Overview

Score summary (task | platform | score):

Static               | static             | 8
WMV_[WWW.D...K5.exe  | windows7-x64       | 8
WMV_[WWW.D...K5.exe  | windows10-2004-x64 | 8
IE2EM.dll            | windows7-x64       | 1
IE2EM.dll            | windows10-2004-x64 | 1
config/antiLeech.dll | windows7-x64       | 1
config/antiLeech.dll | windows10-2004-x64 | 1
config/cou...ag.dll  | windows7-x64       | 1
config/cou...ag.dll  | windows10-2004-x64 | 1
eMule.js             | windows7-x64       | 1
eMule.js             | windows10-2004-x64 | 1
eMule32.exe          | windows7-x64       | 1
eMule32.exe          | windows10-2004-x64 | 1
eMuleObject.exe      | windows7-x64       | 1
eMuleObject.exe      | windows10-2004-x64 | 1
eMule_Chicane.js     | windows7-x64       | 1
eMule_Chicane.js     | windows10-2004-x64 | 1
ed2k.html            | windows7-x64       | 1
ed2k.html            | windows10-2004-x64 | 1
lang/zh_CN.dll       | windows7-x64       | 1
lang/zh_CN.dll       | windows10-2004-x64 | 1
lang/zh_TW.dll       | windows7-x64       | 1
lang/zh_TW.dll       | windows10-2004-x64 | 1

Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-09-2022 04:29
Static task: static1

Behavioral tasks (task | sample | resource):

behavioral1  | WMV_[WWW.DSESE666.NET]_HONGKONG_3296492365FH78FG6GK5.exe | win7-20220901-en
behavioral2  | WMV_[WWW.DSESE666.NET]_HONGKONG_3296492365FH78FG6GK5.exe | win10v2004-20220812-en
behavioral3  | IE2EM.dll              | win7-20220812-en
behavioral4  | IE2EM.dll              | win10v2004-20220812-en
behavioral5  | config/antiLeech.dll   | win7-20220812-en
behavioral6  | config/antiLeech.dll   | win10v2004-20220812-en
behavioral7  | config/countryflag.dll | win7-20220901-en
behavioral8  | config/countryflag.dll | win10v2004-20220812-en
behavioral9  | eMule.js               | win7-20220812-en
behavioral10 | eMule.js               | win10v2004-20220812-en
behavioral11 | eMule32.exe            | win7-20220812-en
behavioral12 | eMule32.exe            | win10v2004-20220901-en
behavioral13 | eMuleObject.exe        | win7-20220812-en
behavioral14 | eMuleObject.exe        | win10v2004-20220901-en
behavioral15 | eMule_Chicane.js       | win7-20220812-en
behavioral16 | eMule_Chicane.js       | win10v2004-20220812-en
behavioral17 | ed2k.html              | win7-20220812-en
behavioral18 | ed2k.html              | win10v2004-20220812-en
behavioral19 | lang/zh_CN.dll         | win7-20220901-en
behavioral20 | lang/zh_CN.dll         | win10v2004-20220812-en
behavioral21 | lang/zh_TW.dll         | win7-20220812-en
behavioral22 | lang/zh_TW.dll         | win10v2004-20220812-en
General

Target: WMV_[WWW.DSESE666.NET]_HONGKONG_3296492365FH78FG6GK5.exe
Size: 3.0MB
MD5: 4a57ea222bc09445bfb07a488337634e
SHA1: 59ade3040cd598ae89fe4d8359998b9b396a35f8
SHA256: e4b99d3b492408df0de5bd41c254315088b9c95df7dd33e10aaa394227590e62
SHA512: f501948c42009ed208485e017c4bf1771e54141baa87a77855edc4855b480331cb2b13ce41ee19308193687fab4e142a46110da2ab38ef9528b2cfd85dceae36
SSDEEP: 49152:B0klMIiGUWSo2h496dw4zTOMCUultJETJetZd0vYc6+zJ9GyIxdb0:XSNWSo0496dwGTr87ZDd0vYOPGb0
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid  | Process
1348 | iedvv.exe
4484 | acpi64.exe
Sets file execution options in registry (2 TTPs, 45 IoCs)
Sets service image path in registry (2 TTPs, 5 IoCs)
description     | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\acpi64Drv\ImagePath = "\\??\\C:\\Windows\\system32\\acpi64.sys" | iedvv.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\acpi64\ImagePath = "C:\\Windows\\system32\\acpi64.exe" | iedvv.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\acpi64\ImagePath = "C:\\Windows\\system32\\acpi64.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\acpi64\ImagePath = "C:\\Windows\\system32\\acpi64.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\acpi64Drv\ImagePath = "\\??\\C:\\Windows\\system32\\acpi64.sys" | svchost.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description       | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | WMV_[WWW.DSESE666.NET]_HONGKONG_3296492365FH78FG6GK5.exe
Loads dropped DLL (3 IoCs)
pid  | Process
4484 | acpi64.exe
556  | svchost.exe
1780 | svchost.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory (8 IoCs)
description                  | ioc                            | Process
File opened for modification | C:\Windows\SysWOW64\acpi64.exe | iedvv.exe
File created                 | C:\Windows\SysWOW64\acpi64.dll | iedvv.exe
File opened for modification | C:\Windows\SysWOW64\acpi64.dll | iedvv.exe
File created                 | C:\Windows\SysWOW64\acpi64.sys | acpi64.exe
File opened for modification | C:\Windows\SysWOW64\acpi64.sys | acpi64.exe
File created                 | C:\Windows\SysWOW64\acpi64.ocx | svchost.exe
File opened for modification | C:\Windows\SysWOW64\acpi64.ocx | svchost.exe
File created                 | C:\Windows\SysWOW64\acpi64.exe | iedvv.exe
Drops file in Program Files directory (2 IoCs)
description  | ioc                                       | Process
File created | C:\Program Files\SetupTemp012\iedvv.exe   | WMV_[WWW.DSESE666.NET]_HONGKONG_3296492365FH78FG6GK5.exe
File created | C:\Program Files\SetupTemp012\temp012.wmv | WMV_[WWW.DSESE666.NET]_HONGKONG_3296492365FH78FG6GK5.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS (5 IoCs)
description     | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | svchost.exe
Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | svchost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid  | Process
1348 | iedvv.exe (62 entries)
4484 | acpi64.exe (2 entries)
Suspicious behavior: LoadsDriver (1 IoCs)
pid | Process
664 | Process not Found
Suspicious use of AdjustPrivilegeToken (6 IoCs)
description                      | pid  | Process
Token: SeShutdownPrivilege       | 3404 | unregmp2.exe
Token: SeCreatePagefilePrivilege | 3404 | unregmp2.exe
Token: SeDebugPrivilege          | 4484 | acpi64.exe
Token: SeDebugPrivilege          | 556  | svchost.exe
Token: SeDebugPrivilege          | 556  | svchost.exe
Token: SeDebugPrivilege          | 556  | svchost.exe
Suspicious use of WriteProcessMemory (24 IoCs)
description                      | pid  | Process      | procid_target
PID 2592 wrote to memory of 1348 | 2592 | WMV_[WWW.DSESE666.NET]_HONGKONG_3296492365FH78FG6GK5.exe | 79 (3 entries)
PID 2592 wrote to memory of 2248 | 2592 | WMV_[WWW.DSESE666.NET]_HONGKONG_3296492365FH78FG6GK5.exe | 80 (3 entries)
PID 2248 wrote to memory of 3040 | 2248 | wmplayer.exe | 81 (3 entries)
PID 2248 wrote to memory of 4300 | 2248 | wmplayer.exe | 82 (3 entries)
PID 4300 wrote to memory of 3404 | 4300 | unregmp2.exe | 83 (2 entries)
PID 4484 wrote to memory of 556  | 4484 | acpi64.exe   | 87 (5 entries)
PID 556 wrote to memory of 1780  | 556  | svchost.exe  | 88 (5 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\WMV_[WWW.DSESE666.NET]_HONGKONG_3296492365FH78FG6GK5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\WMV_[WWW.DSESE666.NET]_HONGKONG_3296492365FH78FG6GK5.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 2592

  C:\Program Files\SetupTemp012\iedvv.exe
    Command line: "C:\Program Files\SetupTemp012\iedvv.exe" 30
    - Executes dropped EXE
    - Sets file execution options in registry
    - Sets service image path in registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 1348

  C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\SetupTemp012\temp012.wmv"
    - Suspicious use of WriteProcessMemory
    PID: 2248

    C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      Command line: "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\SetupTemp012\temp012.wmv"
      PID: 3040

    C:\Windows\SysWOW64\unregmp2.exe
      Command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      - Suspicious use of WriteProcessMemory
      PID: 4300

      C:\Windows\system32\unregmp2.exe
        Command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        - Enumerates connected drives
        - Suspicious use of AdjustPrivilegeToken
        PID: 3404

C:\Windows\SysWOW64\acpi64.exe
  Command line: C:\Windows\SysWOW64\acpi64.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4484

  C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\system32\svchost.exe
    - Sets service image path in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 556

    C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      - Sets service image path in registry
      - Loads dropped DLL
      PID: 1780
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 372KB
MD5: 8a6ca67120d329a09c416f51ce7ef60d
SHA1: f442b33d68134a852044126ffb51d3fae4ad4984
SHA256: dcf7fe140561a156d1cbba871b5e96d15c83c5a703555cab51c343496bc71f26
SHA512: 28602ef899dd2cf165537b25a10700da22b786d25f5edda66a0471119636d004439f88c59752c701e82d67dc647ec765a1c13178fce64ddafaa2ac1cb3f62e47

Filesize: 1KB
MD5: 2ab0a9281c1d605d6cd8226dee8a5d72
SHA1: a0caa1d603b2f96095924e0f8bf4bd96c8c957a0
SHA256: a233f323a73bce7e8b5306a5d2712a7626fdd61862ebae255e8b3ef519619a3c
SHA512: 300f8391db95640282187f98e3909cbe9608b747b7b72a6179204761a42b8dc62e13e7761847ccd804c0edd6b97695e86d4496f2fa67378e572fc5dbcc8b39d4

Filesize: 232KB
MD5: be5401228507fd226ab13c564e65f888
SHA1: af0f03698138867073014fdbc0ae6f7248b98915
SHA256: 23258dafc47e9f46a7c8d2d183fea07567e4196bddcb8f70b5bdbed3dd77b767
SHA512: 19503a068c202157397fa76eaead5b23ef6179c8da58cf2afdc0f069742e086b65ec1004c2c0980424bf44c73d5ff5569013285f6f1a8d20b6ea234ace044744