Analysis Overview
SHA256
1182fef07adfc3c6602e89a541879f39a5b66d0bc0d9e8d91fa3c41c14004eb5
Threat Level: Known bad
The file 1182fef07adfc3c6602e89a541879f39a5b66d0bc0d9e8d91fa3c41c14004eb5 was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
BetaBot
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
Sets file execution options in registry
Checks BIOS information in registry
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of WriteProcessMemory
Modifies Internet Explorer Protected Mode Banner
Modifies Internet Explorer settings
Modifies Internet Explorer Protected Mode
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-04 03:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-04 03:19
Reported
2022-06-04 04:58
Platform
win7-20220414-en
Max time kernel
147s
Max time network
147s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wiya9aggig17sw9.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wiya9aggig17sw9.exe\DisableExceptionChainValidation | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "ajox.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1376 set thread context of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\1182fef07adfc3c6602e89a541879f39a5b66d0bc0d9e8d91fa3c41c14004eb5.exe | C:\Windows\SysWOW64\svchost.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\svchost.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1182fef07adfc3c6602e89a541879f39a5b66d0bc0d9e8d91fa3c41c14004eb5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\1182fef07adfc3c6602e89a541879f39a5b66d0bc0d9e8d91fa3c41c14004eb5.exe
"C:\Users\Admin\AppData\Local\Temp\1182fef07adfc3c6602e89a541879f39a5b66d0bc0d9e8d91fa3c41c14004eb5.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| NL | 142.250.179.142:80 | google.com | tcp |
| US | 8.8.8.8:53 | mexchoicebd.com | udp |
| US | 8.8.8.8:53 | mexchoicebd.com | udp |
| US | 194.195.211.98:80 | mexchoicebd.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-04 03:19
Reported
2022-06-04 04:58
Platform
win10v2004-20220414-en
Max time kernel
99s
Max time network
132s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\k9eg13a77e.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\k9eg13a77e.exe\DisableExceptionChainValidation | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "pwvvzpa.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1668 set thread context of 4772 | N/A | C:\Users\Admin\AppData\Local\Temp\1182fef07adfc3c6602e89a541879f39a5b66d0bc0d9e8d91fa3c41c14004eb5.exe | C:\Windows\SysWOW64\svchost.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\explorer.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\svchost.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1182fef07adfc3c6602e89a541879f39a5b66d0bc0d9e8d91fa3c41c14004eb5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1182fef07adfc3c6602e89a541879f39a5b66d0bc0d9e8d91fa3c41c14004eb5.exe
"C:\Users\Admin\AppData\Local\Temp\1182fef07adfc3c6602e89a541879f39a5b66d0bc0d9e8d91fa3c41c14004eb5.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4580 -ip 4580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 1136
Network
| Country | Destination | Domain | Proto |
| US | 20.44.10.123:443 | | tcp |
| NL | 8.248.7.254:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
Files