e9b99706a9b48b09974dd18c1af8a0e402ccddcaa0c91edf43fdd838128a7408

Analysis

max time kernel
300s
max time network
300s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe
Size

413KB
MD5

3023d7526b479ea3df315a5b1779a43d
SHA1

b5ae71b96a28b9353a4f33c5370ac18750937c17
SHA256

301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f
SHA512

67fe1cf7538e8ef76b6acbba99326af0de58464bf5710ae6fa7b85d73da9a84c58122de6b87c7d9560f0d366de711a95d03be231c1018eacb7489fd32aeb0834
SSDEEP

6144:OpZsqlbu151gFomsCfv6hdgnkG6FSXrIiucY6/4sTj3GUcqcPVpNghCQ:Ussu15qlsmShRG6mIiucN42qxqcC

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\ProgramData\\wdbyd\\lajurgl.exe,explorer.exe"	301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1912 cmd.exe

pid	process
1912	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hl07 = "C:\\ProgramData\\mqxrl\\wmeipf.exe"	301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe

Drops file in System32 directory 15 IoCs

Processes:

WMIADAP.EXEwmiprvse.exe

description	ioc	process
File created	C:\Windows\system32\perfc007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc00C.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc010.dat	WMIADAP.EXE
File created	C:\Windows\system32\PerfStringBackup.TMP	WMIADAP.EXE
File created	C:\Windows\system32\perfc009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc011.dat	WMIADAP.EXE
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	WMIADAP.EXE
File opened for modification	C:\Windows\system32\wbem\Logs\wmiprov.log	wmiprvse.exe
File created	C:\Windows\system32\perfh007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00C.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh011.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh010.dat	WMIADAP.EXE

Drops file in Windows directory 4 IoCs

Processes:

svchost.exeWMIADAP.EXE

description	ioc	process
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File created	C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini	WMIADAP.EXE

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

svchost.execmd.exeattrib.exe301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exesvchost.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

svchost.exesvchost.exewmiprvse.exe

pid	process
2620	svchost.exe
2824	svchost.exe
2824	svchost.exe
2620	svchost.exe
488	wmiprvse.exe
488	wmiprvse.exe
2620	svchost.exe
488	wmiprvse.exe
488	wmiprvse.exe
2620	svchost.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exesvchost.exe

pid	process
1680	301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe
1680	301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe
2824	svchost.exe
2824	svchost.exe
1680	301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe
1680	301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

svchost.exesvchost.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2620	svchost.exe
Token: SeAuditPrivilege	860	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	860	svchost.exe
Token: SeIncreaseQuotaPrivilege	860	svchost.exe
Token: SeSecurityPrivilege	860	svchost.exe
Token: SeTakeOwnershipPrivilege	860	svchost.exe
Token: SeLoadDriverPrivilege	860	svchost.exe
Token: SeSystemtimePrivilege	860	svchost.exe
Token: SeBackupPrivilege	860	svchost.exe
Token: SeRestorePrivilege	860	svchost.exe
Token: SeShutdownPrivilege	860	svchost.exe
Token: SeSystemEnvironmentPrivilege	860	svchost.exe
Token: SeUndockPrivilege	860	svchost.exe
Token: SeManageVolumePrivilege	860	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	860	svchost.exe
Token: SeIncreaseQuotaPrivilege	860	svchost.exe
Token: SeSecurityPrivilege	860	svchost.exe
Token: SeTakeOwnershipPrivilege	860	svchost.exe
Token: SeLoadDriverPrivilege	860	svchost.exe
Token: SeSystemtimePrivilege	860	svchost.exe
Token: SeBackupPrivilege	860	svchost.exe
Token: SeRestorePrivilege	860	svchost.exe
Token: SeShutdownPrivilege	860	svchost.exe
Token: SeSystemEnvironmentPrivilege	860	svchost.exe
Token: SeUndockPrivilege	860	svchost.exe
Token: SeManageVolumePrivilege	860	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	860	svchost.exe
Token: SeIncreaseQuotaPrivilege	860	svchost.exe
Token: SeSecurityPrivilege	860	svchost.exe
Token: SeTakeOwnershipPrivilege	860	svchost.exe
Token: SeLoadDriverPrivilege	860	svchost.exe
Token: SeSystemtimePrivilege	860	svchost.exe
Token: SeBackupPrivilege	860	svchost.exe
Token: SeRestorePrivilege	860	svchost.exe
Token: SeShutdownPrivilege	860	svchost.exe
Token: SeSystemEnvironmentPrivilege	860	svchost.exe
Token: SeUndockPrivilege	860	svchost.exe
Token: SeManageVolumePrivilege	860	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	860	svchost.exe
Token: SeIncreaseQuotaPrivilege	860	svchost.exe
Token: SeSecurityPrivilege	860	svchost.exe
Token: SeTakeOwnershipPrivilege	860	svchost.exe
Token: SeLoadDriverPrivilege	860	svchost.exe
Token: SeSystemtimePrivilege	860	svchost.exe
Token: SeBackupPrivilege	860	svchost.exe
Token: SeRestorePrivilege	860	svchost.exe
Token: SeShutdownPrivilege	860	svchost.exe
Token: SeSystemEnvironmentPrivilege	860	svchost.exe
Token: SeUndockPrivilege	860	svchost.exe
Token: SeManageVolumePrivilege	860	svchost.exe
Token: SeShutdownPrivilege	1284	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

svchost.exe

pid process

2824 svchost.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

svchost.exe

pid process

2824 svchost.exe
Suspicious use of UnmapMainImage 4 IoCs

Processes:

smss.exesvchost.exeOSPPSVC.EXEwmiprvse.exe

pid process

256 smss.exe
760 svchost.exe
616 OSPPSVC.EXE
488 wmiprvse.exe

pid	process
2824	svchost.exe

pid	process
2824	svchost.exe

pid	process
256	smss.exe
760	svchost.exe
616	OSPPSVC.EXE
488	wmiprvse.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exesvchost.exesvchost.execsrss.execmd.exe

description	pid	process	target process
PID 1680 wrote to memory of 2824	1680	301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe	svchost.exe
PID 1680 wrote to memory of 2824	1680	301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe	svchost.exe
PID 1680 wrote to memory of 2824	1680	301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe	svchost.exe
PID 1680 wrote to memory of 2824	1680	301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe	svchost.exe
PID 2824 wrote to memory of 2620	2824	svchost.exe	svchost.exe
PID 2824 wrote to memory of 2620	2824	svchost.exe	svchost.exe
PID 2824 wrote to memory of 2620	2824	svchost.exe	svchost.exe
PID 2824 wrote to memory of 2620	2824	svchost.exe	svchost.exe
PID 2620 wrote to memory of 256	2620	svchost.exe	smss.exe
PID 2620 wrote to memory of 332	2620	svchost.exe	csrss.exe
PID 2620 wrote to memory of 380	2620	svchost.exe	wininit.exe
PID 2620 wrote to memory of 392	2620	svchost.exe	csrss.exe
PID 2620 wrote to memory of 428	2620	svchost.exe	winlogon.exe
PID 2620 wrote to memory of 476	2620	svchost.exe	services.exe
PID 2620 wrote to memory of 484	2620	svchost.exe	lsass.exe
PID 2620 wrote to memory of 492	2620	svchost.exe	lsm.exe
PID 2620 wrote to memory of 600	2620	svchost.exe	svchost.exe
PID 2620 wrote to memory of 680	2620	svchost.exe	svchost.exe
PID 2620 wrote to memory of 760	2620	svchost.exe	svchost.exe
PID 2620 wrote to memory of 824	2620	svchost.exe	svchost.exe
PID 2620 wrote to memory of 860	2620	svchost.exe	svchost.exe
PID 2620 wrote to memory of 972	2620	svchost.exe	svchost.exe
PID 2620 wrote to memory of 276	2620	svchost.exe	svchost.exe
PID 2620 wrote to memory of 304	2620	svchost.exe	spoolsv.exe
PID 2620 wrote to memory of 1056	2620	svchost.exe	svchost.exe
PID 2620 wrote to memory of 1116	2620	svchost.exe	taskhost.exe
PID 2620 wrote to memory of 1188	2620	svchost.exe	Dwm.exe
PID 2620 wrote to memory of 1284	2620	svchost.exe	Explorer.EXE
PID 2620 wrote to memory of 616	2620	svchost.exe	OSPPSVC.EXE
PID 2620 wrote to memory of 488	2620	svchost.exe	wmiprvse.exe
PID 2620 wrote to memory of 916	2620	svchost.exe	DllHost.exe
PID 2620 wrote to memory of 1636	2620	svchost.exe	svchost.exe
PID 2620 wrote to memory of 2460	2620	svchost.exe	sppsvc.exe
PID 2620 wrote to memory of 2244	2620	svchost.exe	WMIADAP.EXE
PID 392 wrote to memory of 1528	392	csrss.exe	svchost.exe
PID 392 wrote to memory of 1528	392	csrss.exe	svchost.exe
PID 392 wrote to memory of 1528	392	csrss.exe	svchost.exe
PID 392 wrote to memory of 1528	392	csrss.exe	svchost.exe
PID 1680 wrote to memory of 1528	1680	301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe	svchost.exe
PID 1680 wrote to memory of 1528	1680	301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe	svchost.exe
PID 1680 wrote to memory of 1528	1680	301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe	svchost.exe
PID 1680 wrote to memory of 1528	1680	301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe	svchost.exe
PID 392 wrote to memory of 1680	392	csrss.exe	301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe
PID 392 wrote to memory of 1680	392	csrss.exe	301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe
PID 392 wrote to memory of 1912	392	csrss.exe	cmd.exe
PID 392 wrote to memory of 1912	392	csrss.exe	cmd.exe
PID 392 wrote to memory of 1912	392	csrss.exe	cmd.exe
PID 392 wrote to memory of 1912	392	csrss.exe	cmd.exe
PID 1680 wrote to memory of 1912	1680	301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe	cmd.exe
PID 1680 wrote to memory of 1912	1680	301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe	cmd.exe
PID 1680 wrote to memory of 1912	1680	301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe	cmd.exe
PID 1680 wrote to memory of 1912	1680	301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe	cmd.exe
PID 392 wrote to memory of 548	392	csrss.exe	conhost.exe
PID 392 wrote to memory of 548	392	csrss.exe	conhost.exe
PID 392 wrote to memory of 548	392	csrss.exe	conhost.exe
PID 392 wrote to memory of 2144	392	csrss.exe	attrib.exe
PID 392 wrote to memory of 2144	392	csrss.exe	attrib.exe
PID 392 wrote to memory of 2144	392	csrss.exe	attrib.exe
PID 392 wrote to memory of 2144	392	csrss.exe	attrib.exe
PID 1912 wrote to memory of 2144	1912	cmd.exe	attrib.exe
PID 1912 wrote to memory of 2144	1912	cmd.exe	attrib.exe
PID 1912 wrote to memory of 2144	1912	cmd.exe	attrib.exe
PID 1912 wrote to memory of 2144	1912	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2144 attrib.exe

pid	process
2144	attrib.exe

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
- Suspicious use of UnmapMainImage
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:380
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:600
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of UnmapMainImage
      PID:488
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:916
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:680
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    - Modifies security service
    - Suspicious use of UnmapMainImage
    PID:760
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:824
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1188
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:860
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      PID:2244
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:972
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:276
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:304
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1056
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1116
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    - Suspicious use of UnmapMainImage
    PID:616
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:1636
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2460
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:484
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:492

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Suspicious use of WriteProcessMemory
PID:392
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "-5549447791969806152-589621947-43850469-894643345-98288748290807623-1014754937"
  2⤵
  PID:548

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:428

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1284
- C:\Users\Admin\AppData\Local\Temp\301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe
  "C:\Users\Admin\AppData\Local\Temp\301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\syswow64\svchost.exe
      C:\Windows\syswow64\svchost.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2620
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1528
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\HumC448v.bat" 301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h 301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\qhssqqa\hqrqg.ore

Filesize
420KB

MD5
5139e7598857e1976d00a1b8d04d6a83

SHA1
c5f7ea08f7ce5b7314a6423ec13eb97c20cc4744

SHA256
69b52a7ad394ba1c007761deb07f9c58eb5f65ca9b2a5002a1f946049237f733

SHA512
5591c9ef05049345cb52798879b61d6a457fb3244e02eb9e20becb3c940d0e2370f51a3956d29510afe6d3f785ecc7cff5ce12662740696d9a1cfaca783c7003

Download Submit
C:\ProgramData\wdbyd\lajurgl.exe

Filesize
413KB

MD5
3023d7526b479ea3df315a5b1779a43d

SHA1
b5ae71b96a28b9353a4f33c5370ac18750937c17

SHA256
301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f

SHA512
67fe1cf7538e8ef76b6acbba99326af0de58464bf5710ae6fa7b85d73da9a84c58122de6b87c7d9560f0d366de711a95d03be231c1018eacb7489fd32aeb0834

Download Submit
C:\ProgramData\xshrelh\wdmksjo.hoo

Filesize
16KB

MD5
0a3dd82099678418e7c1fdbf6cae09e7

SHA1
c7338329513d886f463653ffe11fd30e968a7393

SHA256
363bf03b3e7419cb8ff4a602d90575be60c04471c2dcbcc5ae14529bd6a36115

SHA512
32acdd4b6aa9c8f025b004dc8cfb7af8e47f6604eec6e23b1975f6189b38397682fc505697f7adc82cf91bc3cbd65dbdc50d655b3293bef68f01841e0558ff03

Download Submit
C:\Users\Admin\AppData\Local\Temp\HumC448v.bat

Filesize
74B

MD5
f488b5df4ab36b2fa1c78c041f5a433c

SHA1
fe8b77ce17a48de7d7e6f7bfe7b8411701ebb12f

SHA256
ce0e7dceca9e877c8ad232acef340c246f6f553e841dbcff18a9b458cd0fae1c

SHA512
3df780bf8f3c2b547606f2dfc5552ab5140fdb089681f5945d2aec23d3eeb13d1546ea100881d6c830110c79c60f113788b1fbc7fd674a3578f9e2f76ea54ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rolrgpt.cjr

Filesize
153B

MD5
31467feb9269587391b5791213776dd8

SHA1
de9d1936f5b893984cfb7a33e57b17f38bdc8fce

SHA256
ee403c14e5861d0953cc8816a6b6830e119213b797fa09846f42ff1024939587

SHA512
5984021aefdfceeb5ec3aeff66dee773cfee6e856bd1d1985c58867fa0f94a8098cfda3ca3c62555c9ff8c23db5357219d2eac02460aec5e0b4acc8f147b5a19

Download Submit
C:\Windows\System32\perfc007.dat

Filesize
141KB

MD5
0f3d76321f0a7986b42b25a3aa554f82

SHA1
7036bba62109cc25da5d6a84d22b6edb954987c0

SHA256
dfad62e3372760d303f7337fe290e4cb28e714caadd3c59294b77968d81fe460

SHA512
bb02a3f14d47d233fbda046f61bbf5612ebc6213b156af9c47f56733a03df1bb484d1c3576569eb4499d7b378eb01f4d6e906c36c6f71738482584c2e84b47d0

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
150KB

MD5
540138285295c68de32a419b7d9de687

SHA1
1cf6a2a0f53f0516ff9fe5ac733dbb5a9255ae56

SHA256
33867c52f756f2b0f645f4bd503c65969d73676dcb14e6a6fdb2ffb11c7562eb

SHA512
7c17c10d4b6165aa0c208811dc6d98e2f4e75e3da1cc2313cc7da9d657626beb3e4ec00b07b71376a7c549725d40db20d8952753e70acc86e87a8390e224a64a

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
141KB

MD5
831dbe568992299e589143ee8898e131

SHA1
737726173aab8b76fe1f98104d72bb91abd273bf

SHA256
4f22ef1625fb2a2370779d0992f80b8e5e5da8dc727aa99ade152044d28e9405

SHA512
39015d29d593c9df59cdafbff95a6ddc000a5dbf767665b65f8ec65751e70315918c93d3583b922d32e9b6261b8c07023da660098ca79c5420b782c150b5c139

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
138KB

MD5
cf82e7354e591c1408eb2cc0e29dd274

SHA1
7e91bd50c3e6b64b81e2b5c1ce723f52e34748e9

SHA256
59b5e6fbbe68f47db14a3c045b0ac1abb026c626ca4bee708fbd3940e6d2e06d

SHA512
98bd4809c1c418be4100096bc9df328d2ad435c5615c082fa2bfa424935203107015862cd9c1737800b7f7bd020fea4538c325707927c1557bc3efebffb27620

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
114KB

MD5
1f998386566e5f9b7f11cc79254d1820

SHA1
e1da5fe1f305099b94de565d06bc6f36c6794481

SHA256
1665d97fb8786b94745295feb616a30c27af84e8a5e1d25cd1bcaf70723040ea

SHA512
a7c9702dd5833f4d6d27ce293efb9507948a3b05db350fc9909af6a48bd649c7578f856b4d64d87df451d0efbe202c62da7fffcac03b3fe72c7caaea553de75f

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
668KB

MD5
5026297c7c445e7f6f705906a6f57c02

SHA1
4ec3b66d44b0d44ec139bd1475afd100748f9e91

SHA256
506d3bec72805973df3b2e11aba4d074aeb4b26b7335536e79ea1145108817cc

SHA512
5be8e51ecacda465b905df3e38ac114240d8fa6bae5bb17e8e53a87630454b57514ca0abbd8afefd798d450cd4ee89caf4391eeb837ced384260c188482fb48d

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
634KB

MD5
1c678ee06bd02b5d9e4d51c3a4ec2d2b

SHA1
90aa7fdfaaa37fb4f2edfc8efc3994871087dedb

SHA256
2d168ab31836a08d8ca00aab9685f040aac4052a7f10fbbf0c28e9f880a79dd3

SHA512
ec665d7a20f27b2a0fe2475883009c6d34615cc2046d096de447ef57bcac9da0ae842be0556f5736f42d9c1c601fb8629896a2444990e508f7c573165088ab32

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
727KB

MD5
3251572461218e279aa1ffd235c6b74d

SHA1
bd6db180b78c22fab20f55dbf0f84a39a0fc19a2

SHA256
baeac7bef7ece88ea3cb784effd1a34232c13d998ce272ac8bc7395e6b5ec60e

SHA512
700b36964455f960511f5bbeea804febaf0ebea17a6f092cd875f7f6593ffbe79f763bd2e0bee89bb8538e67ee34c49270626d3f78db71cb39c8022d0d4baa8c

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
727KB

MD5
9d1cf2246f28d1cc1c4bc1203c9ee384

SHA1
bb72e32c442ba6237d9d084d54f327b0e6c9597d

SHA256
ace958537d27398a815102c1e9ee9d07b4da6282cd969a733c239b20f7bf94d5

SHA512
856fdff03fd00cb284dfd87166e9666d92eabe138d5a3fe5b1a0817d72acdefadf03e6a329224a5f8ef59369128a8895a91458c4225ec7da2df6cb5f61466b15

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
722KB

MD5
4623482c106cf6cc1bac198f31787b65

SHA1
5abb0decf7b42ef5daf7db012a742311932f6dad

SHA256
eceda45aedbf6454b79f010c891bead3844d43189972f6beeb5ccddb13cc0349

SHA512
afecefcec652856dd8b4275f11d75a68a582337b682309c4b61fd26ed7038b92e6b9aa72c1bfc350ce2caf5e357098b54eb1e448a4392960f9f82e01c447669f

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
394KB

MD5
24da30cbb5f0fe4939862880e72cc32c

SHA1
9132497736f52dae62b79be1677c05e32a7ba2ab

SHA256
a11a4228f8485db2f90466651f6cab07245a8ff5b3448636ab0abc4d618a4a1f

SHA512
332a57e8f0e8d7f82044f90388afd7509768ecb3f657c6be12d1f51ec1c66b8886c30d4b4a42d3a64c3e0d8b76d7cc86a1ac3b92713a68a62c12fdae6a77d6c2

Download Submit
memory/256-48-0x0000000000110000-0x0000000000160000-memory.dmp

Filesize
320KB

Download
memory/256-46-0x0000000000110000-0x0000000000160000-memory.dmp

Filesize
320KB

Download
memory/256-49-0x0000000000110000-0x0000000000160000-memory.dmp

Filesize
320KB

Download
memory/332-143-0x0000000002520000-0x0000000002570000-memory.dmp

Filesize
320KB

Download
memory/332-52-0x0000000002520000-0x0000000002570000-memory.dmp

Filesize
320KB

Download
memory/380-55-0x0000000000390000-0x00000000003E0000-memory.dmp

Filesize
320KB

Download
memory/380-162-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/380-304-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/380-145-0x0000000000390000-0x00000000003E0000-memory.dmp

Filesize
320KB

Download
memory/392-294-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/392-60-0x00000000022E0000-0x0000000002330000-memory.dmp

Filesize
320KB

Download
memory/392-146-0x00000000022E0000-0x0000000002330000-memory.dmp

Filesize
320KB

Download
memory/428-61-0x0000000000BF0000-0x0000000000C40000-memory.dmp

Filesize
320KB

Download
memory/428-147-0x0000000000BF0000-0x0000000000C40000-memory.dmp

Filesize
320KB

Download
memory/476-157-0x00000000001D0000-0x0000000000220000-memory.dmp

Filesize
320KB

Download
memory/476-83-0x00000000001D0000-0x0000000000220000-memory.dmp

Filesize
320KB

Download
memory/484-69-0x00000000000D0000-0x0000000000120000-memory.dmp

Filesize
320KB

Download
memory/484-149-0x00000000000D0000-0x0000000000120000-memory.dmp

Filesize
320KB

Download
memory/484-301-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/492-99-0x00000000002D0000-0x0000000000320000-memory.dmp

Filesize
320KB

Download
memory/492-158-0x00000000002D0000-0x0000000000320000-memory.dmp

Filesize
320KB

Download
memory/680-161-0x0000000000230000-0x0000000000280000-memory.dmp

Filesize
320KB

Download
memory/760-159-0x0000000000DB0000-0x0000000000E00000-memory.dmp

Filesize
320KB

Download
memory/824-160-0x0000000000BB0000-0x0000000000C00000-memory.dmp

Filesize
320KB

Download
memory/1680-22-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1680-5-0x0000000000080000-0x00000000000C0000-memory.dmp

Filesize
256KB

Download
memory/1680-0-0x0000000000080000-0x00000000000C0000-memory.dmp

Filesize
256KB

Download
memory/1680-18-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1680-9-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1680-8-0x0000000002060000-0x00000000020B8000-memory.dmp

Filesize
352KB

Download
memory/1680-23-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1680-27-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1680-184-0x0000000000080000-0x00000000000C0000-memory.dmp

Filesize
256KB

Download
memory/1680-3-0x0000000002060000-0x00000000020B8000-memory.dmp

Filesize
352KB

Download
memory/1680-6-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1680-17-0x0000000000080000-0x00000000000C0000-memory.dmp

Filesize
256KB

Download
memory/1680-39-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1680-38-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1680-16-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1680-15-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1680-14-0x0000000000080000-0x00000000000C0000-memory.dmp

Filesize
256KB

Download
memory/1680-21-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2620-44-0x00000000000D0000-0x000000000010F000-memory.dmp

Filesize
252KB

Download
memory/2620-154-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2620-151-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2620-42-0x00000000008A0000-0x00000000008A8000-memory.dmp

Filesize
32KB

Download
memory/2620-142-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2620-144-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2620-43-0x00000000008A0000-0x00000000008A8000-memory.dmp

Filesize
32KB

Download
memory/2620-148-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2620-150-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2620-152-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2620-153-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2620-156-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2620-292-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2620-293-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2620-155-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2620-296-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2620-295-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2620-298-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2620-297-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2620-300-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2620-299-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2824-34-0x00000000008A0000-0x00000000008A8000-memory.dmp

Filesize
32KB

Download
memory/2824-37-0x00000000008A0000-0x00000000008A8000-memory.dmp

Filesize
32KB

Download
memory/2824-36-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download