Analysis
-
max time kernel
128s -
max time network
56s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
13-05-2021 12:54
Static task
static1
Behavioral task
behavioral1
Sample
56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe
Resource
win10v20210408
General
-
Target
56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe
-
Size
3.5MB
-
MD5
be29b40b903c1c61d2e920220c136530
-
SHA1
089f89a42fd9dffbe7bb13a9206e22e1f0093efe
-
SHA256
56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7
-
SHA512
ebe524050f4b622d903cae19b866a508410ecd659eea3c254ed56dca03c3e96e5bdfb901be53ce40353d2f8729b492b65cfa27b680878cf4c48b1c0afe548fe4
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr
pid process
1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr
608 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr
-
Loads dropped DLL 2 IoCs
Processes:
56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr
pid process
1240 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe
1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr
-
Drops file in System32 directory 2 IoCs
Processes:
56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe
description ioc process
File created C:\Windows\SysWOW64\USR_Shohdi_Photo_USR.rsu 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe
File opened for modification C:\Windows\SysWOW64\USR_Shohdi_Photo_USR.rsu 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe
-
Drops file in Program Files directory 64 IoCs
Processes:
56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exedescription ioc process File created \??\c:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files\VideoLAN\VLC\vlc.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\misc.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files\7-Zip\7zG.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files\7-Zip\Uninstall.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\plugin-container.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\firefox.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created 
\??\c:\Program Files\VideoLAN\VLC\uninstall.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files (x86)\Google\Update\Install\{A290E22C-E339-4EA1-B140-FE44A71CE551}\89.0.4389.114_chrome_installer.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\default-browser-agent.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files\Mozilla Firefox\firefox.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\maintenanceservice.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\BCSSync.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\MSOUC.usr 
56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\MSPUB.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files\Google\Chrome\Application\chrome.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\bin\jconsole.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files\Java\jre7\bin\javaws.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.usr 
56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\89.0.4389.114_chrome_installer.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files\Java\jre7\bin\javaws.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files\Mozilla Firefox\plugin-container.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE 
56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.usr 
56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe File created \??\c:\Program Files (x86)\Google\Temp\GUMFBCB.tmp\GoogleUpdateSetup.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe -
Drops file in Windows directory 1 IoCs
Processes:
56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe
description ioc process
File created C:\Windows\USR_Shohdi_Photo_USR.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe
-
Modifies data under HKEY_USERS 1 IoCs
Processes:
56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr
description ioc process
Key created \REGISTRY\USER\ 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr
-
Modifies registry class 1 IoCs
Processes:
56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr
description ioc process
Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\ 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usrdescription pid process target process PID 1240 wrote to memory of 1764 1240 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1240 wrote to memory of 1764 1240 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1240 wrote to memory of 1764 1240 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1240 wrote to memory of 1764 1240 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 
56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 
56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 
1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 
56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 
56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr PID 1764 wrote to memory of 608 1764 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr 56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr
Processes
-
C:\Users\Admin\AppData\Local\Temp\56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe
"C:\Users\Admin\AppData\Local\Temp\56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr
C:\Users\Admin\AppData\Local\Temp\56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr
"C:\Users\Admin\AppData\Local\Temp\56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr" --channel=1764.0.2077839446 --type=renderer
3⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
-
C:\Users\Admin\AppData\Local\Temp\56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr
MD5 cb3318e16dd539a6be9696f53b3d3c56
SHA1 d9f98701c81f7653af2f3e1afff61303551fa7c7
SHA256 35a8339e4c5555295605933a18bd55d4bf34219eb4647d3e960a823a93eaef03
SHA512 66e1d10bf9d6589bcc3d2ebdc95e7f817ea212770c4d49f2bab11ecaabe6d7701d26aacc107aa8e677bd62b762d90b05fa989d4209af928a588447982f770334
-
C:\Users\Admin\AppData\Local\Temp\56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr
MD5 cb3318e16dd539a6be9696f53b3d3c56
SHA1 d9f98701c81f7653af2f3e1afff61303551fa7c7
SHA256 35a8339e4c5555295605933a18bd55d4bf34219eb4647d3e960a823a93eaef03
SHA512 66e1d10bf9d6589bcc3d2ebdc95e7f817ea212770c4d49f2bab11ecaabe6d7701d26aacc107aa8e677bd62b762d90b05fa989d4209af928a588447982f770334
-
C:\Users\Admin\AppData\Local\Temp\56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr
MD5 cb3318e16dd539a6be9696f53b3d3c56
SHA1 d9f98701c81f7653af2f3e1afff61303551fa7c7
SHA256 35a8339e4c5555295605933a18bd55d4bf34219eb4647d3e960a823a93eaef03
SHA512 66e1d10bf9d6589bcc3d2ebdc95e7f817ea212770c4d49f2bab11ecaabe6d7701d26aacc107aa8e677bd62b762d90b05fa989d4209af928a588447982f770334
-
\Users\Admin\AppData\Local\Temp\56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr
MD5 cb3318e16dd539a6be9696f53b3d3c56
SHA1 d9f98701c81f7653af2f3e1afff61303551fa7c7
SHA256 35a8339e4c5555295605933a18bd55d4bf34219eb4647d3e960a823a93eaef03
SHA512 66e1d10bf9d6589bcc3d2ebdc95e7f817ea212770c4d49f2bab11ecaabe6d7701d26aacc107aa8e677bd62b762d90b05fa989d4209af928a588447982f770334
-
\Users\Admin\AppData\Local\Temp\56b1b3be9bc6304ae46a5d339f5070517b6d20e4f47e99ae1a0ffffa9b6e4ac7.usr
MD5 cb3318e16dd539a6be9696f53b3d3c56
SHA1 d9f98701c81f7653af2f3e1afff61303551fa7c7
SHA256 35a8339e4c5555295605933a18bd55d4bf34219eb4647d3e960a823a93eaef03
SHA512 66e1d10bf9d6589bcc3d2ebdc95e7f817ea212770c4d49f2bab11ecaabe6d7701d26aacc107aa8e677bd62b762d90b05fa989d4209af928a588447982f770334
-
memory/608-68-0x0000000000000000-mapping.dmp
-
memory/608-75-0x0000000075B31000-0x0000000075B33000-memory.dmp
Filesize 8KB
-
memory/1240-64-0x0000000000400000-0x000000000041A000-memory.dmp
Filesize 104KB
-
memory/1240-63-0x0000000000220000-0x0000000000222000-memory.dmp
Filesize 8KB
-
memory/1764-60-0x0000000000000000-mapping.dmp
-
memory/1764-62-0x0000000075B31000-0x0000000075B33000-memory.dmp
Filesize 8KB