Overview

overview

7

Static

static

3

q9cee706b7...b3.exe

windows7-x64

7

q9cee706b7...b3.exe

windows10-1703-x64

7

q9cee706b7...b3.exe

windows10-2004-x64

7

q9cee706b7...b3.exe

windows11-21h2-x64

7

Resubmissions

10/04/2024, 02:53

240410-ddcrcsff3z 7

10/04/2024, 02:53

240410-ddb5tscc79 7

10/04/2024, 02:53

240410-ddbt3aff3w 7

10/04/2024, 02:53

240410-ddbjasff3v 7

14/10/2023, 10:48

231014-mwhvrsce7y 7

Analysis

  • max time kernel
    1793s
  • max time network
    1797s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    10/04/2024, 02:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    q9cee706b7cbe32e33ace42b3.exe

  • Size

    285KB

  • MD5

    ecabf4d6692cd5ec991817f3b4a3170a

  • SHA1

    7aa0c00f7d624ea1fc99496f28ba7787fd38e680

  • SHA256

    756478606cced2d82be4625672faf105fdc9ab901757740a619b70b0bf102331

  • SHA512

    23e213b010f3073d14ec918d80b3e519a3d59133b1d3798f4567337e6c689d500bb2ea10fb394de03d2e57b8a377402132f77466dd33410136241d8d1ded92ca

  • SSDEEP

    3072:ix9JdT0pDj9yVfAK97GCkCYv+dRO7ZrLciXpDG/CdVWh6nt0lhLMgE/wV2p7vvSo:lSAY7GxZ8/ZQgEwV/ydcuCDY9bbzR38

Score
7/10
collectiondiscoveryspywarestealer

Malware Config

Signatures

  • Executes dropped EXE 62 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\q9cee706b7cbe32e33ace42b3.exe
    "C:\Users\Admin\AppData\Local\Temp\q9cee706b7cbe32e33ace42b3.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4608
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "q9cee706b7cbe32e33ace42b3" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\q9cee706b7cbe32e33ace42b3.exe" &&START "" "C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2320
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:4992
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "q9cee706b7cbe32e33ace42b3" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:332
        • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
          "C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:2040
          • C:\Windows\System32\tar.exe
            "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp4C1C.tmp" -C "C:\Users\Admin\AppData\Local\uq3099dqiz"
            4⤵
              PID:2400
            • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
              "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
              4⤵
              • Executes dropped EXE
              PID:4292
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4644
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3156
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1148
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:668
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3524
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:2400
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1728
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:2592
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4404
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3864
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:332
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:2336
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5012
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3744
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5004
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:4832
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:808
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:4864
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1976
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:332
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3524
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:1640
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3132
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:5108
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1612
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:2364
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2000
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3312
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1036
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:2464
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4760
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:936
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3992
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3600
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:408
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:1584
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1152
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:4400
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5020
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:2692
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1608
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:772
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:236
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:2468
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4444
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:1872
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5016
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3312
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5096
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:2252
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4064
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:1536
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:328
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:1908
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2720
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3728
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2228
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:4528
      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4608
        • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
          "C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3280

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\q9cee706b7cbe32e33ace42b3.exe.log
        Filesize

        847B

        MD5

        486ebddc86ea8b3e965d390d22283a23

        SHA1

        eaffc047f067084867e8575c576a9ec60e094ba8

        SHA256

        50a57273ecb794e53b0622eb841341e2643c11f53fa47356e6e754ab2268171d

        SHA512

        0a50ba02250b38355a6f4fb94e40c61258a74031d9aea7cdf675f3e068f39ec0748ecf292aaf2f94b1963b9d66516ee79aa6c552617048e248774af0ff07189d

        Download Submit

      • C:\Users\Admin\AppData\Local\Nvidia\q9cee706b7cbe32e33ace42b3.exe
        Filesize

        285KB

        MD5

        ecabf4d6692cd5ec991817f3b4a3170a

        SHA1

        7aa0c00f7d624ea1fc99496f28ba7787fd38e680

        SHA256

        756478606cced2d82be4625672faf105fdc9ab901757740a619b70b0bf102331

        SHA512

        23e213b010f3073d14ec918d80b3e519a3d59133b1d3798f4567337e6c689d500bb2ea10fb394de03d2e57b8a377402132f77466dd33410136241d8d1ded92ca

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp4C1C.tmp
        Filesize

        13.3MB

        MD5

        89d2d5811c1aff539bb355f15f3ddad0

        SHA1

        5bb3577c25b6d323d927200c48cd184a3e27c873

        SHA256

        b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

        SHA512

        39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

        Download Submit

      • C:\Users\Admin\AppData\Local\uq3099dqiz\data\cached-microdesc-consensus
        Filesize

        2.7MB

        MD5

        a0db8a87f7b723266c8b04255da46b06

        SHA1

        4df00ea56d22d88f3d2e005ef66bad5b3ef92ebf

        SHA256

        60b43cdce0f807f7891521f396f53def34a7d98986dbde0faa2a197189c587f3

        SHA512

        41b8fc467d11af7ca6a42c7e94d1b8295ab3ae5d6d186b4f378e6e079440520e8324b695da1134beb2bc1697d2491edcc70c1b75ab6fc66b9c1cb2ecbcdb4a7d

        Download Submit

      • C:\Users\Admin\AppData\Local\uq3099dqiz\data\cached-microdescs.new
        Filesize

        8.0MB

        MD5

        c35b1397ab404ad1935a283fb61df561

        SHA1

        6e5b6d48f43db678f21c35edddefb2e9db90cb0b

        SHA256

        ead590e992313e61cd8ff23f573e5c55c85d783d40e967d244250cf7097b33fa

        SHA512

        eab7b478024f4fc670ffcd574f6d2e7ad5493c5eb52513b53980cad58f9fb3b2b35b7b4a0e300a115e315e351770aa216a556eaef534fffde2ff5be483556efc

        Download Submit

      • C:\Users\Admin\AppData\Local\uq3099dqiz\host\hostname
        Filesize

        64B

        MD5

        1d9f147502df15a125ba8e720ceb2500

        SHA1

        2e688622cd9680ac42026b14b5bb284ca45c19c1

        SHA256

        c1f2e5d4f5874c915f493b40f5d17f7067a2155a0d1d75cb6af61c664a909dc4

        SHA512

        6a16f9c81af4eabcd81069b8c0a3f51b6437706508178293eb2b8288aefbbc46194f127211bf0485345b96133c459009337d79584735ac43964ec080d9bf42a2

        Download Submit

      • C:\Users\Admin\AppData\Local\uq3099dqiz\port.dat
        Filesize

        4B

        MD5

        665d5cbb82b5785d9f344c46417c6c36

        SHA1

        4c449511d1b4ed24c5fcbd19f94651a4e719ba4d

        SHA256

        c09a11d9c224480e982f9a9b1fe6a422d685e68d0375d4c56eaec674052015fe

        SHA512

        1524890e2e66fa774ce35bfc6960e657476de41e091d88404b5301340ec5bd2cc9fa9ddec15ebeba8382adef291ae8c38986585067016004b0be65d6dd2c7159

        Download Submit

      • C:\Users\Admin\AppData\Local\uq3099dqiz\tor\tor.exe
        Filesize

        7.4MB

        MD5

        88590909765350c0d70c6c34b1f31dd2

        SHA1

        129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

        SHA256

        46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

        SHA512

        a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

        Download Submit

      • C:\Users\Admin\AppData\Local\uq3099dqiz\torrc.txt
        Filesize

        218B

        MD5

        8e5f497c2400583a54c820e1a86115ec

        SHA1

        fe8bff6ae5e92a6101bf8d1fb3abe3657f649b8d

        SHA256

        1c692738e40719084385086a48359ac126a3ed4410abdc087f5d72cda5a88682

        SHA512

        aa2c79734a1706541f2bb0f21427bd86bbc7869ae0bd5794377695e0320fb629e9e15313ebaa24e3e317e3f125fe134cf7979b495f112c9533b2b17a92aa349d

        Download Submit

      • memory/236-315-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/236-316-0x000002B24FE60000-0x000002B24FE70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/236-318-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/332-131-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/332-129-0x000001F7FB560000-0x000001F7FB570000-memory.dmp

        Filesize

        64KB

        Download

      • memory/332-128-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/408-270-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/408-272-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/808-163-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/808-164-0x000001F6BDA10000-0x000001F6BDA20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/808-166-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1036-232-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1036-230-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1148-84-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1148-85-0x000001C0D81F0000-0x000001C0D8200000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1148-87-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1152-279-0x000001CD60660000-0x000001CD60670000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1152-281-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1152-278-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1608-303-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1608-305-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1612-210-0x000001E051030000-0x000001E051040000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1612-209-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1612-212-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1728-109-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1728-107-0x00000229C7710000-0x00000229C7720000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1728-106-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1976-178-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1976-176-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2000-220-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2000-218-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2040-57-0x00000129D2240000-0x00000129D2250000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2040-12-0x00000129D2240000-0x00000129D2250000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2040-11-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2040-54-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3132-201-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3132-203-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3524-184-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3524-94-0x0000027FEE830000-0x0000027FEE840000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3524-185-0x000001ABFCC40000-0x000001ABFCC50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3524-187-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3524-96-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3524-93-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3992-256-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3992-254-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4404-116-0x0000014183AC0000-0x0000014183AD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4404-115-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4404-118-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4608-0-0x0000027A0F040000-0x0000027A0F08E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/4608-6-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4608-4-0x0000027A0F540000-0x0000027A0F550000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4608-1-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4644-56-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4644-60-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4760-248-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4760-246-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/5004-153-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/5004-151-0x000001DF32830000-0x000001DF32840000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5004-150-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/5012-144-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/5012-142-0x0000024A28A10000-0x0000024A28A20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5012-141-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/5020-291-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/5020-293-0x00007FFD649A0000-0x00007FFD65462000-memory.dmp

        Filesize

        10.8MB

        Download