Analysis
-
max time kernel
151s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
03-10-2022 22:07
Static task
static1
Behavioral task
behavioral1
Sample
9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Resource
win7-20220812-en
windows7-x64
8 signatures
150 seconds
General
-
Target
9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
-
Size
786KB
-
MD5
054267b256c2cfdffe332832188dac70
-
SHA1
22cbf8f49db96c04246071d9e811ee680469e19c
-
SHA256
9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8
-
SHA512
2ad6d3526efcfb14407b848906ffe28b8a8a569c72795c97adf3cc1a2e6d9774f6af989cbd9392064d149539482c51ce592afe1986b9a811cca1ae72bc0bc11b
-
SSDEEP
6144:EBQgqTudbAZeNa5JXZ//0RQlTFQ8Ff2BzemM1EZ0wGHvItfxX7puI:EBQgqiSJJERQl5vd2BzFM1EKwGPI8I
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\clk.ini 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\GoCE.dll 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe File created C:\Windows\run.bat 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4F3C-8081-5663EE0C6C49} 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: SeIncBasePriorityPrivilege 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe Token: 33 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1800 wrote to memory of 1584 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 29 PID 1800 wrote to memory of 1584 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 29 PID 1800 wrote to memory of 1584 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 29 PID 1800 wrote to memory of 1584 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 29 PID 1584 wrote to memory of 1544 1584 cmd.exe 31 PID 1584 wrote to memory of 1544 1584 cmd.exe 31 PID 1584 wrote to memory of 1544 1584 cmd.exe 31 PID 1584 wrote to memory of 1544 1584 cmd.exe 31 PID 1584 wrote to memory of 1724 1584 cmd.exe 32 PID 1584 wrote to memory of 1724 1584 cmd.exe 32 PID 1584 wrote to memory of 1724 1584 cmd.exe 32 PID 1584 wrote to memory of 1724 1584 cmd.exe 32 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18 PID 1800 wrote to memory of 1256 1800 9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe 18
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1256
-
C:\Users\Admin\AppData\Local\Temp\9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe"C:\Users\Admin\AppData\Local\Temp\9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\run.bat3⤵
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\*.default" /B4⤵PID:1544
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\*.default" /B4⤵PID:1724
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5KB
MD5ad0d80bf6b4292dbada25f7f8fd6556c
SHA140133d1dea9905bf406fb88efcb57cd693e6cf43
SHA256081f45a04b555b2406e5b63afbcdba4e564c3157e7d3720d21e8f53d2127bae1
SHA51276eaacabecaaed7b4eb53fbc5db4d53b15ccdbe6526119346dc444e932cc1ebfffb74b0df3f54c85168d72082f9017802e9775bc178a58fcac0ab3c1ddb519cb