cryptbot | 272501aa281816ae02b8b7ceb2ed9a8b98eb61a4f89a44d7d3f10d372ec25027

Analysis

max time kernel
600s
max time network
533s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
18-05-2024 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a389e28415f923aeba3d6a0db83a098e.exe
Size

4.2MB
MD5

894f8165e6092fae4e34107475aee96d
SHA1

2aca9e58fe5dcc7fcd5bb9fcacd65c5f572c014a
SHA256

4e92d1047bd80cc6ae21344c207a09c4de026cb7d8249a9ce4a8be190b003cdb
SHA512

b5d9fa1cc79cd09a5d6cfff8f01144e261eb58169e8c97c56fff120dbe6154b53d578d78d1d6e958b873715e07737bc8018559a1dd5e33ec3322686888643734
SSDEEP

98304:yNlkiDfEWZksmiYs64VOccf1notv27bth:yN6iDT6smiFFOxnYvWz

Score

10^/10

cryptbot nullmixer privateloader aspackv2 dropper execution loader persistence spyware stealer

Malware Config

Extracted

Family

privateloader

http://37.0.10.214/proxies.txt

http://37.0.10.244/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.237

Extracted

Family

nullmixer

http://hsiens.xyz/

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/484-178-0x0000000004CB0000-0x0000000004D53000-memory.dmp	family_cryptbot
behavioral1/memory/484-179-0x0000000004CB0000-0x0000000004D53000-memory.dmp	family_cryptbot
behavioral1/memory/484-180-0x0000000004CB0000-0x0000000004D53000-memory.dmp	family_cryptbot

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1284 5036 rundll32.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2648 powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	5036	rundll32.exe

pid	process
2648	powershell.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\libcurlpp.dll	aspack_v212_v242

Executes dropped EXE 14 IoCs

Processes:

setup_installer.exesetup_install.exeFri1729cd7988553c85.exeFri172ae9814895.exeFri1720d1aafb31606.exeFri17dba383b62780.exeFri17f4e48359be02.exeFri175169b9fbe.exeFri17a8188770a9.exeFri179d661f1f6a.exeFri176f955aa5511fdba.exeFri1729cd7988553c85.exePiu.exe.comPiu.exe.com

pid	process
4032	setup_installer.exe
3156	setup_install.exe
5024	Fri1729cd7988553c85.exe
5012	Fri172ae9814895.exe
4540	Fri1720d1aafb31606.exe
1220	Fri17dba383b62780.exe
4192	Fri17f4e48359be02.exe
4480	Fri175169b9fbe.exe
2760	Fri17a8188770a9.exe
5020	Fri179d661f1f6a.exe
4436	Fri176f955aa5511fdba.exe
4776	Fri1729cd7988553c85.exe
4936	Piu.exe.com
484	Piu.exe.com

Loads dropped DLL 7 IoCs

Processes:

setup_install.exe

pid	process
3156	setup_install.exe
3156	setup_install.exe
3156	setup_install.exe
3156	setup_install.exe
3156	setup_install.exe
3156	setup_install.exe
3156	setup_install.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Fri175169b9fbe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Fri175169b9fbe.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

4 iplogger.org
6 iplogger.org

flow	ioc
4	iplogger.org
6	iplogger.org

Drops file in System32 directory 12 IoCs

Processes:

OfficeClickToRun.exeWMIADAP.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	C:\Windows\system32\perfh009.dat	WMIADAP.EXE
File created	C:\Windows\system32\PerfStringBackup.TMP	WMIADAP.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.h	WMIADAP.EXE
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	WMIADAP.EXE
File created	C:\Windows\system32\perfc009.dat	WMIADAP.EXE
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	WMIADAP.EXE

Drops file in Windows directory 4 IoCs

Processes:

WMIADAP.EXE

description	ioc	process
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	WMIADAP.EXE
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	WMIADAP.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1572	4436	WerFault.exe	Fri176f955aa5511fdba.exe
1516	1220	WerFault.exe	Fri17dba383b62780.exe
4092	5012	WerFault.exe	Fri172ae9814895.exe
456	3156	WerFault.exe	setup_install.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OfficeClickToRun.exePiu.exe.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Piu.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Piu.exe.com
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OfficeClickToRun.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

OfficeClickToRun.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	OfficeClickToRun.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

OfficeClickToRun.exedwm.exeLogonUI.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={885A7A87-AB63-4A76-A8D1-34BE6C1ED385}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile\MsaDevice = "t=GwAWAbuEBAAUbVtUa9wjWgmEIwjX9d7dccnghw8OZgAAEPty1SijH6nxea9VhCN1wNXgAADL0hgZNQQTtjTuN5R0TcLzdN7TkMTyD6ykMu+XV5SEnkmbA9Fej84yqGKp5CLZ5fmxbFi3iG2VV2BqJ3C3auSFX8dWiuBHR2VAaKEtt/YiXv8p1SKqWBl5kjHZ7F6634/sHA/CY1dOgZEXJetJDwwocoiMwQr6mfd5rEwG6sePtlnRWrRFgO2JRaRWJQenJhHLENzo66IR6cJU1R1fPVo/ZPh3pBNftf+Huu83h8foh+bDKD0k87TWRBocYpdQVdkpNibGjTH9fBEr0mcHUwJiY3+rBqkcgHdsLyq9owqEHwE=&p="	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018400E3FDBD5AA = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000047f25e846fc74f4987362aa84a1cc57000000000020000000000106600000001000020000000ae55335108bd816b17c79dca6a7da934bbed5bbb9eea23e7dd174f526aeb5ad0000000000e800000000200002000000083ab840dafe934efb14a1c99e1a24295413ff4b5e4357341747cf455256e1e308000000099214e09ce69b4a71ec1699b13a326e31126c492aad9f7e12054a1f77dde0370a7b4390a08675b85d14ccd6e1cbf0f60059a38c3021e0079628ecb13d3f5286fad0d68e7ebf7a37e58b6abdfde04c1098dd629bc5330faa199d8b257528e366683e93ea01245c76b1306092ee3722c1a19ac1b467163e0be95337dcfae00b80f40000000e4d59898e81f3533c4670f0cb2ca9de70219fa6ead97babb2c1e0bc2830a60b641b19dbeb3dd45feec2665f26ceafc78e466e2c5798ae1706752df6ac6e26807	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceId = "0018400E3FDBD5AA"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000047f25e846fc74f4987362aa84a1cc570000000000200000000001066000000010000200000003ba5f8a735c5ff8379d0e0fd646ec66a34d2344c776f788c5b626a6446fab812000000000e800000000200002000000020045e3ba88854d3ff1ecc76082e3dbf1d230de887ad8f777e3edeab51393679f0030000f2079ffe20f1e1540284895f294b7784ce193e54d2084c2cd4045a4685a5f61b88ecacaa910b08ac4d60f0a6407996207429c043084c6090244a0746856ffb63b510e714ba76890ec2e0e6dfd9c4489348a2841713c6d2bd2d14180cfead98f5c26a390dc142d4815bb54b26c561f592fee71730781fb3ee985b8f1801519974efaf4a4aa822db32e24cbbf76ddabe52cfb4b6492b41d4279895a873e8f29cd5cd18c348a80d5db83d0a34977307d0d6001e510c3bf32e548a48c2602686c346260c72a1ed79436a71389aa354a704a3e72bd7193c6ce8b6ed3bda8342b7966a5692959a9fedf3f1649955975a005fbed9c5236cdebf113cc50579109c89f5d4d335c223690313d8bed442b9773bc5c8cc76db41fbc5a198b3b1a59f4f07ea68b69d7aa3656c7a0c4c9789e4ded8db05230d9359d94cdcd0022e705e4d7907dc985504e3a12eb346fdce6c5c1a2e38d4f99727f9c1749147f723d48c662d467b7feb3c59159251ba4bb88e33e7529a0e459148922c16a2850dba0fb96d449be75dd4fb0e4489afedee62c085312309b55d6a77cb2c534334a1d5af632c0075a4d8e50e316dddc52ff3b3046b257bcdd3a2bb0ee53beda6df99039921eba803cd866ee30b2bbb5fa67d8d5e0837c6715ff5728a2c935364ca63d3d63de64a9c5e1b2ec8ea6d60e87852bc67be2cf8b21cdafc78a56cf39f6db0a394152e9a853ecb1279993493718c466bdf4471932ecf7973ff0db9526e6a0cad74aadac57235083bdf145bbf4919122966975da95637c4f08b8f846819a07365c1a8826683dcf0c8ad71a06e8922a64df8a2bac77a4e8da55b20d38251e2a93e2f2264ccc5d59e7150e67164ad066fc77a2f08a8e0a23378c2f28c5cc35e0f9bb0fc941e26391ea217258a14ea915db6bc0a7e9fe1afd64076f17564eefdd6fd6cb351af7aed5dd11c32bc8a39f073f555a30f1f06557bd38ab4e16de0344918645402fcd98ce9f62b8f368d6d1a3a7f61d50e35f0adaf17787780b91270ae089021c6047035ee608ffa6670db92189593cb05bc5a1ef1b07d370ddf2bc2f422dfa2b51656c95db1441fe6a9d5dbe85e1c6923817342b4bb1d10e011058b99c9e720cb96e0ce78aa87e3af7d2c2b58151870617308e34b6bf2188c1d060a743ca665fca05cc11de7ae511548fb1ba2c018d4cf540fa9ab7e578db6a2dc8597dc33aced1cc2c40dc578a7cf95d320f744a2e3686b3dd9b4044de7ce24034eb25be3350990a17f051cebadcdeb85e9f0e1578aaa6b5fa517d0b542711a1f3abf7e0d8f1fcbc307ab7acd5326205a3de57ac955efb8f11ab02d06f58a050ad384d5e965300975ed80d9cd91e81ec48b0d4202af684ef89fc4929c05386677c5fbeee7f23d0b82cd852e2b6e490de7d91fe932b55272184c40000000cc0406473d411a79dd80e0df5a573a176ab503ad4b13fad7223e81f401c8545602c0d242041f2ac73dc887fe951d59ed85d226e645108dd5ae133e541fba562d	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "24"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1716052051"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1528 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

2648 powershell.exe
2648 powershell.exe
2648 powershell.exe

pid	process
1528	PING.EXE

pid	process
2648	powershell.exe
2648	powershell.exe
2648	powershell.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

pid	process
1068
2764
3736
4148
852
680
3112
4376
4984
4476
3064
5116
1920
1096
1924
2952
1944
2964
3592
3908
4512
3228
3472
3996
1420
4044
4000
3824
5108
1440
1904
1040
2392
4880
4408
3160
2300
1248
4444
2888
4100
2732
736
700
4904
5112
3452
744
2140
5064
4964
1624
884
4864
3796
3752
4112
3688
5072
2376
2724
4380
2868
3216

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

Fri179d661f1f6a.exeFri1720d1aafb31606.exepowershell.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	5020	Fri179d661f1f6a.exe
Token: SeDebugPrivilege	4540	Fri1720d1aafb31606.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeCreateGlobalPrivilege	4412	dwm.exe
Token: SeChangeNotifyPrivilege	4412	dwm.exe
Token: 33	4412	dwm.exe
Token: SeIncBasePriorityPrivilege	4412	dwm.exe
Token: SeCreateGlobalPrivilege	2492	dwm.exe
Token: SeChangeNotifyPrivilege	2492	dwm.exe
Token: 33	2492	dwm.exe
Token: SeIncBasePriorityPrivilege	2492	dwm.exe
Token: SeCreateGlobalPrivilege	2864	dwm.exe
Token: SeChangeNotifyPrivilege	2864	dwm.exe
Token: 33	2864	dwm.exe
Token: SeIncBasePriorityPrivilege	2864	dwm.exe
Token: SeCreateGlobalPrivilege	3816	dwm.exe
Token: SeChangeNotifyPrivilege	3816	dwm.exe
Token: 33	3816	dwm.exe
Token: SeIncBasePriorityPrivilege	3816	dwm.exe
Token: SeCreateGlobalPrivilege	560	dwm.exe
Token: SeChangeNotifyPrivilege	560	dwm.exe
Token: 33	560	dwm.exe
Token: SeIncBasePriorityPrivilege	560	dwm.exe
Token: SeCreateGlobalPrivilege	3136	dwm.exe
Token: SeChangeNotifyPrivilege	3136	dwm.exe
Token: 33	3136	dwm.exe
Token: SeIncBasePriorityPrivilege	3136	dwm.exe
Token: SeCreateGlobalPrivilege	1732	dwm.exe
Token: SeChangeNotifyPrivilege	1732	dwm.exe
Token: 33	1732	dwm.exe
Token: SeIncBasePriorityPrivilege	1732	dwm.exe
Token: SeCreateGlobalPrivilege	3744	dwm.exe
Token: SeChangeNotifyPrivilege	3744	dwm.exe
Token: 33	3744	dwm.exe
Token: SeIncBasePriorityPrivilege	3744	dwm.exe
Token: 33	4692	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4692	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Piu.exe.comPiu.exe.com

pid process

4936 Piu.exe.com
4936 Piu.exe.com
4936 Piu.exe.com
484 Piu.exe.com
484 Piu.exe.com
484 Piu.exe.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Piu.exe.comPiu.exe.com

pid process

4936 Piu.exe.com
4936 Piu.exe.com
4936 Piu.exe.com
484 Piu.exe.com
484 Piu.exe.com
484 Piu.exe.com
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OfficeClickToRun.exeLogonUI.exe

pid process

2328 OfficeClickToRun.exe
1196 LogonUI.exe

pid	process
4936	Piu.exe.com
4936	Piu.exe.com
4936	Piu.exe.com
484	Piu.exe.com
484	Piu.exe.com
484	Piu.exe.com

pid	process
4936	Piu.exe.com
4936	Piu.exe.com
4936	Piu.exe.com
484	Piu.exe.com
484	Piu.exe.com
484	Piu.exe.com

pid	process
2328	OfficeClickToRun.exe
1196	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a389e28415f923aeba3d6a0db83a098e.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exeFri175169b9fbe.exe

description	pid	process	target process
PID 568 wrote to memory of 4032	568	a389e28415f923aeba3d6a0db83a098e.exe	setup_installer.exe
PID 568 wrote to memory of 4032	568	a389e28415f923aeba3d6a0db83a098e.exe	setup_installer.exe
PID 568 wrote to memory of 4032	568	a389e28415f923aeba3d6a0db83a098e.exe	setup_installer.exe
PID 4032 wrote to memory of 3156	4032	setup_installer.exe	setup_install.exe
PID 4032 wrote to memory of 3156	4032	setup_installer.exe	setup_install.exe
PID 4032 wrote to memory of 3156	4032	setup_installer.exe	setup_install.exe
PID 3156 wrote to memory of 3164	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 3164	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 3164	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 4860	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 4860	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 4860	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 1768	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 1768	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 1768	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 3704	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 3704	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 3704	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 4528	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 4528	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 4528	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 3892	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 3892	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 3892	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 2656	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 2656	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 2656	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 3664	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 3664	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 3664	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 3212	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 3212	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 3212	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 4816	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 4816	3156	setup_install.exe	cmd.exe
PID 3156 wrote to memory of 4816	3156	setup_install.exe	cmd.exe
PID 4860 wrote to memory of 5024	4860	cmd.exe	Fri1729cd7988553c85.exe
PID 4860 wrote to memory of 5024	4860	cmd.exe	Fri1729cd7988553c85.exe
PID 4860 wrote to memory of 5024	4860	cmd.exe	Fri1729cd7988553c85.exe
PID 1768 wrote to memory of 5012	1768	cmd.exe	Fri172ae9814895.exe
PID 1768 wrote to memory of 5012	1768	cmd.exe	Fri172ae9814895.exe
PID 1768 wrote to memory of 5012	1768	cmd.exe	Fri172ae9814895.exe
PID 3164 wrote to memory of 2648	3164	cmd.exe	powershell.exe
PID 3164 wrote to memory of 2648	3164	cmd.exe	powershell.exe
PID 3164 wrote to memory of 2648	3164	cmd.exe	powershell.exe
PID 4528 wrote to memory of 4436	4528	cmd.exe	Fri176f955aa5511fdba.exe
PID 4528 wrote to memory of 4436	4528	cmd.exe	Fri176f955aa5511fdba.exe
PID 4528 wrote to memory of 4436	4528	cmd.exe	Fri176f955aa5511fdba.exe
PID 3704 wrote to memory of 2760	3704	cmd.exe	Fri17a8188770a9.exe
PID 3704 wrote to memory of 2760	3704	cmd.exe	Fri17a8188770a9.exe
PID 3664 wrote to memory of 4540	3664	cmd.exe	Fri1720d1aafb31606.exe
PID 3664 wrote to memory of 4540	3664	cmd.exe	Fri1720d1aafb31606.exe
PID 3892 wrote to memory of 1220	3892	cmd.exe	Fri17dba383b62780.exe
PID 3892 wrote to memory of 1220	3892	cmd.exe	Fri17dba383b62780.exe
PID 3892 wrote to memory of 1220	3892	cmd.exe	Fri17dba383b62780.exe
PID 2656 wrote to memory of 4192	2656	cmd.exe	Fri17f4e48359be02.exe
PID 2656 wrote to memory of 4192	2656	cmd.exe	Fri17f4e48359be02.exe
PID 2656 wrote to memory of 4192	2656	cmd.exe	Fri17f4e48359be02.exe
PID 3212 wrote to memory of 4480	3212	cmd.exe	Fri175169b9fbe.exe
PID 3212 wrote to memory of 4480	3212	cmd.exe	Fri175169b9fbe.exe
PID 3212 wrote to memory of 4480	3212	cmd.exe	Fri175169b9fbe.exe
PID 4816 wrote to memory of 5020	4816	cmd.exe	Fri179d661f1f6a.exe
PID 4816 wrote to memory of 5020	4816	cmd.exe	Fri179d661f1f6a.exe
PID 4480 wrote to memory of 3996	4480	Fri175169b9fbe.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\a389e28415f923aeba3d6a0db83a098e.exe
"C:\Users\Admin\AppData\Local\Temp\a389e28415f923aeba3d6a0db83a098e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:568
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3164
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri1729cd7988553c85.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4860
    - - C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\Fri1729cd7988553c85.exe
        
        Fri1729cd7988553c85.exe
        5⤵
        Executes dropped EXE
        
        PID:5024
      - C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\Fri1729cd7988553c85.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\Fri1729cd7988553c85.exe" -a
        6⤵
        Executes dropped EXE
        
        PID:4776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri172ae9814895.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1768
    - - C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\Fri172ae9814895.exe
        
        Fri172ae9814895.exe
        5⤵
        Executes dropped EXE
        
        PID:5012
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 280
        6⤵
        Program crash
        
        PID:4092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri17a8188770a9.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3704
    - - C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\Fri17a8188770a9.exe
        
        Fri17a8188770a9.exe
        5⤵
        Executes dropped EXE
        
        PID:2760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri176f955aa5511fdba.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4528
    - - C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\Fri176f955aa5511fdba.exe
        
        Fri176f955aa5511fdba.exe
        5⤵
        Executes dropped EXE
        
        PID:4436
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 284
        6⤵
        Program crash
        
        PID:1572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri17dba383b62780.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3892
    - - C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\Fri17dba383b62780.exe
        
        Fri17dba383b62780.exe
        5⤵
        Executes dropped EXE
        
        PID:1220
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 292
        6⤵
        Program crash
        
        PID:1516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri17f4e48359be02.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\Fri17f4e48359be02.exe
        
        Fri17f4e48359be02.exe
        5⤵
        Executes dropped EXE
        
        PID:4192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri1720d1aafb31606.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3664
    - - C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\Fri1720d1aafb31606.exe
        
        Fri1720d1aafb31606.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri175169b9fbe.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3212
    - - C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\Fri175169b9fbe.exe
        
        Fri175169b9fbe.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4480
      - C:\Windows\SysWOW64\dllhost.exe
        
        dllhost.exe
        6⤵
        
        PID:3996
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < Abbassero.wmv
        6⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        7⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^VHwgFRxzxxLcwcGoqrvwdRkyDDkqmNLTpdmTOMvFsotvynnSaSEGawtrcWKeGzUGIRjLVNzgHQJiNPZttzIGotBijvbSexZYgbNhjNWFndZB$" Rugiada.wmv
        8⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com
        
        Piu.exe.com L
        8⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com L
        9⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:484
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping HRCPJXUV -n 30
        8⤵
        Runs ping.exe
        
        PID:1528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri179d661f1f6a.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4816
    - - C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\Fri179d661f1f6a.exe
        
        Fri179d661f1f6a.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 584
      4⤵
      Program crash
      PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 3156 -ip 3156
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4436 -ip 4436
1⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5012 -ip 5012
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1220 -ip 1220
1⤵
PID:8

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:1284

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2328

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3816

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004BC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a29855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1196

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /R /T
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\Fri1720d1aafb31606.exe

Filesize
156KB

MD5
cda12ae37191467d0a7d151664ed74aa

SHA1
2625b2e142c848092aa4a51584143ab7ed7d33d2

SHA256
1e07bb767e9979d4afa4f8d69b68e33dd7c1a43f6863096a2b091047a10cdc2e

SHA512
77c4429e22754e50828d9ec344cd63780acd31c350ef16ef69e2a396114df10e7c43d791440faee90e7f80be73e845ab579fd7b38efbd12f5de11bbc906f1c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\Fri1729cd7988553c85.exe

Filesize
56KB

MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\Fri172ae9814895.exe

Filesize
145KB

MD5
8e5905ab95b99aa449ce6831cb3abe0b

SHA1
89b162ce7551cf0a3ec6db6c4b121baa1849d366

SHA256
8258cf68f1464e659ceeff83894a4c653322b1a78ab2f9e494f6d526f6aed5b6

SHA512
f3e765f8420b6089f1182c08c58cc384a5e79d6008ee1a03f5fa7d2d0906d33c899b506f566fa54c6e73e23f5868a1e44cc8cf24678bae67caade9d3081fa2e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\Fri175169b9fbe.exe

Filesize
1.4MB

MD5
9816173c0462753439780cd040d546e2

SHA1
cb63512db6f800cc62dfe943a41613b4cbb15484

SHA256
da65a761ea15c24fdb4e322e48d67f914c9399e6c804de75127424211551d51f

SHA512
c9443baaf190b01b36d0d65103634d5f9492acd395ef2b9924e60822d7023dfc40692443362342534db284829ae36302f75d3ebc04d3ebf5bc3107e3b59e46bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\Fri176f955aa5511fdba.exe

Filesize
513KB

MD5
61c8a2149f252302495834d749e1ec4a

SHA1
a701cc1851212090a36c296794d35a535609708f

SHA256
8f8d948716ff8ecdcaf251b41f032803e4d718acc03afcb906a4e19b36fcc8f9

SHA512
5f8cad356044e1f0e272f9bb94f26aedaf72f06b7897af6c856bf1ecaa373df2b23b4bc4fd91b46297a7fb73913b1b4ab8010a83fc8180f5a2f570e8334b45b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\Fri179d661f1f6a.exe

Filesize
8KB

MD5
d1d4b4d26a9b9714a02c252fb46b72ce

SHA1
af9e34a28f8f408853d3cd504f03ae43c03cc24f

SHA256
8a77dd50b720322088fbe92aeba219cc744bd664ff660058b1949c3b9b428bac

SHA512
182929a5ff0414108f74283e77ba044ab359017ace35a06f9f3ebd8b69577c22ecc85705cb908d1aa99d3a20246076bc82a7f6de7e3c4424d4e1dc3a9a6954cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\Fri17a8188770a9.exe

Filesize
900KB

MD5
0a0d22f1c9179a67d04166de0db02dbb

SHA1
106e55bd898b5574f9bd33dac9f3c0b95cecd90d

SHA256
a59457fbfaf3d1b2e17463d0ffd50680313b1905aff69f13694cfc3fffd5a4ac

SHA512
8abf8dc0da25c0fdbaa1ca39db057db80b9a135728fed9cd0f45b0f06d5652cee8d309b92e7cb953c0c4e8b38ffa2427c33f4865f1eb985a621316f9eb187b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\Fri17dba383b62780.exe

Filesize
248KB

MD5
d23c06e25b4bd295e821274472263572

SHA1
9ad295ec3853dc465ae77f9479f8c4f76e2748b8

SHA256
f02c1351a8b3dc296cf815bb4cd2bcc2d25b3b9a258ab2ad95e8be3d9602322c

SHA512
122b0ef44682f83651d81df622bbff5ad9fa0f5bbd6b925e35add9568825c0316c0f9921dac21cf92cb44658fc854f7829c01ae3b84aa0745929f8ef5e6ae1ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\Fri17f4e48359be02.exe

Filesize
1.5MB

MD5
df80b76857b74ae1b2ada8efb2a730ee

SHA1
5653be57533c6eb058fed4963a25a676488ef832

SHA256
5545c43eb14b0519ab997673efa379343f98d2b6b1578d9fdeb369234789f9dd

SHA512
060b04536003ce4a91e5847d487701eed7e093408e427198be552f0af37aee498929586f3a0110c78173873a28d95c6c0a4cdd01c7218274f5849a4730f9efdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0CF88027\setup_install.exe

Filesize
2.1MB

MD5
ce4daa7e7792d487f08716b7cf3ebb01

SHA1
1f355b25c4a27dbbbf3fc466bd7e94e8d4f571b7

SHA256
41cb2b3b30ab6edad9743d61fe2a68a352789d2ccff66a5265fc4edeab13cb70

SHA512
d028da621e4d465a8fb9c94de4ae1c3d9320060d1cfabb80d494cdd56c996cff024521187ba631fa007cc89570c9babad39fe665541b14391f8f1cd85e5b56f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Abbassero.wmv

Filesize
534B

MD5
697af31c63a3d02a3e39109027671e68

SHA1
8a7083bc918366b05f75e54853cc39a45cc0da7c

SHA256
6cb806bec68db2c4f5aee59c4f604b502a4266f020cdf408e4dc543974b88036

SHA512
12a0b4f4023e04afe7515da738a4574931ff1d7538e264c93eef6142675be6bf83cdd590bbdaa6f704da9a78addd6b111a0bf23542f5c11d65b213feeaf8a8b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Riaprirmi.wmv

Filesize
577KB

MD5
9d64d14627e79c6f733c74a2049c334d

SHA1
771f3b69b8954df0134c5f750a92aa521a2d9a36

SHA256
0d16e628415ab84ab9d56af4587fe1419acdb5806b7d9dda552a5bf66a5b56c6

SHA512
433da42bd563ff43e5e4ce399b9bab8bb64a62fc67aea8114b49b4a1e8e4b0bdba68ade2e70b5a62cb4417e06200e2dfb5fe8bb6ca9141947148d22af09223db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rinnovella.wmv

Filesize
634KB

MD5
77b02472e42d7fdae3f1f39cfc5d9158

SHA1
f5f4570b452b6554e0ac7c9ab476ca6db9320f29

SHA256
111b913a0dab95cd7efaaca4676b1ea47113ebd0f8e3b4a6707af0fa62337a97

SHA512
945a6727e0d0f98db230b93933e3fa20ea4b5e98d2e6e03374e6718d2cd5097a20f8a5dc4cb4e00a9f070286a623f7719cc1ee9a5f9910a6156fb29ce8f559d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rugiada.wmv

Filesize
872KB

MD5
48c3a0e572e8b258f5d9f4891278ea7a

SHA1
db742db08c27bd7f74977d53ba532a5fae6e3cad

SHA256
ed7cf7296658bc2aae125c803ce7e6242397f7ed783f8852708d2c558fc6e75e

SHA512
615542411ff6fbec3ac03573ab6b975a10056b51541503ac9ee8f683b9f4875d7f5f00ed8c19a07d25b5daea0ef39fe7ef45414b1e6dc7d5d45147172c33f672

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_msrukwuy.vx5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
4.1MB

MD5
09c8df8640a8e73a7ce0584e8ed299c3

SHA1
bc5cdfcb5320bc112db2b863af110ceca1fdf85c

SHA256
bab08164f7128f3ac0418df028c40a65684a0fb4b060403d6981a8c7ab318134

SHA512
88b9e4568d2baa80d9b83d2c078e9eeb7f55d2489193dae8c8aa6199f6ab0558c18f13ad27e3c612fe5b921ed241696229a52f2ab2fbef0e636cdc73d81a3361

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll

Filesize
1KB

MD5
7dbb07a7cb2c54c585f3279dda7df1a8

SHA1
e992a14dcf95635e113a2c3425f9c77d5a1cb64c

SHA256
472efc3810c32ebf2072bd2b2424d65e0aceacbb45ba61d14bd78f4e1f412a43

SHA512
83dc66c0853e570e8ebd7b2575b244ef845acc069ba62591fa1546d405d370fa9e55bce006aa34e695663757ed0716489947ff64259e86793beb631c7306be17

Download Submit
C:\Windows\System32\perfc009.dat

Filesize
132KB

MD5
eff169e315d4831710128954078829fe

SHA1
898d07e9938cefa58f4af9b0b900484f28b0919d

SHA256
135153cad80349636f1854b497ea23b30d4e5b4960963ce1bfa3ba6c61e9e1d8

SHA512
7d8ce5c85f8c4ac1bcf2509783d3e892c44199aac6a9cc36ee7e0781607ad8b04073b1da36ecc0b9f95a4941c2fe181ae80bddb9eed16c7c721eee446441de1d

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
699KB

MD5
a89ae42f5a026c19299f9fa3278556cd

SHA1
ec0a61aa2b89c9f80c734006446f124530e0f66b

SHA256
94ddaf67c6973113ef2992feab11bd2147194541c8c8efc82f7b51e89fc08a25

SHA512
fad978dd060c6a507d8be487d8478f4f550c2e3fa440c8b3f90c19771f9e2b0d34ead3fad6f026ea233bbd5ec0f5274b7dc6bab4ea4d090322d4406edd3a836e

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.h

Filesize
3KB

MD5
b133a676d139032a27de3d9619e70091

SHA1
1248aa89938a13640252a79113930ede2f26f1fa

SHA256
ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15

SHA512
c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.ini

Filesize
29KB

MD5
ffdeea82ba4a5a65585103dd2a922dfe

SHA1
094c3794503245cc7dfa9e222d3504f449a5400b

SHA256
c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390

SHA512
7570527fdae4818f0fc780f9f141ab6a2d313cc6b3fdb1f7d7ff05d994ad77d3f8d168b1d77c2555d25dc487d24c18f2cc0eab505d1dd758d709f2576aac1a8a

Download Submit
memory/484-177-0x0000000004CB0000-0x0000000004D53000-memory.dmp

Filesize
652KB

Download
memory/484-179-0x0000000004CB0000-0x0000000004D53000-memory.dmp

Filesize
652KB

Download
memory/484-180-0x0000000004CB0000-0x0000000004D53000-memory.dmp

Filesize
652KB

Download
memory/484-178-0x0000000004CB0000-0x0000000004D53000-memory.dmp

Filesize
652KB

Download
memory/484-176-0x0000000004CB0000-0x0000000004D53000-memory.dmp

Filesize
652KB

Download
memory/484-175-0x0000000004CB0000-0x0000000004D53000-memory.dmp

Filesize
652KB

Download
memory/2648-165-0x0000000007720000-0x000000000773A000-memory.dmp

Filesize
104KB

Download
memory/2648-172-0x0000000007A50000-0x0000000007A58000-memory.dmp

Filesize
32KB

Download
memory/2648-109-0x0000000005650000-0x0000000005C7A000-memory.dmp

Filesize
6.2MB

Download
memory/2648-171-0x0000000007A60000-0x0000000007A7A000-memory.dmp

Filesize
104KB

Download
memory/2648-112-0x0000000005620000-0x0000000005642000-memory.dmp

Filesize
136KB

Download
memory/2648-113-0x0000000005DF0000-0x0000000005E56000-memory.dmp

Filesize
408KB

Download
memory/2648-114-0x0000000005E60000-0x0000000005EC6000-memory.dmp

Filesize
408KB

Download
memory/2648-123-0x0000000005ED0000-0x0000000006227000-memory.dmp

Filesize
3.3MB

Download
memory/2648-99-0x0000000004F30000-0x0000000004F66000-memory.dmp

Filesize
216KB

Download
memory/2648-170-0x0000000007970000-0x0000000007985000-memory.dmp

Filesize
84KB

Download
memory/2648-169-0x0000000007960000-0x000000000796E000-memory.dmp

Filesize
56KB

Download
memory/2648-168-0x0000000007920000-0x0000000007931000-memory.dmp

Filesize
68KB

Download
memory/2648-167-0x0000000007990000-0x0000000007A26000-memory.dmp

Filesize
600KB

Download
memory/2648-166-0x0000000007790000-0x000000000779A000-memory.dmp

Filesize
40KB

Download
memory/2648-137-0x00000000063D0000-0x00000000063EE000-memory.dmp

Filesize
120KB

Download
memory/2648-164-0x0000000007D80000-0x00000000083FA000-memory.dmp

Filesize
6.5MB

Download
memory/2648-138-0x0000000006900000-0x000000000694C000-memory.dmp

Filesize
304KB

Download
memory/2648-162-0x0000000007650000-0x00000000076F4000-memory.dmp

Filesize
656KB

Download
memory/2648-161-0x00000000073B0000-0x00000000073CE000-memory.dmp

Filesize
120KB

Download
memory/2648-151-0x0000000007370000-0x00000000073A4000-memory.dmp

Filesize
208KB

Download
memory/2648-152-0x0000000075020000-0x000000007506C000-memory.dmp

Filesize
304KB

Download
memory/2656-182-0x0000000000D40000-0x0000000000D9D000-memory.dmp

Filesize
372KB

Download
memory/3156-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3156-62-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3156-69-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3156-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3156-126-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/3156-68-0x0000000064941000-0x000000006494F000-memory.dmp

Filesize
56KB

Download
memory/3156-134-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3156-131-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/3156-133-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3156-135-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3156-132-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3156-66-0x0000000000DD0000-0x0000000000E5F000-memory.dmp

Filesize
572KB

Download
memory/3156-64-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3156-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3156-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3156-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3156-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3156-74-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3156-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3156-65-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3156-75-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3704-184-0x00007FFFCEB90000-0x00007FFFCEBE7000-memory.dmp

Filesize
348KB

Download
memory/4540-97-0x00000000003B0000-0x00000000003DC000-memory.dmp

Filesize
176KB

Download
memory/4540-108-0x00000000023B0000-0x00000000023D2000-memory.dmp

Filesize
136KB

Download
memory/5020-96-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

Filesize
32KB

Download
memory/5020-183-0x00007FFFCDA60000-0x00007FFFCDAFE000-memory.dmp

Filesize
632KB

Download