1f91f8e0b7bd69fc82099b81cd736514309e8f431b7a6cbecf19ee154844587e3fbd1c097ec969c4f92
SSDEEP

12288:qINL5QskZOSBJRVhQKUN3iduyA3fpIyTCP/tkhDzOkZ:n5mZOoJPCF3iduy669ViDykZ

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

53474c750c9187e0490082d8e1c11a6d.exewmiprvse.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	53474c750c9187e0490082d8e1c11a6d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\53474c750c9187e0490082d8e1c11a6d.exe\""	53474c750c9187e0490082d8e1c11a6d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\qTwtDMen.exe"	wmiprvse.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\pWthIloK.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\WLRvSBkn.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\KixHWsWV.exe"	reg.exe

Executes dropped EXE 3 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

1272 svchost.exe
1864 svchost.exe
2264 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

53474c750c9187e0490082d8e1c11a6d.exe

pid process

1964 53474c750c9187e0490082d8e1c11a6d.exe

pid	process
1272	svchost.exe
1864	svchost.exe
2264	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

53474c750c9187e0490082d8e1c11a6d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Adobe Startup Utility = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\53474c750c9187e0490082d8e1c11a6d.exe\""	53474c750c9187e0490082d8e1c11a6d.exe

Drops file in System32 directory 1 IoCs

Processes:

53474c750c9187e0490082d8e1c11a6d.exe

description ioc process

File created C:\Windows\SysWOW64\clientsvr.exe 53474c750c9187e0490082d8e1c11a6d.exe

description	ioc	process
File created	C:\Windows\SysWOW64\clientsvr.exe	53474c750c9187e0490082d8e1c11a6d.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

53474c750c9187e0490082d8e1c11a6d.exe53474c750c9187e0490082d8e1c11a6d.exesvchost.exesvchost.exe

description	pid	process	target process
PID 2476 set thread context of 2588	2476	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 2588 set thread context of 1964	2588	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 1272 set thread context of 1864	1272	svchost.exe	svchost.exe
PID 1864 set thread context of 2264	1864	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

53474c750c9187e0490082d8e1c11a6d.exe

pid	process
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe
1964	53474c750c9187e0490082d8e1c11a6d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

53474c750c9187e0490082d8e1c11a6d.exe

description pid process

Token: SeDebugPrivilege 1964 53474c750c9187e0490082d8e1c11a6d.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

53474c750c9187e0490082d8e1c11a6d.exe

pid process

1964 53474c750c9187e0490082d8e1c11a6d.exe

description	pid	process
Token: SeDebugPrivilege	1964	53474c750c9187e0490082d8e1c11a6d.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

53474c750c9187e0490082d8e1c11a6d.execsc.execmd.exe53474c750c9187e0490082d8e1c11a6d.execsc.execmd.exe53474c750c9187e0490082d8e1c11a6d.exesvchost.execsc.exe

description	pid	process	target process
PID 2476 wrote to memory of 2848	2476	53474c750c9187e0490082d8e1c11a6d.exe	csc.exe
PID 2476 wrote to memory of 2848	2476	53474c750c9187e0490082d8e1c11a6d.exe	csc.exe
PID 2476 wrote to memory of 2848	2476	53474c750c9187e0490082d8e1c11a6d.exe	csc.exe
PID 2476 wrote to memory of 2848	2476	53474c750c9187e0490082d8e1c11a6d.exe	csc.exe
PID 2848 wrote to memory of 3028	2848	csc.exe	cvtres.exe
PID 2848 wrote to memory of 3028	2848	csc.exe	cvtres.exe
PID 2848 wrote to memory of 3028	2848	csc.exe	cvtres.exe
PID 2848 wrote to memory of 3028	2848	csc.exe	cvtres.exe
PID 2476 wrote to memory of 2588	2476	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 2476 wrote to memory of 2588	2476	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 2476 wrote to memory of 2588	2476	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 2476 wrote to memory of 2588	2476	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 2476 wrote to memory of 2588	2476	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 2476 wrote to memory of 2588	2476	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 2476 wrote to memory of 2588	2476	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 2476 wrote to memory of 2588	2476	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 2476 wrote to memory of 2588	2476	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 2476 wrote to memory of 2616	2476	53474c750c9187e0490082d8e1c11a6d.exe	cmd.exe
PID 2476 wrote to memory of 2616	2476	53474c750c9187e0490082d8e1c11a6d.exe	cmd.exe
PID 2476 wrote to memory of 2616	2476	53474c750c9187e0490082d8e1c11a6d.exe	cmd.exe
PID 2476 wrote to memory of 2616	2476	53474c750c9187e0490082d8e1c11a6d.exe	cmd.exe
PID 2616 wrote to memory of 2288	2616	cmd.exe	wmiprvse.exe
PID 2616 wrote to memory of 2288	2616	cmd.exe	wmiprvse.exe
PID 2616 wrote to memory of 2288	2616	cmd.exe	wmiprvse.exe
PID 2616 wrote to memory of 2288	2616	cmd.exe	wmiprvse.exe
PID 2588 wrote to memory of 2104	2588	53474c750c9187e0490082d8e1c11a6d.exe	csc.exe
PID 2588 wrote to memory of 2104	2588	53474c750c9187e0490082d8e1c11a6d.exe	csc.exe
PID 2588 wrote to memory of 2104	2588	53474c750c9187e0490082d8e1c11a6d.exe	csc.exe
PID 2588 wrote to memory of 2104	2588	53474c750c9187e0490082d8e1c11a6d.exe	csc.exe
PID 2104 wrote to memory of 2880	2104	csc.exe	cvtres.exe
PID 2104 wrote to memory of 2880	2104	csc.exe	cvtres.exe
PID 2104 wrote to memory of 2880	2104	csc.exe	cvtres.exe
PID 2104 wrote to memory of 2880	2104	csc.exe	cvtres.exe
PID 2588 wrote to memory of 1964	2588	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 2588 wrote to memory of 1964	2588	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 2588 wrote to memory of 1964	2588	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 2588 wrote to memory of 1964	2588	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 2588 wrote to memory of 1964	2588	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 2588 wrote to memory of 1964	2588	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 2588 wrote to memory of 1964	2588	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 2588 wrote to memory of 1964	2588	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 2588 wrote to memory of 1964	2588	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 2588 wrote to memory of 2828	2588	53474c750c9187e0490082d8e1c11a6d.exe	cmd.exe
PID 2588 wrote to memory of 2828	2588	53474c750c9187e0490082d8e1c11a6d.exe	cmd.exe
PID 2588 wrote to memory of 2828	2588	53474c750c9187e0490082d8e1c11a6d.exe	cmd.exe
PID 2588 wrote to memory of 2828	2588	53474c750c9187e0490082d8e1c11a6d.exe	cmd.exe
PID 2828 wrote to memory of 2900	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 2900	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 2900	2828	cmd.exe	reg.exe
PID 2828 wrote to memory of 2900	2828	cmd.exe	reg.exe
PID 1964 wrote to memory of 1272	1964	53474c750c9187e0490082d8e1c11a6d.exe	svchost.exe
PID 1964 wrote to memory of 1272	1964	53474c750c9187e0490082d8e1c11a6d.exe	svchost.exe
PID 1964 wrote to memory of 1272	1964	53474c750c9187e0490082d8e1c11a6d.exe	svchost.exe
PID 1964 wrote to memory of 1272	1964	53474c750c9187e0490082d8e1c11a6d.exe	svchost.exe
PID 1272 wrote to memory of 2448	1272	svchost.exe	csc.exe
PID 1272 wrote to memory of 2448	1272	svchost.exe	csc.exe
PID 1272 wrote to memory of 2448	1272	svchost.exe	csc.exe
PID 1272 wrote to memory of 2448	1272	svchost.exe	csc.exe
PID 2448 wrote to memory of 564	2448	csc.exe	cvtres.exe
PID 2448 wrote to memory of 564	2448	csc.exe	cvtres.exe
PID 2448 wrote to memory of 564	2448	csc.exe	cvtres.exe
PID 2448 wrote to memory of 564	2448	csc.exe	cvtres.exe
PID 1272 wrote to memory of 1864	1272	svchost.exe	svchost.exe
PID 1272 wrote to memory of 1864	1272	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d.exe
"C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jreigsrd.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C01.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2C00.tmp"
3⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d.exe
"C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\pWthIloK.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2828

C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d.exe
"C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d.exe"
3⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964

C:\ProgramData\141341\svchost.exe
"C:\ProgramData\141341\svchost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9haytsnw.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\qTwtDMen.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D39.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2D38.tmp"
1⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\pWthIloK.exe"
1⤵
- Modifies WinLogon for persistence
PID:2900

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\qTwtDMen.exe"
1⤵
PID:2288

C:\ProgramData\141341\svchost.exe
"C:\ProgramData\141341\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1864

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\KixHWsWV.exe"
2⤵
PID:892

C:\ProgramData\141341\svchost.exe
"C:\ProgramData\141341\svchost.exe"
2⤵
- Executes dropped EXE
PID:2264

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gfrm-w1h.cmdline"
2⤵
PID:948

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\WLRvSBkn.exe"
1⤵
- Modifies WinLogon for persistence
PID:1524

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\WLRvSBkn.exe"
1⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\KixHWsWV.exe"
1⤵
- Modifies WinLogon for persistence
PID:2388

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A63.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3A62.tmp"
1⤵
PID:2320

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38DD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC38DC.tmp"
1⤵
PID:564

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hgx80py-.cmdline"
1⤵
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
- Modifies WinLogon for persistence
PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\141341\svchost.exe
Filesize
132KB

MD5
405af099ca49d54b26fdc07ed48ac26f

SHA1
5e7eb771485cdc0010d732ea464f5505f17f8467

SHA256
408d41b0d0f30dec45d3c9a7850736ab05c24e54ffffef1bb5a6144da39d39ce

SHA512
148b8b99f543dcb06100161ee64feddf3ba8a6f0d2d1100d094aa42de2ae794c5380235a6380d67903debc1767c801eb0035e7d479fa7cd0d11792904fbad48c

Download Submit
C:\ProgramData\141341\svchost.exe
Filesize
116KB

MD5
e518f31b3d8193f04b8f0e68fa794ff4

SHA1
308d5ff0e83e0e7589ec0f5252ceb07e7c1b65e2

SHA256
285ef1d54da98aac96caf0a27032437f5eb97e8ed9d88a3b4327872c46c6a6ec

SHA512
16aa9a503b5413aac3f7d18a5e58c1516f9879458160baf2c45532f2354794bce2a505f9d0209bdd22a22dfe12e2a05131683228a0fea4e07fabe2c8fead8d1a

Download Submit
C:\ProgramData\141341\svchost.exe
Filesize
79KB

MD5
2fc31050d8a740ab8bdf17d8e35a9df4

SHA1
1f9a2d7f7e9a566593c6b28f6cc6709f4de799c1

SHA256
0b568935a499037cf2786bfd0b3ebaa931b6f18542f8fadcc977abdb2ad87b0e

SHA512
622aceb2a6494b0e60ad17127b9c2d3cc086d70462cdc715eb24ef257f9fe5f8a1df343d9422367b6b25f7e335123175c90215db4e38e93e0fdf87c6778d5c01

Download Submit
C:\ProgramData\141341\svchost.exe
Filesize
112KB

MD5
8b5c2b0ca10c046877e10eeecd7b25e2

SHA1
0b42a094589f1b2421bcdadbc65d98b7a2387932

SHA256
0a822df00504fe9ac71a32bbeff0609f22c45f2ffecc2d769b3bef826706bf65

SHA512
475982fc3fdb356c26f7c4a45f801222b8125f5004de4cd125ab27cc4b3668ede2509d296517a3a668aaa523c7fdcc222bc48d6e0e7ed311b290bdafab68edf4

Download Submit
C:\ProgramData\141341\svchost.exe
Filesize
22KB

MD5
d8938548b2f63eea64e33df13f04bb08

SHA1
b400203f412bd0e4505a48d71a3ff0e7123cbabf

SHA256
c273ea5ec8d79a334fae117369287c1e4cee518ce3c66ee8c6f5136082adc261

SHA512
43ce25e2895f81786e60fc4369c6a5ce818977a0385accbb0d2a4fc5f5b84be9c5056bb8df82531f30abc43cd38b1b72ec0fe44de6b6cc7d8851dff0d66a5e40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
35df01a4e4341431fa89316159c57218

SHA1
317b1f458570e00b7a015c7a915db482c0c4e000

SHA256
2c1ba795f344f7969f93e155f27987623db0a848823ec22bfbc375951e8fc85e

SHA512
56ee473ef5a1f50f52a22a0d9676dc59981f150357f4f12a55094ca2496ec34ef2ca42800463f469dc97c31324ff90034d65082f29a465947d96ead6e3157895

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
14b7b370f6310e4f8c764d7705f06209

SHA1
39a90f0aae3ba779b0f396c228d9461a0187b2d5

SHA256
5a574223d55b4c9850255aebf33cc24bdf341be7b1e34e61fea4ba5dafbf6a84

SHA512
5a9f9f01f7425eb1c534aaa73de633cf700abed89be68c9e90a602c3954c7fba1ac791f8346e3944bdea4bedefcc3067f79963727eeef604f900dacd6a3e2e3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
60bded756e5bd6b254180ed6a8bd8bed

SHA1
122e0ec220d4582b20b2676b091d3df670de4564

SHA256
f5d22441f22ab240e8e7ed075d8ef02fd0c0d893d44a524580cd8c4960829355

SHA512
67e51e856618fa4848228e6b866ea011acdda422e3811a3724b01be158751aacff7e61c10989a2f35d06b7ae603305d59db3eca5fba5db6da4f18c180adbd7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9haytsnw.dll
Filesize
206KB

MD5
a9bcbada7ef044d6b1b8e13ea9404168

SHA1
63cd8297f3e49937be8cca88f04d94fd066457a3

SHA256
aead55553b7b562b6f3b228974f1b3e1b6987dbf40ae54f2c9dcf2f4516f9106

SHA512
8f9b724e524862dd95a72c7cc6d9a58c9eb4afd198edaf70645e3aac5b6304aa3ac1df2bce6e20f67bacb12c73f8550f641ba8efa620f5f1fbf89f3738e88c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2B76.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2C01.tmp
Filesize
1KB

MD5
40d4777765d9612a040bdf7884063214

SHA1
8900d83e239eb69ee9154855e2d8390499ca499e

SHA256
676df8137d56b8a0048f200ce464a76fb2bd06c17007cb0f6b53c8184f6618a5

SHA512
886de1410f93d73310caa0a93a226591ce009de5cd0dcbb6ed44102331bfb4be136573f134a79dbf4bc8e7d39bcd3bd335f9a87a41082344cabdc272374d9cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2D39.tmp
Filesize
1KB

MD5
5dd6312042b34dc40349dfd1d558e271

SHA1
e2681e8c72fb524510e4ffe0357c144a0c4f8098

SHA256
8f3446c6021d7cebd101f69e10ede3591f30c676c67356c7f579cee36f2b8329

SHA512
d46058aaa9560c7d409ab4385c5139193636350e81c34d91349c5a26cca0aec3d72f3ed5b14d44084b54323854609ac09683c7783253581208d0f1e4602a036c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES38DD.tmp
Filesize
1KB

MD5
13726763e7ab6ecc88ce8f3ceedacbda

SHA1
138f300652bbcc88e5731d9bc70d49368a28003c

SHA256
d50949ec0d184a0171602f24eeacc22642f2dc1a407eff8d34929c7f0a51d294

SHA512
219faa06bb729041fc9dd3401cd49576aa7769609fe36fe4c8ac70ab550d367da74b3ffcaf07caf59d0937b31ba8b80260d5aa292e6d1df34f01e665c675d2c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3A63.tmp
Filesize
1KB

MD5
695b931fcce886a833a2cc4b744a7e17

SHA1
c9b8e95951d54cc7203584ecafdbecc7a68ae763

SHA256
1b5cdef220e4c4d3ab972d2c58bc2ba610a10677cca6531c9502634deae5621f

SHA512
ee9fb7902b28109cf2a9981deae1046b15a7f24b3259f046dbc324c007705c6c576d2aeb2422f5c53bc271e533220fc791a5437e96e897465fd89c5e7a30623d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2C7E.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\gfrm-w1h.dll
Filesize
16KB

MD5
31607253f46599568eb9f2ebdbf3ba53

SHA1
6f59422c4254cc2503e0ee7ff007f1f36ccc2a2d

SHA256
ee87c810d1ee6a84aa6d1f81f166cd644360c2f4087b1c33671dc8381bf93a5b

SHA512
70a1f6a036d5eb1d40a0f183996b3e9140ca0a4fec46061c631b8d74767f487ad04560f14b204ecb730dd1ad6dc7603dcbd968a3a11129d87011c76ad05419c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgx80py-.dll
Filesize
104KB

MD5
e8d778fdadbb814ed12b61eb5323e58c

SHA1
cbcbd3d032e416c11214ebebfe60278cf47419b3

SHA256
337ce41a8e48f8a4c27ae10b403064ef0550329ca673f4f69dd53b0a2472b248

SHA512
68208f25d4d3c7c8ad19c1a44f2c8d240691df42d9c8caca506e640254fd822534a2b7bdfbad71bc3c27a64b6f0015a0b5edb034fb01a66f14e302c56940ebad

Download Submit
C:\Users\Admin\AppData\Local\Temp\jreigsrd.dll
Filesize
177KB

MD5
d1ec9a6df1d78a1325bb3ebbdc8bb1cb

SHA1
751e55c1570deb66aff9bca4a91526737c67e69e

SHA256
cf5efbeb0b27b4108498372047ba66414226c1c9ae40239d84f069c9a794fd7d

SHA512
5328188b41d2a1f0e5f76926d15dd6cc6fa5a7e45d84b7c96a1d708112d7eab989cd7f1154be913b9421286ddc2a99fc717a9e330b13168ad97bae78c899df16

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\9haytsnw.cmdline
Filesize
196B

MD5
2f65a1ddfdfcbf499f56635b420ba010

SHA1
fa80c924de57c424b660c08f1ec07d2762faa631

SHA256
9ecfeb5a4fca75228e518aee5351cc44641b02a41d85b03d6340f11030b77115

SHA512
f3d0bac3cb79f43c914748bf18305394d879341b4145e8878e373b6bdb3b52cf6c2d4238f8e49441424decb1987c641a7a6183a8e93439ac4fb39fafa2556211

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC2C00.tmp
Filesize
652B

MD5
66e4d7643eac7b08fdc090dac6f8547d

SHA1
b99cf2b5be293d81e1cf9e156753e1a2f1d47f44

SHA256
01da5b84033ed4f97dc1e0e5b626c039593464de9603f21b2de473871dff2b13

SHA512
79a9bbe5122fe65f3f9d4898c5157dd65219f8ddeada6b0e0207d289b31c4ad7f30da001c5e86e19685e8b43f58ce90a6d3ed7d6f4be35bd67eb07f307c056dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC2D38.tmp
Filesize
652B

MD5
8aecd1b9eb153d80b9d6feeb4c71878b

SHA1
0a3225ac8c5f096cc0f7169730087144d6755c2f

SHA256
1a0148621292157ff689e9bf980ab5add3ae6cf1ccc4eee1476fcaf47d779581

SHA512
4357807e219e479894367cb7d3ebb1662ac25de7643d095d7deb8ed51c5adf8bbdedfd7a303c127b4fb8864b24ceb9f8e3f468fe210faf5506cb153b2eb56a89

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC38DC.tmp
Filesize
652B

MD5
e82be34865eb3a4fe92600495c9f79f0

SHA1
36549da6309ca751b8caa787a53d8d004f708189

SHA256
0803fafebb90db5184c8f14a298f3f86c5c1ff628bad3df0fb2a49bcd4c615c2

SHA512
e39069af824cb22c5f7c22346ef5dbbc48f647f591f9443ed6f94e1e12fc3de5865b7045e666a3ef1194ca228239b9db27249dcaf1508a9f60600920d0003bff

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3A62.tmp
Filesize
652B

MD5
fa91a9ba85048594fec9cd7c78c4c80d

SHA1
4e81b05ea5ee2e84d50b93f0ebc3cd561ecb1fe8

SHA256
fa2cbe0a1da25da4391d8e977563153db2f529d3d33cdb02c18dc6c0952b89cf

SHA512
c9687eb4b58a41cf92b5c08947f64febe2fbd25294b66043147beb151f0e81d393820cf47436fc57a3d8bd39533a4dccb2fc90a770a00f3b53ee2c46d21e260a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gfrm-w1h.cmdline
Filesize
196B

MD5
297cd870bfa9cb5695f2e484dc87f359

SHA1
72013e71f1a2430ccd953ecad5a1cbd9a5b83baf

SHA256
d29a14d398375ab12a3e6bced65bcdb230f999b02ed069e90e7dac5838a2b4c5

SHA512
0358748f0f73666dde3e3375faed20d34429979ed5ad6b6d02c2f79251650522ded0961a84e49a7a47e8e59744486875b6b761b1c8480a25219699c3db56c0f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hgx80py-.cmdline
Filesize
196B

MD5
823b834dfcdbdec5a346ec15c7b37e6d

SHA1
96dbc7db4519457c69a24f307160d4bf2243faee

SHA256
cdc958f2266550389e8e4de87e4db78cefeca4498946266de557fdc86b595aa6

SHA512
60874d949d18c4da5712cd769ff12d85deea3567a7769e8ea8b9ee2c02c240ee997a5eaa02d915e23ce9b1ac9f5e7c6077f8e73b0b86a9c446bb26beae9cf426

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jreigsrd.cmdline
Filesize
196B

MD5
6a71f4a038f4d6e5085f491b80676a93

SHA1
48e5d0ca92df14eca3dc73013c4a941e496f3b2b

SHA256
3906f5a36b06606ae54bb6f6008bb2494657c066d6f96d92b2483c0c79fef9c0

SHA512
72e72b8916a672bcf74b0a832d3fb59561f13c1490b8a7c60d07519157b558187c0bdc86e573e0ffe82af01e878f31e5f9406f5b2590dcbf27bc940f2850b0d7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmp2B97.tmp.txt
Filesize
202KB

MD5
5125d2df6f1c2d4c3c8e01ca8738824e

SHA1
e4296f89e49cc053cdb657d1563eb752e42cb482

SHA256
9ceb7af5c372e3a462e9e1b96ca60497a121f6960c2254c670a4ef100766c54f

SHA512
3b1bad5b35027184e1416b68617f332ff5983b577b83af72ac2dd398c9f1d67441063543e1444bde46373bd5a662319335d5bf38bac41d198336467bc8608ee6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmp2D0D.tmp.txt
Filesize
151KB

MD5
cc14637fbab3051880a8e7f53b7a4d9d

SHA1
0c449814159bb840b377702b5559951f39d5e011

SHA256
635a37f6c7c519c705ab73621094828940c969ebbcf02598d406207e9b735c40

SHA512
dcafca81024339e0f38756abb2b42378f501caf9ae5f0cdc2ee2debe9e42321f4853adfa3411dfba7118db57adf3bdac732c2f50cbe5188b7e680804ddc53ee4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmp38C0.tmp.txt
Filesize
48KB

MD5
99bab5d8aed3da746d5f399793b495e4

SHA1
3a27382ee6aa26ace778d36c8832de67e0732895

SHA256
77906ff64b223d9e370e0eadfbd1d3f1ffd2c382f7007a9c9fa3efd9f509e3d2

SHA512
b1d703c727d85501c996a1073f441b440e3d79bdabfcd30316bb211f02df909ea274bffde1b5a16d75abd9a43b35dedd5efa241a93677cc90db04c63637352b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmp3A27.tmp.txt
Filesize
26KB

MD5
a7e0ff4614b3bd3265ed244f289ce90c

SHA1
df5cb4ef3fef7b61ae9b04ea18aee62ed7e6e6ea

SHA256
acb1b90480319613bd4948b9d7fa1e7b61bdac2348774f97b962e2db67c031ed

SHA512
1abd1219b3705812c2d2a90f4a36d5ed8f14f7ff8437f83387f1dfcb1afa3520ffb0f74f9b7e460c8583a968d8ebc3af8abb0b48d6caa9d02badb2935fef8bc8

Download Submit
\ProgramData\141341\svchost.exe
Filesize
66KB

MD5
e7803a9740ba32a580c342818c617536

SHA1
126aface3658ce6b9c21175fb089ef833c475cc4

SHA256
eb77d907a77dd2e097af2ca8e3835a95cba6436e8a2febdeb2878900c50f4104

SHA512
d5a4f69812eec8d5bece814dd13b58a86c6402937136db03dc6a552e6e35f7c1246db955d042fc13845fcc77815206e72376e94a5317661abd948b12e0fec7da

Download Submit
memory/948-194-0x0000000000460000-0x00000000004A0000-memory.dmp

Filesize
256KB

Download
memory/1272-124-0x00000000004F0000-0x0000000000530000-memory.dmp

Filesize
256KB

Download
memory/1272-177-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/1272-123-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/1864-176-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/1864-159-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1864-178-0x0000000002100000-0x0000000002140000-memory.dmp

Filesize
256KB

Download
memory/1864-221-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/1964-106-0x00000000009C0000-0x0000000000A00000-memory.dmp

Filesize
256KB

Download
memory/1964-101-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1964-223-0x00000000009C0000-0x0000000000A00000-memory.dmp

Filesize
256KB

Download
memory/1964-222-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/1964-107-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/1964-99-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1964-102-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/1964-94-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1964-83-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1964-85-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1964-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1964-93-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2104-74-0x0000000001F50000-0x0000000001F90000-memory.dmp

Filesize
256KB

Download
memory/2476-0-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2476-58-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2476-1-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2476-2-0x0000000000A80000-0x0000000000AC0000-memory.dmp

Filesize
256KB

Download
memory/2588-105-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2588-35-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2588-56-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2588-49-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2588-57-0x00000000006B0000-0x00000000006F0000-memory.dmp

Filesize
256KB

Download
memory/2588-45-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2588-34-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2588-33-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2588-44-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2588-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2588-39-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2588-37-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download