ec6aebaf897b7513438d0a9e948faa76074e04a0c4cf9921c8c7ae6c1895d13e

Analysis

max time kernel
112s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-09-2024 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50a07b7dc7fce2caf921093b5017e6b0N.exe
Size

170KB
MD5

50a07b7dc7fce2caf921093b5017e6b0
SHA1

3a8fa404134394ce3a17e1ed41d3fafe243462da
SHA256

ec6aebaf897b7513438d0a9e948faa76074e04a0c4cf9921c8c7ae6c1895d13e
SHA512

4176776c68fcf05112eccb45f19ecc330dd91e8ea2113846d3a12c00ef1e5a7dcd3f9e32bc4be2a2b83cd3278c6bb5c762d405573a418073151c780a7dade306
SSDEEP

3072:KJpOm5axh63laEo+pXX1pQD2UCohD8mxLCj+5cmeDye42L712xrpdJ8xLeb7Ux:MAm5oh63laEo+pXX1pkF8mxeq5+4m71t

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2948	nlcmt.exe
2656	nlcmt.exe
1732	nlcmt.exe
2344	nlcmt.exe
284	nlcmt.exe
2448	cwrss.exe

Loads dropped DLL 9 IoCs

pid	Process
2824	50a07b7dc7fce2caf921093b5017e6b0N.exe
2824	50a07b7dc7fce2caf921093b5017e6b0N.exe
2824	50a07b7dc7fce2caf921093b5017e6b0N.exe
2824	50a07b7dc7fce2caf921093b5017e6b0N.exe
2656	nlcmt.exe
2948	nlcmt.exe
2948	nlcmt.exe
284	nlcmt.exe
284	nlcmt.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\o:	nlcmt.exe
File opened (read-only)	\??\y:	nlcmt.exe
File opened (read-only)	\??\T:	nlcmt.exe
File opened (read-only)	\??\G:	nlcmt.exe
File opened (read-only)	\??\K:	nlcmt.exe
File opened (read-only)	\??\G:	cwrss.exe
File opened (read-only)	\??\X:	cwrss.exe
File opened (read-only)	\??\R:	50a07b7dc7fce2caf921093b5017e6b0N.exe
File opened (read-only)	\??\M:	nlcmt.exe
File opened (read-only)	\??\E:	nlcmt.exe
File opened (read-only)	\??\R:	nlcmt.exe
File opened (read-only)	\??\p:	nlcmt.exe
File opened (read-only)	\??\M:	cwrss.exe
File opened (read-only)	\??\Z:	cwrss.exe
File opened (read-only)	\??\A:	nlcmt.exe
File opened (read-only)	\??\U:	nlcmt.exe
File opened (read-only)	\??\Z:	nlcmt.exe
File opened (read-only)	\??\H:	nlcmt.exe
File opened (read-only)	\??\w:	nlcmt.exe
File opened (read-only)	\??\K:	50a07b7dc7fce2caf921093b5017e6b0N.exe
File opened (read-only)	\??\G:	nlcmt.exe
File opened (read-only)	\??\I:	nlcmt.exe
File opened (read-only)	\??\W:	nlcmt.exe
File opened (read-only)	\??\g:	nlcmt.exe
File opened (read-only)	\??\O:	nlcmt.exe
File opened (read-only)	\??\T:	nlcmt.exe
File opened (read-only)	\??\b:	nlcmt.exe
File opened (read-only)	\??\e:	cwrss.exe
File opened (read-only)	\??\u:	nlcmt.exe
File opened (read-only)	\??\n:	cwrss.exe
File opened (read-only)	\??\a:	nlcmt.exe
File opened (read-only)	\??\b:	cwrss.exe
File opened (read-only)	\??\v:	nlcmt.exe
File opened (read-only)	\??\W:	nlcmt.exe
File opened (read-only)	\??\j:	cwrss.exe
File opened (read-only)	\??\S:	nlcmt.exe
File opened (read-only)	\??\I:	nlcmt.exe
File opened (read-only)	\??\m:	nlcmt.exe
File opened (read-only)	\??\l:	nlcmt.exe
File opened (read-only)	\??\o:	nlcmt.exe
File opened (read-only)	\??\O:	nlcmt.exe
File opened (read-only)	\??\S:	nlcmt.exe
File opened (read-only)	\??\K:	cwrss.exe
File opened (read-only)	\??\P:	nlcmt.exe
File opened (read-only)	\??\G:	nlcmt.exe
File opened (read-only)	\??\T:	nlcmt.exe
File opened (read-only)	\??\k:	nlcmt.exe
File opened (read-only)	\??\s:	nlcmt.exe
File opened (read-only)	\??\P:	50a07b7dc7fce2caf921093b5017e6b0N.exe
File opened (read-only)	\??\B:	nlcmt.exe
File opened (read-only)	\??\h:	cwrss.exe
File opened (read-only)	\??\u:	cwrss.exe
File opened (read-only)	\??\V:	nlcmt.exe
File opened (read-only)	\??\V:	cwrss.exe
File opened (read-only)	\??\q:	cwrss.exe
File opened (read-only)	\??\r:	cwrss.exe
File opened (read-only)	\??\X:	nlcmt.exe
File opened (read-only)	\??\X:	nlcmt.exe
File opened (read-only)	\??\R:	cwrss.exe
File opened (read-only)	\??\S:	cwrss.exe
File opened (read-only)	\??\y:	cwrss.exe
File opened (read-only)	\??\E:	50a07b7dc7fce2caf921093b5017e6b0N.exe
File opened (read-only)	\??\U:	50a07b7dc7fce2caf921093b5017e6b0N.exe
File opened (read-only)	\??\Y:	nlcmt.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	icanhazip.com

Maps connected drives based on registry 3 TTPs 14 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	nlcmt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	cwrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	nlcmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	nlcmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	nlcmt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	nlcmt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	nlcmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cwrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	nlcmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	nlcmt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	nlcmt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	nlcmt.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\GA6XLRVP.txt	cwrss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\GA6XLRVP.txt	cwrss.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GSE84WY0.txt	cwrss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	cwrss.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nlcmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nlcmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nlcmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nlcmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cwrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nlcmt.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-84-2a-56-18-45\WpadDecisionTime = 80cdc42dd0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{975E74F0-6DFD-44E5-B979-B23749EEE7CB}\WpadDecisionTime = 80db212cd0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000011000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{975E74F0-6DFD-44E5-B979-B23749EEE7CB}\WpadDecisionTime = c020f140d0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{975E74F0-6DFD-44E5-B979-B23749EEE7CB}\WpadDecisionTime = a0832353d0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{975E74F0-6DFD-44E5-B979-B23749EEE7CB}\WpadDecisionTime = 80e3f540d0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{975E74F0-6DFD-44E5-B979-B23749EEE7CB}\WpadDecisionTime = a0b72d42d0feda01	cwrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	cwrss.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{975E74F0-6DFD-44E5-B979-B23749EEE7CB}	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-84-2a-56-18-45\WpadDecisionTime = 20a0d72fd0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000a000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000017000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-84-2a-56-18-45\WpadDecisionTime = 206cc22dd0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-84-2a-56-18-45\WpadDecisionTime = e070392ed0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000060000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-84-2a-56-18-45\WpadDecisionTime = 00193042d0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{975E74F0-6DFD-44E5-B979-B23749EEE7CB}\WpadDecisionTime = 80891215d0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-84-2a-56-18-45\WpadDecisionTime = 80891215d0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000025000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000044000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-84-2a-56-18-45\WpadDecisionTime = e0d62e2dd0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{975E74F0-6DFD-44E5-B979-B23749EEE7CB}\WpadDecisionTime = 2035632dd0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-84-2a-56-18-45\WpadDecisionTime = e039e540d0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-84-2a-56-18-45\WpadDecisionTime = 80932642d0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{975E74F0-6DFD-44E5-B979-B23749EEE7CB}\WpadDecisionTime = 206cc22dd0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{975E74F0-6DFD-44E5-B979-B23749EEE7CB}\WpadDecisionTime = 00edd82ed0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{975E74F0-6DFD-44E5-B979-B23749EEE7CB}\WpadDecisionTime = c0fc622fd0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000012000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-84-2a-56-18-45\WpadDecisionTime = c0a72a53d0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-84-2a-56-18-45\WpadDecisionTime = 80d8e240d0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000003c000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{975E74F0-6DFD-44E5-B979-B23749EEE7CB}\fe-84-2a-56-18-45	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-84-2a-56-18-45\WpadDecisionTime = 40e0982cd0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000015000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{975E74F0-6DFD-44E5-B979-B23749EEE7CB}\WpadDecisionTime = e070392ed0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-84-2a-56-18-45\WpadDecisionTime = e09fcf2cd0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-84-2a-56-18-45\WpadDecisionTime = 8046962ed0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000043000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-84-2a-56-18-45\WpadDecisionTime = a0154f2cd0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000001d000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{975E74F0-6DFD-44E5-B979-B23749EEE7CB}\WpadDecisionTime = c0787e2ed0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000023000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{975E74F0-6DFD-44E5-B979-B23749EEE7CB}\WpadDecisionTime = a0c2352fd0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{975E74F0-6DFD-44E5-B979-B23749EEE7CB}\WpadDecisionTime = 208d0641d0feda01	cwrss.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-84-2a-56-18-45\WpadDecision = "0"	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000001f000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000046000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000d000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000003b000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-84-2a-56-18-45\WpadDecisionTime = 40a9392cd0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000009000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-84-2a-56-18-45\WpadDecisionTime = 60674b2dd0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-84-2a-56-18-45\WpadDecisionTime = 2082f340d0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000005e000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{975E74F0-6DFD-44E5-B979-B23749EEE7CB}\WpadDecisionTime = 80d8e240d0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-84-2a-56-18-45\WpadDecisionTime = 80a28213d0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-84-2a-56-18-45\WpadDecisionTime = 00edd82ed0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000002b000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-84-2a-56-18-45\WpadDecisionTime = 009d0930d0feda01	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000004d000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cwrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-84-2a-56-18-45\WpadDecisionTime = 607a3242d0feda01	cwrss.exe

Modifies registry class 62 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dcore\shell\runas\command	50a07b7dc7fce2caf921093b5017e6b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\dcore\DefaultIcon	nlcmt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.exe\ = "dcore"	nlcmt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dcore\shell\runas\command\IsolatedCommand = "\"%1\" %*"	50a07b7dc7fce2caf921093b5017e6b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\DefaultIcon\ = "%1"	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\dcore\shell	nlcmt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	nlcmt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command\ = "\"C:\\ProgramData\\CDRM\\nlcmt.exe\" /START \"%1\" %*"	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\dcore	nlcmt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\dcore\shell\runas\command\IsolatedCommand = "\"%1\" %*"	nlcmt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\CDRM\\nlcmt.exe\" /START \"%1\" %*"	nlcmt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	nlcmt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dcore\shell\open\command\IsolatedCommand = "\"%1\" %*"	50a07b7dc7fce2caf921093b5017e6b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\command\ = "\"%1\" %*"	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\command	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key created	\REGISTRY\MACHINE\Software\Classes\dcore	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dcore\shell\open	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\DefaultIcon	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command	50a07b7dc7fce2caf921093b5017e6b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\dcore\Content-Type = "application/x-msdownload"	nlcmt.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\dcore\shell\open	nlcmt.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\dcore\shell\runas\command	nlcmt.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\dcore\shell\runas	nlcmt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dcore\shell\runas\command\ = "\"%1\" %*"	50a07b7dc7fce2caf921093b5017e6b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\Content-Type = "application/x-msdownload"	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key created	\REGISTRY\MACHINE\Software\Classes\dcore\shell\runas\command	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	50a07b7dc7fce2caf921093b5017e6b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\dcore\ = "Application"	nlcmt.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\dcore\shell\open\command	nlcmt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.exe\DefaultIcon\ = "%1"	nlcmt.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.exe\shell\runas\command	nlcmt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dcore\ = "Application"	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dcore	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key created	\REGISTRY\MACHINE\Software\Classes\dcore\shell\open\command	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key created	\REGISTRY\MACHINE\Software\Classes\dcore\DefaultIcon	50a07b7dc7fce2caf921093b5017e6b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dcore\DefaultIcon\ = "%1"	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.exe\shell\open	nlcmt.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.exe\shell\runas	nlcmt.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\shell\open\command	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open	50a07b7dc7fce2caf921093b5017e6b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\dcore\shell\open\command\IsolatedCommand = "\"%1\" %*"	nlcmt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	nlcmt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dcore\shell\open\command\ = "\"C:\\ProgramData\\CDRM\\nlcmt.exe\" /START \"%1\" %*"	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.exe\shell	nlcmt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "dcore"	50a07b7dc7fce2caf921093b5017e6b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\dcore\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\CDRM\\nlcmt.exe\" /START \"%1\" %*"	nlcmt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\dcore\shell\runas\command\ = "\"%1\" %*"	nlcmt.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.exe	nlcmt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dcore\shell	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe	50a07b7dc7fce2caf921093b5017e6b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	nlcmt.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.exe\DefaultIcon	nlcmt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dcore\shell\runas	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\shell\runas\command	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas	50a07b7dc7fce2caf921093b5017e6b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\dcore\DefaultIcon\ = "%1"	nlcmt.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.exe\shell\open\command	nlcmt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dcore\Content-Type = "application/x-msdownload"	50a07b7dc7fce2caf921093b5017e6b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dcore\shell\open\command	50a07b7dc7fce2caf921093b5017e6b0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2824	50a07b7dc7fce2caf921093b5017e6b0N.exe
2948	nlcmt.exe
2656	nlcmt.exe
1732	nlcmt.exe
2344	nlcmt.exe
284	nlcmt.exe
2344	nlcmt.exe
2448	cwrss.exe
2656	nlcmt.exe
2344	nlcmt.exe
2448	cwrss.exe
2656	nlcmt.exe
2344	nlcmt.exe
2448	cwrss.exe
2656	nlcmt.exe
2344	nlcmt.exe
2448	cwrss.exe
2656	nlcmt.exe
2344	nlcmt.exe
2448	cwrss.exe
2656	nlcmt.exe
2344	nlcmt.exe
2448	cwrss.exe
2656	nlcmt.exe
2344	nlcmt.exe
2448	cwrss.exe
2656	nlcmt.exe
2344	nlcmt.exe
2448	cwrss.exe
2656	nlcmt.exe
2344	nlcmt.exe
2448	cwrss.exe
2656	nlcmt.exe
2344	nlcmt.exe
2448	cwrss.exe
2656	nlcmt.exe
2344	nlcmt.exe
2448	cwrss.exe
2656	nlcmt.exe
2344	nlcmt.exe
2448	cwrss.exe
2656	nlcmt.exe
2344	nlcmt.exe
2448	cwrss.exe
2656	nlcmt.exe
2344	nlcmt.exe
2448	cwrss.exe
2656	nlcmt.exe
2344	nlcmt.exe
2448	cwrss.exe
2656	nlcmt.exe
2344	nlcmt.exe
2448	cwrss.exe
2656	nlcmt.exe
2344	nlcmt.exe
2448	cwrss.exe
2656	nlcmt.exe
2344	nlcmt.exe
2448	cwrss.exe
2656	nlcmt.exe
2344	nlcmt.exe
2448	cwrss.exe
2656	nlcmt.exe
2344	nlcmt.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2824	50a07b7dc7fce2caf921093b5017e6b0N.exe
Token: SeIncBasePriorityPrivilege	2824	50a07b7dc7fce2caf921093b5017e6b0N.exe
Token: SeIncBasePriorityPrivilege	2656	nlcmt.exe
Token: SeIncBasePriorityPrivilege	2948	nlcmt.exe
Token: SeIncBasePriorityPrivilege	284	nlcmt.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2344	nlcmt.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2948	2824	50a07b7dc7fce2caf921093b5017e6b0N.exe	29
PID 2824 wrote to memory of 2948	2824	50a07b7dc7fce2caf921093b5017e6b0N.exe	29
PID 2824 wrote to memory of 2948	2824	50a07b7dc7fce2caf921093b5017e6b0N.exe	29
PID 2824 wrote to memory of 2948	2824	50a07b7dc7fce2caf921093b5017e6b0N.exe	29
PID 2824 wrote to memory of 2656	2824	50a07b7dc7fce2caf921093b5017e6b0N.exe	30
PID 2824 wrote to memory of 2656	2824	50a07b7dc7fce2caf921093b5017e6b0N.exe	30
PID 2824 wrote to memory of 2656	2824	50a07b7dc7fce2caf921093b5017e6b0N.exe	30
PID 2824 wrote to memory of 2656	2824	50a07b7dc7fce2caf921093b5017e6b0N.exe	30
PID 2656 wrote to memory of 1732	2656	nlcmt.exe	31
PID 2656 wrote to memory of 1732	2656	nlcmt.exe	31
PID 2656 wrote to memory of 1732	2656	nlcmt.exe	31
PID 2656 wrote to memory of 1732	2656	nlcmt.exe	31
PID 2948 wrote to memory of 2344	2948	nlcmt.exe	32
PID 2948 wrote to memory of 2344	2948	nlcmt.exe	32
PID 2948 wrote to memory of 2344	2948	nlcmt.exe	32
PID 2948 wrote to memory of 2344	2948	nlcmt.exe	32
PID 284 wrote to memory of 2448	284	nlcmt.exe	34
PID 284 wrote to memory of 2448	284	nlcmt.exe	34
PID 284 wrote to memory of 2448	284	nlcmt.exe	34
PID 284 wrote to memory of 2448	284	nlcmt.exe	34

C:\Users\Admin\AppData\Local\Temp\50a07b7dc7fce2caf921093b5017e6b0N.exe
"C:\Users\Admin\AppData\Local\Temp\50a07b7dc7fce2caf921093b5017e6b0N.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824
- C:\ProgramData\CDRM\nlcmt.exe
  "C:\ProgramData\CDRM\nlcmt.exe" 1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Users\Admin\AppData\Roaming\CDRM\nlcmt.exe
    "C:\Users\Admin\AppData\Roaming\CDRM\nlcmt.exe" 1
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2344
- C:\ProgramData\CDRM\nlcmt.exe
  "C:\ProgramData\CDRM\nlcmt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\ProgramData\CDRM\nlcmt.exe
    "C:\ProgramData\CDRM\nlcmt.exe" 1
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1732

C:\ProgramData\CDRM\nlcmt.exe
C:\ProgramData\CDRM\nlcmt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:284
- C:\ProgramData\NTService0\cwrss.exe
  "C:\ProgramData\NTService0\cwrss.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\56KJ964X\Q905NGKQ.txt

Filesize
14B

MD5
feed726ebc1f03353dbb7c216a8c3d65

SHA1
e13b2684fea4068faef8cd1881c2e9f3a1c0b694

SHA256
299f6464589de6ee619d792fd3714935256a545530fd0a4f8422982b0b24b259

SHA512
7d3f57ff83cbbe4bb57a06399749798a58a15edb29b49ff343825496a1a34a898fadebf866983be287bea2be0f604d0ba7b32847b1d0e0839078c0f36ecf0c0b

Download Submit
\ProgramData\CDRM\nlcmt.exe

Filesize
170KB

MD5
a9a19335d08a0c83a8a82e2a11e0e192

SHA1
b3f68055d337a3d39d47937d299b42b3a3a6d334

SHA256
3439bf5ccea140a11f2f5917a538b73b9ef826a9edfd84e9b2a9614c546ca4b6

SHA512
ecb2715579fcea1042fc2fe1b8b76373589b9404a4745b295906aad9f6172d19ec3bb326a050d16bd50016b598f337feb422f13202aa2694ec8eff5fbeb9690d

Download Submit
\ProgramData\NTService0\cwrss.exe

Filesize
170KB

MD5
ecbab69fb54e03c952d997dc86fc639c

SHA1
bdc5e4c4e306d7e6b33bddc55125a43b38514389

SHA256
eebdfc976f82ee3d226dd02fdb647cfd1d157b01a73afce5584cc37a2f6a9514

SHA512
196c2d52cac4f12d6025c8407dc12b4b8022cb819c4502146d3db9932a230a800a8a8ecf05d9bf65db80696b8f66d00459e6f9b06b570cbc843b3b60ac2372bd

Download Submit
\Users\Admin\AppData\Roaming\CDRM\nlcmt.exe

Filesize
170KB

MD5
15e2750e3fccb49d185fbe320d75bc8e

SHA1
c7e8b83200f906e0223fbcecb51200ba298ef286

SHA256
b9c6385aee843c187939c614892122ff5886b77d67564a108a69f3d8eab7103c

SHA512
16776aa17289f73697486a0829ed526387361707bf866b5b22c043a6d79f749d144a230c1851f982691f0948188c1267252dc62136d7b6aa2b1c62bd6d948adf

Download Submit