9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 22:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Size

786KB
MD5

054267b256c2cfdffe332832188dac70
SHA1

22cbf8f49db96c04246071d9e811ee680469e19c
SHA256

9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8
SHA512

2ad6d3526efcfb14407b848906ffe28b8a8a569c72795c97adf3cc1a2e6d9774f6af989cbd9392064d149539482c51ce592afe1986b9a811cca1ae72bc0bc11b
SSDEEP

6144:EBQgqTudbAZeNa5JXZ//0RQlTFQ8Ff2BzemM1EZ0wGHvItfxX7puI:EBQgqiSJJERQl5vd2BzFM1EKwGPI8I

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\clk.ini	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\neyq.dll	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
File created	C:\Windows\run.bat	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\{2670000A-7350-4F3C-8081-5663EE0C6C49}	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: SeIncBasePriorityPrivilege	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
Token: 33	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 1320	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	83
PID 2536 wrote to memory of 1320	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	83
PID 2536 wrote to memory of 1320	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	83
PID 1320 wrote to memory of 852	1320	cmd.exe	85
PID 1320 wrote to memory of 852	1320	cmd.exe	85
PID 1320 wrote to memory of 852	1320	cmd.exe	85
PID 1320 wrote to memory of 4996	1320	cmd.exe	86
PID 1320 wrote to memory of 4996	1320	cmd.exe	86
PID 1320 wrote to memory of 4996	1320	cmd.exe	86
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44
PID 2536 wrote to memory of 2484	2536	9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe	44

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2484
- C:\Users\Admin\AppData\Local\Temp\9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe
  "C:\Users\Admin\AppData\Local\Temp\9119d27278482c821e678a23ee441d180370cdaa9e94ecfff3ee60fed868ffc8.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\run.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\*.default" /B
      4⤵
      PID:852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\*.default" /B
      4⤵
      PID:4996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\neyq.dll

Filesize
337KB

MD5
1ac7aa2455c133122d4f632dab0848d2

SHA1
0642f1f41cb512ab6a76fa1d8f0b9713ebddec9c

SHA256
1dd7050daa3fcc30d44fda4b5ce3bc8a6e8e7636dceff3b53257d85d6721f352

SHA512
fa6606d3b501d87ba482b8c258df9739f8b9c96de64dd10d9afb0bccd567fe8880732db9c42d5c2d8e73263287c53c5c31c3217eb8ca30068bde8b0a5fca6a2e

Download Submit
C:\Windows\run.bat

Filesize
5KB

MD5
ad0d80bf6b4292dbada25f7f8fd6556c

SHA1
40133d1dea9905bf406fb88efcb57cd693e6cf43

SHA256
081f45a04b555b2406e5b63afbcdba4e564c3157e7d3720d21e8f53d2127bae1

SHA512
76eaacabecaaed7b4eb53fbc5db4d53b15ccdbe6526119346dc444e932cc1ebfffb74b0df3f54c85168d72082f9017802e9775bc178a58fcac0ab3c1ddb519cb

Download Submit