add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257

Analysis

max time kernel
149s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 05:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Size

10.0MB
MD5

e8215eecb087ae493e3d60e44c543e1f
SHA1

7a90ffd283b931ac4ba441e8e7c3f1f1f6493a4f
SHA256

add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257
SHA512

ccf6376823724b6f7c2039ed5035052bdcad519b7e19328fb658791c062fdfed27b232fd867b663a648d43548fb86b178c587b690c4ed9907bb07fb85a2a9d24
SSDEEP

196608:ZPchqgbKT9E8kJ2///AsQGdsxMmwhHHlIBD2V9fj43vumWNiFYZJSz2+:ZPcreT7/9hsx6SFm7SvgaY3SzZ

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2352-47-0x00000000002B0000-0x00000000002EE000-memory.dmp	upx
behavioral1/memory/2352-55-0x00000000002B0000-0x00000000002EE000-memory.dmp	upx
behavioral1/memory/2352-53-0x00000000002B0000-0x00000000002EE000-memory.dmp	upx
behavioral1/memory/2352-51-0x00000000002B0000-0x00000000002EE000-memory.dmp	upx
behavioral1/memory/2352-49-0x00000000002B0000-0x00000000002EE000-memory.dmp	upx
behavioral1/memory/2352-45-0x00000000002B0000-0x00000000002EE000-memory.dmp	upx
behavioral1/memory/2352-43-0x00000000002B0000-0x00000000002EE000-memory.dmp	upx
behavioral1/memory/2352-41-0x00000000002B0000-0x00000000002EE000-memory.dmp	upx
behavioral1/memory/2352-39-0x00000000002B0000-0x00000000002EE000-memory.dmp	upx
behavioral1/memory/2352-35-0x00000000002B0000-0x00000000002EE000-memory.dmp	upx
behavioral1/memory/2352-33-0x00000000002B0000-0x00000000002EE000-memory.dmp	upx
behavioral1/memory/2352-31-0x00000000002B0000-0x00000000002EE000-memory.dmp	upx
behavioral1/memory/2352-29-0x00000000002B0000-0x00000000002EE000-memory.dmp	upx
behavioral1/memory/2352-27-0x00000000002B0000-0x00000000002EE000-memory.dmp	upx
behavioral1/memory/2352-25-0x00000000002B0000-0x00000000002EE000-memory.dmp	upx
behavioral1/memory/2352-23-0x00000000002B0000-0x00000000002EE000-memory.dmp	upx
behavioral1/memory/2352-21-0x00000000002B0000-0x00000000002EE000-memory.dmp	upx
behavioral1/memory/2352-19-0x00000000002B0000-0x00000000002EE000-memory.dmp	upx
behavioral1/memory/2352-17-0x00000000002B0000-0x00000000002EE000-memory.dmp	upx
behavioral1/memory/2352-15-0x00000000002B0000-0x00000000002EE000-memory.dmp	upx
behavioral1/memory/2352-14-0x00000000002B0000-0x00000000002EE000-memory.dmp	upx
behavioral1/memory/2352-13-0x00000000002B0000-0x00000000002EE000-memory.dmp	upx
behavioral1/memory/2352-37-0x00000000002B0000-0x00000000002EE000-memory.dmp	upx
behavioral1/memory/1720-109-0x0000000000370000-0x00000000003AE000-memory.dmp	upx
behavioral1/memory/1720-107-0x0000000000370000-0x00000000003AE000-memory.dmp	upx
behavioral1/memory/1720-105-0x0000000000370000-0x00000000003AE000-memory.dmp	upx
behavioral1/memory/1720-103-0x0000000000370000-0x00000000003AE000-memory.dmp	upx
behavioral1/memory/1720-101-0x0000000000370000-0x00000000003AE000-memory.dmp	upx
behavioral1/memory/1720-99-0x0000000000370000-0x00000000003AE000-memory.dmp	upx
behavioral1/memory/1720-98-0x0000000000370000-0x00000000003AE000-memory.dmp	upx
behavioral1/memory/1720-97-0x0000000000370000-0x00000000003AE000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sysqs.dll	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MultiGame.dll	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
File created	C:\Windows\MultiGame.dll	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
File opened for modification	C:\Windows\MultiGame.dll	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
File created	C:\Windows\MultiGame.dll	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
File created	C:\Windows\MultiGame.dll	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
File opened for modification	C:\Windows\MultiGame.dll	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
File created	C:\Windows\MultiGame.dll	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
File opened for modification	C:\Windows\MultiGame.dll	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
File created	C:\Windows\MultiGame.dll	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
File created	C:\Windows\MultiGame.dll	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
File opened for modification	C:\Windows\MultiGame.dll	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
File opened for modification	C:\Windows\MultiGame.dll	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
1720	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
1720	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
1720	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
1720	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
1720	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
1720	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
1720	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
1720	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2168	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2168	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2168	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2168	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2168	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2168	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2168	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2168	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
880	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
880	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
880	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
880	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
880	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
880	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
880	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
880	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2916	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2916	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2916	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2916	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2916	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2916	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2916	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2916	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
840	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
840	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
840	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
840	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
840	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
840	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
840	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
840	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeDebugPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeDebugPrivilege	1720	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeDebugPrivilege	1720	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: 33	1720	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
Token: SeIncBasePriorityPrivilege	1720	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
1720	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
1720	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
1720	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
1720	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2168	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2168	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2168	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2168	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
880	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
880	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
880	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
880	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2916	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2916	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2916	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
2916	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
840	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
840	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
840	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
840	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 1720	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe	33
PID 2352 wrote to memory of 1720	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe	33
PID 2352 wrote to memory of 1720	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe	33
PID 2352 wrote to memory of 1720	2352	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe	33
PID 1720 wrote to memory of 2168	1720	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe	35
PID 1720 wrote to memory of 2168	1720	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe	35
PID 1720 wrote to memory of 2168	1720	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe	35
PID 1720 wrote to memory of 2168	1720	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe	35
PID 2168 wrote to memory of 880	2168	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe	37
PID 2168 wrote to memory of 880	2168	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe	37
PID 2168 wrote to memory of 880	2168	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe	37
PID 2168 wrote to memory of 880	2168	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe	37
PID 880 wrote to memory of 2916	880	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe	39
PID 880 wrote to memory of 2916	880	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe	39
PID 880 wrote to memory of 2916	880	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe	39
PID 880 wrote to memory of 2916	880	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe	39
PID 2916 wrote to memory of 840	2916	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe	41
PID 2916 wrote to memory of 840	2916	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe	41
PID 2916 wrote to memory of 840	2916	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe	41
PID 2916 wrote to memory of 840	2916	add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe	41

C:\Users\Admin\AppData\Local\Temp\add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
"C:\Users\Admin\AppData\Local\Temp\add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
  C:\Users\Admin\AppData\Local\Temp\add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Users\Admin\AppData\Local\Temp\add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
    C:\Users\Admin\AppData\Local\Temp\add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Users\Admin\AppData\Local\Temp\add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
      C:\Users\Admin\AppData\Local\Temp\add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:880
    - - C:\Users\Admin\AppData\Local\Temp\add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
        
        C:\Users\Admin\AppData\Local\Temp\add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2916
      - C:\Users\Admin\AppData\Local\Temp\add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
        
        C:\Users\Admin\AppData\Local\Temp\add00a82bea2d25bbf6bf8201b5cfd39af0bbc44352061b2eee437882e1c5257.exe
        6⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5DC9.tmp

Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DDA.tmp

Filesize
813KB

MD5
5e0db2d8b2750543cd2ebb9ea8e6cdd3

SHA1
8b997b38e179cd03c0a2e87bddbc1ebca39a8630

SHA256
01eb95fa3943cf3c6b1a21e473a5c3cb9fcbce46913b15c96cac14e4f04075b4

SHA512
38a2064f7a740feb6dba46d57998140f16da7b9302bfe217a24d593220c2340f854645d05993aac6b7ecf819b5c09e062c5c81ba29f79d919ae518e6de071716

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DDB.tmp

Filesize
304KB

MD5
d6d3ad7bf1d6f6ce9547613ed5e170a2

SHA1
6a20fe18619dc46e379c42f12ed761749053cbf9

SHA256
ea3bd7fec193a8cfe1d5736301acadc476fb6aac5475a45776d0a638e9845445

SHA512
2b900118d582eb8bba1612c67909bda97b2cd8755a00de1135c2809ab65385523a2f1c74eff7b37fc4ada585decfab2febbab9247d46038787a9ac786747c222

Download Submit
C:\Users\Admin\Desktop\Qs-¿ì½Ý·½Ê½.lnk

Filesize
1KB

MD5
aadeb087ae055e07dc7e8f33ccd1a261

SHA1
822bc3d203b333d720904e4499cb354557d36050

SHA256
d545f81968872c5945ebd9471ec6c83b5d1adcab3a9658941ae047f8a4329d27

SHA512
32cca95d4d26355ff561e5a0ad61ac9ec9f0eccad91aeb7d5f2b2ac5aac113bea042d10e6f782bb443e34aa02bab2a74a265c814dab4b5c7e46e49aca74dae10

Download Submit
C:\Users\Admin\Desktop\Qs-¿ì½Ý·½Ê½.lnk

Filesize
1KB

MD5
84bca55e0f6a45904725d0f186cfbec4

SHA1
0c4c0f2073806d70f0fe08d75aa3c85aad9acd16

SHA256
5f0203108671b34787c587a01c082671ffc880ca05a48e7caaee4b5cced3c414

SHA512
8b1509c926a125721f95c07efd9796fd0ee653a7a0136b8ed8647db51ac8f0f1d582a10d9418a1fe0617e81acb53570b82e52bfa9b009f9110e142ea37699669

Download Submit
C:\Users\Admin\Desktop\Qs-¿ì½Ý·½Ê½.lnk

Filesize
1KB

MD5
613d4e10cd32b460e76dc344244e1228

SHA1
4de4aacd30bbf4b01038b8ceaea287a5e236c6fd

SHA256
ea0822d30f446d2b56305655856d6c6e9270bcbc88c999828c8f4a7cc8cf513c

SHA512
026c39292f8001999e3203b4ce136d618712baea88defe82bef204fabc6984d59601c6b183d327047ddbb0be7b423c09e6d32d39534750a544f4f656772b086e

Download Submit
C:\Windows\MultiGame.dll

Filesize
155KB

MD5
e81487a471f97460148649350f875f84

SHA1
e2d0287ec204e3d499b7d27988bc8a55e69d338e

SHA256
96e89726f45eb75958bd4c4f508ef38336da83eca64993d39c9335600525a20d

SHA512
9032636dd2bfb75c20deb14ad3a4e2e25e8acfa72f6830c779e759e15d7c0e0acc649bf157500917b01dd60aecd58f6ee2e055dfeea5022829cd757e5241f7d7

Download Submit
memory/1720-84-0x0000000000400000-0x0000000001A6C000-memory.dmp

Filesize
22.4MB

Download
memory/1720-97-0x0000000000370000-0x00000000003AE000-memory.dmp

Filesize
248KB

Download
memory/1720-98-0x0000000000370000-0x00000000003AE000-memory.dmp

Filesize
248KB

Download
memory/1720-99-0x0000000000370000-0x00000000003AE000-memory.dmp

Filesize
248KB

Download
memory/1720-101-0x0000000000370000-0x00000000003AE000-memory.dmp

Filesize
248KB

Download
memory/1720-103-0x0000000000370000-0x00000000003AE000-memory.dmp

Filesize
248KB

Download
memory/1720-105-0x0000000000370000-0x00000000003AE000-memory.dmp

Filesize
248KB

Download
memory/1720-107-0x0000000000370000-0x00000000003AE000-memory.dmp

Filesize
248KB

Download
memory/1720-109-0x0000000000370000-0x00000000003AE000-memory.dmp

Filesize
248KB

Download
memory/2352-35-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2352-71-0x0000000000400000-0x0000000001A6C000-memory.dmp

Filesize
22.4MB

Download
memory/2352-27-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2352-60-0x0000000000400000-0x0000000001A6C000-memory.dmp

Filesize
22.4MB

Download
memory/2352-25-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2352-61-0x0000000000400000-0x0000000001A6C000-memory.dmp

Filesize
22.4MB

Download
memory/2352-23-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2352-21-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2352-19-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2352-17-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2352-15-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2352-14-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2352-13-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2352-37-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2352-62-0x0000000000400000-0x0000000001A6C000-memory.dmp

Filesize
22.4MB

Download
memory/2352-63-0x0000000000400000-0x0000000001A6C000-memory.dmp

Filesize
22.4MB

Download
memory/2352-64-0x0000000000400000-0x0000000001A6C000-memory.dmp

Filesize
22.4MB

Download
memory/2352-65-0x0000000000400000-0x0000000001A6C000-memory.dmp

Filesize
22.4MB

Download
memory/2352-66-0x0000000000400000-0x0000000001A6C000-memory.dmp

Filesize
22.4MB

Download
memory/2352-67-0x0000000000400000-0x0000000001A6C000-memory.dmp

Filesize
22.4MB

Download
memory/2352-68-0x0000000000400000-0x0000000001A6C000-memory.dmp

Filesize
22.4MB

Download
memory/2352-69-0x0000000000400000-0x0000000001A6C000-memory.dmp

Filesize
22.4MB

Download
memory/2352-70-0x0000000000400000-0x0000000001A6C000-memory.dmp

Filesize
22.4MB

Download
memory/2352-29-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2352-72-0x0000000000400000-0x0000000001A6C000-memory.dmp

Filesize
22.4MB

Download
memory/2352-73-0x0000000000400000-0x0000000001A6C000-memory.dmp

Filesize
22.4MB

Download
memory/2352-81-0x0000000000BD4000-0x000000000106A000-memory.dmp

Filesize
4.6MB

Download
memory/2352-82-0x0000000074390000-0x00000000743BB000-memory.dmp

Filesize
172KB

Download
memory/2352-31-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2352-33-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2352-0-0x0000000000400000-0x0000000001A6C000-memory.dmp

Filesize
22.4MB

Download
memory/2352-59-0x0000000000400000-0x0000000001A6C000-memory.dmp

Filesize
22.4MB

Download
memory/2352-39-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2352-41-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2352-43-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2352-45-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2352-58-0x0000000000400000-0x0000000001A6C000-memory.dmp

Filesize
22.4MB

Download
memory/2352-49-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2352-142-0x0000000000400000-0x0000000001A6C000-memory.dmp

Filesize
22.4MB

Download
memory/2352-57-0x0000000000400000-0x0000000001A6C000-memory.dmp

Filesize
22.4MB

Download
memory/2352-51-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2352-56-0x0000000000400000-0x0000000001A6C000-memory.dmp

Filesize
22.4MB

Download
memory/2352-53-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2352-55-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2352-47-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2352-3-0x0000000000BD4000-0x000000000106A000-memory.dmp

Filesize
4.6MB

Download