gh0strat | 63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-10-2024 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe
Size

7.0MB
MD5

80fc186d5e0d36d61aa30e7806847b37
SHA1

dbfb171d5774306ff5437bdf11405c2d09771b76
SHA256

63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219
SHA512

6e9f7077de1da76e05dff833bd6d8f7558441df91db9bddbe339afad4271a76745618337631ef76b22ba47e81f55c8bfb7e1a941a5aa314043286edbef83e622
SSDEEP

196608:2KXbeO7G9Ghf7Ejo+xyvsLD26vhn2IGJ3:b7GEhio0yI265GJ3

Score

10^/10

gh0strat purplefox discovery persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 6 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/2944-20-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2944-21-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2672-39-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2672-53-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2672-58-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/3068-191-0x0000000010000000-0x000000001019F000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 7 IoCs

resource	yara_rule
behavioral1/files/0x00080000000195c6-6.dat	family_gh0strat
behavioral1/memory/2944-20-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2944-21-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2672-39-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2672-53-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2672-58-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/3068-191-0x0000000010000000-0x000000001019F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatfor.exe
File opened for modification	C:\Windows\system32\drivers\QAssist.sys	sainbox.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\259482203.txt"	R.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatfor.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	sainbox.exe

Executes dropped EXE 31 IoCs

pid	Process
2792	R.exe
2944	N.exe
2848	TXPlatfor.exe
2672	TXPlatfor.exe
2108	HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe
2184	IK_Multimedia_Keygen.exe
1696	S.exe
1872	._cache_IK_Multimedia_Keygen.exe
2760	Remote Data.exe
2400	._cache_S.exe
592	R.exe
2512	R.exe
2380	N.exe
1956	N.exe
2244	TXPlatfor.exe
2324	Synaptics.exe
704	TXPlatfor.exe
1648	TXPlatfor.exe
800	TXPlatfor.exe
108	HD_._cache_IK_Multimedia_Keygen.exe
2340	._cache_Synaptics.exe
2100	R.exe
3068	HD_._cache_S.exe
888	N.exe
2804	TXPlatfor.exe
2668	keygen.exe
2716	TXPlatfor.exe
2252	HD_._cache_Synaptics.exe
612	sainbox.exe
2192	keygen.exe
1412	sainbox.exe

Loads dropped DLL 40 IoCs

pid	Process
2772	63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe
2792	R.exe
2892	svchost.exe
2772	63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe
2848	TXPlatfor.exe
2772	63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe
2772	63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe
2108	HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe
2108	HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe
2108	HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe
2184	IK_Multimedia_Keygen.exe
1696	S.exe
2892	svchost.exe
2184	IK_Multimedia_Keygen.exe
1696	S.exe
2760	Remote Data.exe
1872	._cache_IK_Multimedia_Keygen.exe
2400	._cache_S.exe
2400	._cache_S.exe
1872	._cache_IK_Multimedia_Keygen.exe
2184	IK_Multimedia_Keygen.exe
2184	IK_Multimedia_Keygen.exe
2244	TXPlatfor.exe
1648	TXPlatfor.exe
1872	._cache_IK_Multimedia_Keygen.exe
2324	Synaptics.exe
2324	Synaptics.exe
2340	._cache_Synaptics.exe
2400	._cache_S.exe
2340	._cache_Synaptics.exe
108	HD_._cache_IK_Multimedia_Keygen.exe
108	HD_._cache_IK_Multimedia_Keygen.exe
2668	keygen.exe
2668	keygen.exe
2804	TXPlatfor.exe
2340	._cache_Synaptics.exe
2252	HD_._cache_Synaptics.exe
2252	HD_._cache_Synaptics.exe
2192	keygen.exe
2192	keygen.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	IK_Multimedia_Keygen.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File created	C:\Windows\SysWOW64\sainbox.exe	HD_._cache_S.exe
File opened for modification	C:\Windows\SysWOW64\sainbox.exe	HD_._cache_S.exe
File created	C:\Windows\SysWOW64\259482203.txt	R.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	R.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2944-20-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2944-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2944-21-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2672-39-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/files/0x000600000001a03c-47.dat	upx
behavioral1/memory/2108-51-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2672-53-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2672-58-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2108-72-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TXPlatfor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_._cache_S.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IK_Multimedia_Keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_IK_Multimedia_Keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remote Data.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TXPlatfor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_._cache_IK_Multimedia_Keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sainbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TXPlatfor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sainbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TXPlatfor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_S.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2840	cmd.exe
1552	cmd.exe
960	cmd.exe
1676	PING.EXE
3056	PING.EXE
2132	cmd.exe
2424	PING.EXE
2116	PING.EXE
2660	cmd.exe
2240	PING.EXE

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x000500000001a484-59.dat	nsis_installer_2
behavioral1/files/0x000500000001a49a-177.dat	nsis_installer_1
behavioral1/files/0x000500000001a49a-177.dat	nsis_installer_2
behavioral1/files/0x000500000001a493-181.dat	nsis_installer_2

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	sainbox.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	sainbox.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	sainbox.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	sainbox.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	keygen.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	keygen.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	keygen.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	keygen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	keygen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	keygen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	keygen.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	keygen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	keygen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	keygen.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	keygen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	keygen.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	keygen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	keygen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	keygen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	keygen.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	keygen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	keygen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	keygen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	keygen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	keygen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	keygen.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	keygen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	keygen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	keygen.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	keygen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	keygen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	keygen.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	keygen.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	keygen.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	keygen.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	keygen.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	keygen.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
1676	PING.EXE
2240	PING.EXE
3056	PING.EXE
2424	PING.EXE
2116	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
876	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2772	63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe
2400	._cache_S.exe
1872	._cache_IK_Multimedia_Keygen.exe
2340	._cache_Synaptics.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2668	keygen.exe
2192	keygen.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2672	TXPlatfor.exe
1412	sainbox.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2944	N.exe
Token: SeLoadDriverPrivilege	2672	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2380	N.exe
Token: SeIncBasePriorityPrivilege	1956	N.exe
Token: SeIncBasePriorityPrivilege	888	N.exe
Token: SeIncBasePriorityPrivilege	3068	HD_._cache_S.exe
Token: SeLoadDriverPrivilege	1412	sainbox.exe
Token: 33	2672	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2672	TXPlatfor.exe
Token: 33	1412	sainbox.exe
Token: SeIncBasePriorityPrivilege	1412	sainbox.exe
Token: 33	2672	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2672	TXPlatfor.exe
Token: 33	1412	sainbox.exe
Token: SeIncBasePriorityPrivilege	1412	sainbox.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2772	63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe
2772	63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe
1872	._cache_IK_Multimedia_Keygen.exe
1872	._cache_IK_Multimedia_Keygen.exe
2400	._cache_S.exe
2400	._cache_S.exe
2340	._cache_Synaptics.exe
2340	._cache_Synaptics.exe
876	EXCEL.EXE
2192	keygen.exe
2668	keygen.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2792	2772	63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe	30
PID 2772 wrote to memory of 2792	2772	63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe	30
PID 2772 wrote to memory of 2792	2772	63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe	30
PID 2772 wrote to memory of 2792	2772	63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe	30
PID 2772 wrote to memory of 2944	2772	63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe	33
PID 2772 wrote to memory of 2944	2772	63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe	33
PID 2772 wrote to memory of 2944	2772	63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe	33
PID 2772 wrote to memory of 2944	2772	63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe	33
PID 2772 wrote to memory of 2944	2772	63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe	33
PID 2772 wrote to memory of 2944	2772	63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe	33
PID 2772 wrote to memory of 2944	2772	63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe	33
PID 2944 wrote to memory of 2660	2944	N.exe	35
PID 2944 wrote to memory of 2660	2944	N.exe	35
PID 2944 wrote to memory of 2660	2944	N.exe	35
PID 2944 wrote to memory of 2660	2944	N.exe	35
PID 2848 wrote to memory of 2672	2848	TXPlatfor.exe	36
PID 2848 wrote to memory of 2672	2848	TXPlatfor.exe	36
PID 2848 wrote to memory of 2672	2848	TXPlatfor.exe	36
PID 2848 wrote to memory of 2672	2848	TXPlatfor.exe	36
PID 2848 wrote to memory of 2672	2848	TXPlatfor.exe	36
PID 2848 wrote to memory of 2672	2848	TXPlatfor.exe	36
PID 2848 wrote to memory of 2672	2848	TXPlatfor.exe	36
PID 2772 wrote to memory of 2108	2772	63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe	38
PID 2772 wrote to memory of 2108	2772	63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe	38
PID 2772 wrote to memory of 2108	2772	63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe	38
PID 2772 wrote to memory of 2108	2772	63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe	38
PID 2660 wrote to memory of 1676	2660	cmd.exe	39
PID 2660 wrote to memory of 1676	2660	cmd.exe	39
PID 2660 wrote to memory of 1676	2660	cmd.exe	39
PID 2660 wrote to memory of 1676	2660	cmd.exe	39
PID 2108 wrote to memory of 2184	2108	HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe	40
PID 2108 wrote to memory of 2184	2108	HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe	40
PID 2108 wrote to memory of 2184	2108	HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe	40
PID 2108 wrote to memory of 2184	2108	HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe	40
PID 2108 wrote to memory of 1696	2108	HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe	41
PID 2108 wrote to memory of 1696	2108	HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe	41
PID 2108 wrote to memory of 1696	2108	HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe	41
PID 2108 wrote to memory of 1696	2108	HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe	41
PID 2892 wrote to memory of 2760	2892	svchost.exe	42
PID 2892 wrote to memory of 2760	2892	svchost.exe	42
PID 2892 wrote to memory of 2760	2892	svchost.exe	42
PID 2892 wrote to memory of 2760	2892	svchost.exe	42
PID 2184 wrote to memory of 1872	2184	IK_Multimedia_Keygen.exe	43
PID 2184 wrote to memory of 1872	2184	IK_Multimedia_Keygen.exe	43
PID 2184 wrote to memory of 1872	2184	IK_Multimedia_Keygen.exe	43
PID 2184 wrote to memory of 1872	2184	IK_Multimedia_Keygen.exe	43
PID 1696 wrote to memory of 2400	1696	S.exe	44
PID 1696 wrote to memory of 2400	1696	S.exe	44
PID 1696 wrote to memory of 2400	1696	S.exe	44
PID 1696 wrote to memory of 2400	1696	S.exe	44
PID 1872 wrote to memory of 592	1872	._cache_IK_Multimedia_Keygen.exe	45
PID 1872 wrote to memory of 592	1872	._cache_IK_Multimedia_Keygen.exe	45
PID 1872 wrote to memory of 592	1872	._cache_IK_Multimedia_Keygen.exe	45
PID 1872 wrote to memory of 592	1872	._cache_IK_Multimedia_Keygen.exe	45
PID 2400 wrote to memory of 2512	2400	._cache_S.exe	46
PID 2400 wrote to memory of 2512	2400	._cache_S.exe	46
PID 2400 wrote to memory of 2512	2400	._cache_S.exe	46
PID 2400 wrote to memory of 2512	2400	._cache_S.exe	46
PID 2400 wrote to memory of 2380	2400	._cache_S.exe	47
PID 2400 wrote to memory of 2380	2400	._cache_S.exe	47
PID 2400 wrote to memory of 2380	2400	._cache_S.exe	47
PID 2400 wrote to memory of 2380	2400	._cache_S.exe	47
PID 2400 wrote to memory of 2380	2400	._cache_S.exe	47
PID 2400 wrote to memory of 2380	2400	._cache_S.exe	47

C:\Users\Admin\AppData\Local\Temp\63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe
"C:\Users\Admin\AppData\Local\Temp\63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\Temp\R.exe
  C:\Users\Admin\AppData\Local\Temp\\R.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\N.exe
  C:\Users\Admin\AppData\Local\Temp\\N.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1676
- C:\Users\Admin\AppData\Local\Temp\HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe
  C:\Users\Admin\AppData\Local\Temp\HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\Temp\IK_Multimedia_Keygen.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp\IK_Multimedia_Keygen.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\._cache_IK_Multimedia_Keygen.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_IK_Multimedia_Keygen.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1872
    - - C:\Users\Admin\AppData\Local\Temp\R.exe
        
        C:\Users\Admin\AppData\Local\Temp\\R.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:592
    - - C:\Users\Admin\AppData\Local\Temp\N.exe
        
        C:\Users\Admin\AppData\Local\Temp\\N.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2240
    - - C:\Users\Admin\AppData\Local\Temp\HD_._cache_IK_Multimedia_Keygen.exe
        
        C:\Users\Admin\AppData\Local\Temp\HD_._cache_IK_Multimedia_Keygen.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:108
      - C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:2668
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2324
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2340
      - C:\Users\Admin\AppData\Local\Temp\R.exe
        
        C:\Users\Admin\AppData\Local\Temp\\R.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2100
      - C:\Users\Admin\AppData\Local\Temp\N.exe
        
        C:\Users\Admin\AppData\Local\Temp\\N.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2424
      - C:\Users\Admin\AppData\Local\Temp\HD_._cache_Synaptics.exe
        
        C:\Users\Admin\AppData\Local\Temp\HD_._cache_Synaptics.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:2192
- - C:\Users\Admin\AppData\Local\Temp\Temp\S.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp\S.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\._cache_S.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_S.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2400
    - - C:\Users\Admin\AppData\Local\Temp\R.exe
        
        C:\Users\Admin\AppData\Local\Temp\\R.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2512
    - - C:\Users\Admin\AppData\Local\Temp\N.exe
        
        C:\Users\Admin\AppData\Local\Temp\\N.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:960
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2116
    - - C:\Users\Admin\AppData\Local\Temp\HD_._cache_S.exe
        
        C:\Users\Admin\AppData\Local\Temp\HD_._cache_S.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\HD__CA~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3056

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
PID:2936

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\SysWOW64\Remote Data.exe
  "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259482203.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2760

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\TXPlatfor.exe
  C:\Windows\SysWOW64\TXPlatfor.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2672

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2244
- C:\Windows\SysWOW64\TXPlatfor.exe
  C:\Windows\SysWOW64\TXPlatfor.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:704

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1648
- C:\Windows\SysWOW64\TXPlatfor.exe
  C:\Windows\SysWOW64\TXPlatfor.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:800

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:876

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2804
- C:\Windows\SysWOW64\TXPlatfor.exe
  C:\Windows\SysWOW64\TXPlatfor.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:2716

C:\Windows\SysWOW64\sainbox.exe
C:\Windows\SysWOW64\sainbox.exe -auto
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:612
- C:\Windows\SysWOW64\sainbox.exe
  C:\Windows\SysWOW64\sainbox.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\._cache_S.exe

Filesize
3.8MB

MD5
cf523a51798ea37faf7c3e08e9bcc3ba

SHA1
89ad48c34eb3567c164c76b9b77166c4646837fd

SHA256
96bb7d7cfb7d64b6b057ed724c60bc26b95a74d10793c5aa3a93bd016463e7ca

SHA512
e32858df3c3fe8dde1a371235d3d42112f65bd2ce42b83b367c3e01e690fcd2d2866aad5e922244b2687601fb0a71cb49bce9c9dbe2cafbc26f85fe5289860ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
3.2MB

MD5
9a3c61df86c424daee504806bb14b49d

SHA1
831cae7baccb88bcc041a43f8a2539b029cc7604

SHA256
d38bccf5f566c87affa25ac6db124e9f26735b42a7ef531b4555a1ed5d9e5688

SHA512
af87fa1246005a515f1405a508db87b59e5c50ccc03a4baf22cbb38c3c1e735c12d5d6f45a356e3025406426da4f3342aeeef5596813d78993e9c213df900627

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_._cache_IK_Multimedia_Keygen.exe

Filesize
547KB

MD5
13e77ef36e4a1d4ef4195c0f6f5101af

SHA1
5e19192dc762b496b68d85ed63a53b0bc10bdf96

SHA256
ba8c443e35e4d3d77b617959636d8f5e268788e8d954db4b83713e6f90709559

SHA512
8967cf035d79f1d319c5cf39dad66650e888221f786f312c96e2afd9247da7c6894d3d21682638cdc9dda40d5646244f54f787f63b2abe7aa94d5c0008c0c2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe

Filesize
4.4MB

MD5
e714b9df7d623016aa19ea43ad488a02

SHA1
6bceb16c3125f82054d55c37b969f12ad31e8170

SHA256
67625ece2bda081b8b918a24148c4344e168801351e7fde79487565d0342cb84

SHA512
bff4a3e129f9749bd9eaecfc17ce4ed2e122baf405aff1960897e33f2b00b50cfa221dd214c923c598f9d7926fa380b9ef7b9644e4ae3ddca74229d42bbadb6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
2.6MB

MD5
dba980e5e11128b1a9e64c5bdff31ed3

SHA1
199a1b39f54c24fa349c50de5856dfd7986e3a83

SHA256
e77c2c396c3e462093dbf27d800cc53efdff8d90142b39039cb868162f5a2326

SHA512
7ae39d12c24331a65f570eaa4db2ce005e214e99507fc96ae5b26c1d6622c2aa0c4ea59472fec6f2fba3ec1f949448bd29d94f4db5e725a5a83c4a726d312777

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
676KB

MD5
e7347f21d9f7ace4da3f8ec96a448b97

SHA1
26a8742221afa65a08caf93ee71723fbde7aa661

SHA256
a0948635cc81f38e5ed40a378a39c889f3e787118f9e85a51dfeef4b8bb7e3e7

SHA512
6fe7256a9e13a34434c5ffbff9720526afa17c4ea664189622caf03b721a33b1bccbeb46ca4c00d22b82e572763ff979eac4da7f72a654a7282f351c1dc4a6b7

Download Submit
C:\Windows\SysWOW64\sainbox.exe

Filesize
1.3MB

MD5
7fecb2665333ecf24969b5e0219122dd

SHA1
a99a230924690bc838230cdf466a9db6ce529568

SHA256
ebb1fbe882a201461c9a3556813e1d62c85efc5e064c708049aa14fb2310f5dc

SHA512
06e2375c52ac9079a0e95da0ca27ee0c70de197ce42af86fbe7cfbba28b9d4e503dbc07bf26640695a893ae7747707b97fec766bd2911ecf988a49702c29f135

Download Submit
\Users\Admin\AppData\Local\Temp\N.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
\Users\Admin\AppData\Local\Temp\R.exe

Filesize
941KB

MD5
8dc3adf1c490211971c1e2325f1424d2

SHA1
4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

SHA256
bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

SHA512
ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

Download Submit
\Users\Admin\AppData\Local\Temp\Temp\IK_Multimedia_Keygen.exe

Filesize
3.9MB

MD5
d88f282137d036dcb87ef1dd77fdd1e9

SHA1
d40dc44af20a1be2fc580c9f2ab7b0d0fd5208e5

SHA256
f4792d51698b4cca7032ef76aafe0c26dd2a1e8f50203de9b227ededc9575476

SHA512
969f256dcbcd8d7ffa1a778d3ca279490cae19072cd158e573bd5d38708f2e63b6760a2a07c4c49d19c2b864a28865985122b170499be87e42b6eb3014301499

Download Submit
\Users\Admin\AppData\Local\Temp\Temp\S.exe

Filesize
4.6MB

MD5
8963e3c3c5117e505c33a83eaede97c9

SHA1
48e8c67ccbb3c29350fd3638980a07f4080232c1

SHA256
5b10c85d67bce30052060eca7dc492d14bd0e3cdcafc1feb49222698a61515b1

SHA512
9c67b55428118117adf1e6e7694a12d871f0ddffb211c3992354f52a707af9c4e85bb55fa92b2a89a38bebec8db846b8677b7d6842d308b9ff586dbb02e53f15

Download Submit
\Windows\SysWOW64\259482203.txt

Filesize
899KB

MD5
195348bea799618dc843bbea6663eb85

SHA1
76e58b44e633bdb19afdae98963f139ddd336a06

SHA256
5e59a187646759f626a4188445d70f56972c7a6c5ef468628a7ab1a3d4507b5f

SHA512
06b8f754bc93453a4c0dc4fc725f3df91a448ca50d1143f809a3a4aa812ed8baf2644fdcfedfb30f40d21476f480561aac5c79db86c05a04f1bf3d552b335e52

Download Submit
\Windows\SysWOW64\Remote Data.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/876-205-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1696-99-0x0000000000400000-0x0000000000896000-memory.dmp

Filesize
4.6MB

Download
memory/2108-51-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2108-72-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2184-152-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/2192-240-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2192-277-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2668-275-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2668-215-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2672-53-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2672-39-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2672-58-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2772-269-0x0000000000250000-0x000000000026C000-memory.dmp

Filesize
112KB

Download
memory/2772-50-0x0000000000250000-0x000000000026C000-memory.dmp

Filesize
112KB

Download
memory/2772-270-0x0000000000250000-0x000000000026C000-memory.dmp

Filesize
112KB

Download
memory/2772-49-0x0000000000250000-0x000000000026C000-memory.dmp

Filesize
112KB

Download
memory/2944-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2944-21-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2944-20-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3068-191-0x0000000010000000-0x000000001019F000-memory.dmp

Filesize
1.6MB

Download