dde8be8cfce8301a87107099347143c29ddc7b273a59a529c020fa2cbeb66904

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2024 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C-ZoneGameInstaller.exe
Size

23KB
MD5

dbad973310fb77b49527f4cfda70d1a8
SHA1

208fd27c5431722ad089f06dd6d9afde2730e6a2
SHA256

716f6163165431c7fa4cae847071d696732ed8d195d128f826d12f618c3e8652
SHA512

d5e073f85b06b4746d6370aa99857a20c389affc2b762e1846ca534896b3b64feaf236231d25c7974cfee4cbb2791e7beba2bc66f7b04550b0673df75c0a16f0
SSDEEP

384:DL0IwpSIdpr1pATdaLi0uhPLTund791sICJbt5j8KoQrJHKTV:H0ITyzRfuIdPcKR

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	C-ZoneGameInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12428	dwm.exe
Token: SeChangeNotifyPrivilege	12428	dwm.exe
Token: 33	12428	dwm.exe
Token: SeIncBasePriorityPrivilege	12428	dwm.exe
Token: SeShutdownPrivilege	12428	dwm.exe
Token: SeCreatePagefilePrivilege	12428	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2680	2748	C-ZoneGameInstaller.exe	84
PID 2748 wrote to memory of 2680	2748	C-ZoneGameInstaller.exe	84
PID 2680 wrote to memory of 2996	2680	cmd.exe	86
PID 2680 wrote to memory of 2996	2680	cmd.exe	86
PID 2680 wrote to memory of 2732	2680	cmd.exe	88
PID 2680 wrote to memory of 2732	2680	cmd.exe	88
PID 2680 wrote to memory of 2028	2680	cmd.exe	90
PID 2680 wrote to memory of 2028	2680	cmd.exe	90
PID 2680 wrote to memory of 3476	2680	cmd.exe	92
PID 2680 wrote to memory of 3476	2680	cmd.exe	92
PID 2680 wrote to memory of 4380	2680	cmd.exe	94
PID 2680 wrote to memory of 4380	2680	cmd.exe	94
PID 2680 wrote to memory of 2676	2680	cmd.exe	96
PID 2680 wrote to memory of 2676	2680	cmd.exe	96
PID 2680 wrote to memory of 4984	2680	cmd.exe	98
PID 2680 wrote to memory of 4984	2680	cmd.exe	98
PID 2680 wrote to memory of 3156	2680	cmd.exe	100
PID 2680 wrote to memory of 3156	2680	cmd.exe	100
PID 2680 wrote to memory of 2976	2680	cmd.exe	102
PID 2680 wrote to memory of 2976	2680	cmd.exe	102
PID 2680 wrote to memory of 5028	2680	cmd.exe	104
PID 2680 wrote to memory of 5028	2680	cmd.exe	104
PID 2680 wrote to memory of 828	2680	cmd.exe	106
PID 2680 wrote to memory of 828	2680	cmd.exe	106
PID 2680 wrote to memory of 2136	2680	cmd.exe	108
PID 2680 wrote to memory of 2136	2680	cmd.exe	108
PID 2680 wrote to memory of 4732	2680	cmd.exe	110
PID 2680 wrote to memory of 4732	2680	cmd.exe	110
PID 2680 wrote to memory of 3536	2680	cmd.exe	112
PID 2680 wrote to memory of 3536	2680	cmd.exe	112
PID 2680 wrote to memory of 2216	2680	cmd.exe	114
PID 2680 wrote to memory of 2216	2680	cmd.exe	114
PID 2680 wrote to memory of 2616	2680	cmd.exe	116
PID 2680 wrote to memory of 2616	2680	cmd.exe	116
PID 2680 wrote to memory of 3576	2680	cmd.exe	118
PID 2680 wrote to memory of 3576	2680	cmd.exe	118
PID 2680 wrote to memory of 672	2680	cmd.exe	120
PID 2680 wrote to memory of 672	2680	cmd.exe	120
PID 2680 wrote to memory of 4824	2680	cmd.exe	122
PID 2680 wrote to memory of 4824	2680	cmd.exe	122
PID 2680 wrote to memory of 2272	2680	cmd.exe	124
PID 2680 wrote to memory of 2272	2680	cmd.exe	124
PID 2680 wrote to memory of 2296	2680	cmd.exe	125
PID 2680 wrote to memory of 2296	2680	cmd.exe	125
PID 2680 wrote to memory of 232	2680	cmd.exe	128
PID 2680 wrote to memory of 232	2680	cmd.exe	128
PID 2680 wrote to memory of 2832	2680	cmd.exe	130
PID 2680 wrote to memory of 2832	2680	cmd.exe	130
PID 2680 wrote to memory of 748	2680	cmd.exe	131
PID 2680 wrote to memory of 748	2680	cmd.exe	131
PID 2680 wrote to memory of 4736	2680	cmd.exe	134
PID 2680 wrote to memory of 4736	2680	cmd.exe	134
PID 2680 wrote to memory of 4908	2680	cmd.exe	136
PID 2680 wrote to memory of 4908	2680	cmd.exe	136
PID 2680 wrote to memory of 2052	2680	cmd.exe	138
PID 2680 wrote to memory of 2052	2680	cmd.exe	138
PID 2680 wrote to memory of 1324	2680	cmd.exe	140
PID 2680 wrote to memory of 1324	2680	cmd.exe	140
PID 2680 wrote to memory of 3328	2680	cmd.exe	142
PID 2680 wrote to memory of 3328	2680	cmd.exe	142
PID 2680 wrote to memory of 4216	2680	cmd.exe	144
PID 2680 wrote to memory of 4216	2680	cmd.exe	144
PID 2680 wrote to memory of 808	2680	cmd.exe	145
PID 2680 wrote to memory of 808	2680	cmd.exe	145

C:\Users\Admin\AppData\Local\Temp\C-ZoneGameInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\C-ZoneGameInstaller.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:2996
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:2732
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:2028
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:3476
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:4380
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:2676
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:4984
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:3156
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:2976
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5028
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:828
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:2136
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:4732
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:3536
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:2216
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:2616
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:3576
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:672
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:4824
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:2272
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:2296
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:232
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:2832
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:748
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:4736
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:4908
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:2052
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1324
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:3328
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:4216
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:808
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:592
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:4548
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:2408
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1196
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1868
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:4304
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:3896
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:3368
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1352
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:4200
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:3604
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:4848
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:4104
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:4308
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5076
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5236
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5264
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5272
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5280
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5416
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5444
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5492
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5500
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5544
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5656
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5672
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5680
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5688
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5712
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5740
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5764
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5784
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6024
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6040
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6060
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6068
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5724
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5828
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6152
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6168
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6276
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6284
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6308
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6316
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6364
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6456
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6476
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6588
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6612
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6632
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6656
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6664
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6692
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6856
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6880
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6888
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6988
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6996
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:7004
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:7048
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:7068
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:7076
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:7088
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:7096
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:7104
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:7112
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:7136
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:7144
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:7160
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6628
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:7024
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:7172
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:7208
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:7236
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:7284
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:7736
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:7768
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:7796
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:7872
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:7900
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:7916
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8004
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8032
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8092
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8108
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8124
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:6904
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:7928
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8156
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8204
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8212
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8236
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8244
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8436
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8460
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8468
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8488
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8536
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8544
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8560
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8596
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8796
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8812
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8820
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8828
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8844
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8852
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8868
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8876
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8904
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8912
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8920
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8944
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8968
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:8976
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:9008
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:9060
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:9076
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:9100
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:9368
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:9500
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:9528
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:9536
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:9560
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:9576
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:9600
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:9608
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:9624
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:9648
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:9656
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:9700
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:9720
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:9796
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:10072
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:10080
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:10096
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:10140
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:10208
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:10232
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:10260
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:10268
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:10292
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:10312
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:10364
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:10484
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:10500
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:10528
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:10536
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:10544
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:10552
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:10568
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:10620
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:10628
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:10636
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:10712
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:10744
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:10776
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:10816
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11152
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11168
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11184
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11224
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11256
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:10288
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11272
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11288
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11296
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11304
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11312
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11344
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11352
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11360
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11368
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11400
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11416
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11808
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11824
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11832
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11856
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11888
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11924
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11948
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11972
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:12012
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:12028
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11284
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11324
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:4928
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:11980
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:12068

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cmd.bat

Filesize
6KB

MD5
5572cd18ed7a535ad28f4960b7115f53

SHA1
5440e150f6c01f10e8e7a0b2eb75a3902bb50426

SHA256
9189a73e275c78ac67e653bbabb1b5950c9910ba5e43ac72fce038da1098fcbd

SHA512
0bb93d7b57d160bd7b9ae39f8f89a2978aef48979a917953998a9c64768372d04c126efcfa6ab684fc04d291fc7df92ff302cd319422e11d2c7f1046a9fdd22b

Download Submit
memory/2748-0-0x00007FFD378A3000-0x00007FFD378A5000-memory.dmp

Filesize
8KB

Download
memory/2748-1-0x0000000000F10000-0x0000000000F1C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads