Analysis
max time kernel: 150s
max time network: 183s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/10/2022, 05:12
Static task: static1
Behavioral task: behavioral1
  Sample: 57b5b10ab543276440dbbe91867394f0db0fba810cecb4d99b6e21480ec3fa94.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 57b5b10ab543276440dbbe91867394f0db0fba810cecb4d99b6e21480ec3fa94.exe
  Resource: win10v2004-20220812-en
General
Target: 57b5b10ab543276440dbbe91867394f0db0fba810cecb4d99b6e21480ec3fa94.exe
Size: 239KB
MD5: 1c470acf85ef922149f351df9d40c1fc
SHA1: 66f619676f1b7bf535db17f56ca45343a5da86ef
SHA256: 57b5b10ab543276440dbbe91867394f0db0fba810cecb4d99b6e21480ec3fa94
SHA512: 8236d30214b0ae1a41cbf00f252aef9b144fa82abe50695b907e3924e31952c064d74004e42fd13c2c8d120a6be2ff9e53163889d5a8ddc69c6369ee54725ac0
SSDEEP: 6144:iKK/LAiOHJL1lf/AR0XTH8g/jGJGpy0/FKk2Jfd4dV:iKK/LAHJL1lf/XXTHD/jGJGw07P
Malware Config
Signatures
Executes dropped EXE 6 IoCs
  pid   Process
  4300  BG3ry23
  1432  BG3ry23
  4976  ynumunxxaxaghuns.exe
  3044  ynumunxxaxaghuns.exe
  3164  ynumunxxaxaghuns.exe
  3160  ynumunxxaxaghuns.exe

  resource                                                                     yara_rule
  behavioral2/memory/1432-139-0x0000000000400000-0x0000000000434000-memory.dmp  upx
  behavioral2/memory/1432-136-0x0000000000400000-0x0000000000434000-memory.dmp  upx
  behavioral2/memory/1432-141-0x0000000000400000-0x0000000000434000-memory.dmp  upx
  behavioral2/memory/1432-149-0x0000000000400000-0x0000000000434000-memory.dmp  upx
  behavioral2/memory/3044-158-0x0000000000400000-0x0000000000434000-memory.dmp  upx
  behavioral2/memory/3044-163-0x0000000000400000-0x0000000000434000-memory.dmp  upx
  behavioral2/memory/3160-172-0x0000000000400000-0x0000000000434000-memory.dmp  upx
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  BG3ry23
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  ynumunxxaxaghuns.exe
Suspicious use of SetThreadContext 3 IoCs
  description                          pid   Process               procid_target
  PID 4300 set thread context of 1432  4300  BG3ry23               82
  PID 4976 set thread context of 3044  4976  ynumunxxaxaghuns.exe  99
  PID 3164 set thread context of 3160  3164  ynumunxxaxaghuns.exe  118
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 5 IoCs
  pid   pid_target  Process       procid_target
  4232  4720        WerFault.exe  85
  3652  220         WerFault.exe  92
  1484  1656        WerFault.exe  100
  3764  3552        WerFault.exe  106
  1004  4300        WerFault.exe  119
Suspicious use of AdjustPrivilegeToken 6 IoCs
  description                 pid   Process
  Token: SeSecurityPrivilege  1432  BG3ry23
  Token: SeDebugPrivilege     1432  BG3ry23
  Token: SeSecurityPrivilege  3044  ynumunxxaxaghuns.exe
  Token: SeDebugPrivilege     3044  ynumunxxaxaghuns.exe
  Token: SeSecurityPrivilege  3160  ynumunxxaxaghuns.exe
  Token: SeDebugPrivilege     3160  ynumunxxaxaghuns.exe
Suspicious use of FindShellTrayWindow 5 IoCs
  pid   Process
  1508  IEXPLORE.EXE
  1508  IEXPLORE.EXE
  1508  IEXPLORE.EXE
  1508  IEXPLORE.EXE
  1508  IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 30 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
[1] C:\Users\Admin\AppData\Local\Temp\57b5b10ab543276440dbbe91867394f0db0fba810cecb4d99b6e21480ec3fa94.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\57b5b10ab543276440dbbe91867394f0db0fba810cecb4d99b6e21480ec3fa94.exe"
    PID: 532
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\BG3ry23
      command line: "BG3ry23"
      PID: 4300
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\BG3ry23
        command line: C:\Users\Admin\AppData\Local\Temp\BG3ry23
        PID: 1432
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\svchost.exe
          command line: C:\Windows\system32\svchost.exe
          PID: 4720
        [5] C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 204
            PID: 4232
            - Program crash
      [4] C:\Program Files (x86)\Internet Explorer\iexplore.exe
          command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          PID: 2336
          - Suspicious use of WriteProcessMemory
        [5] C:\Program Files\Internet Explorer\IEXPLORE.EXE
            command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            PID: 1508
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
          [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:17410 /prefetch:2
              PID: 4364
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
          [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:82950 /prefetch:2
              PID: 3612
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
          [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:17418 /prefetch:2
              PID: 2548
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
          [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:82958 /prefetch:2
              PID: 2152
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\svchost.exe
          command line: C:\Windows\system32\svchost.exe
          PID: 220
        [5] C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 204
            PID: 3652
            - Program crash
      [4] C:\Program Files (x86)\Internet Explorer\iexplore.exe
          command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          PID: 3488
          - Suspicious use of WriteProcessMemory
        [5] C:\Program Files\Internet Explorer\IEXPLORE.EXE
            command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            PID: 3928
            - Modifies Internet Explorer settings
      [4] C:\Users\Admin\AppData\Local\Temp\ynumunxxaxaghuns.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\ynumunxxaxaghuns.exe" elevate
          PID: 4976
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\ynumunxxaxaghuns.exe
            command line: C:\Users\Admin\AppData\Local\Temp\ynumunxxaxaghuns.exe
            PID: 3044
            - Executes dropped EXE
            - Checks computer location settings
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\svchost.exe
              command line: C:\Windows\system32\svchost.exe
              PID: 1656
            [7] C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 204
                PID: 1484
                - Program crash
          [6] C:\Program Files (x86)\Internet Explorer\iexplore.exe
              command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              PID: 2328
            [7] C:\Program Files\Internet Explorer\IEXPLORE.EXE
                command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                PID: 4668
                - Modifies Internet Explorer settings
          [6] C:\Windows\SysWOW64\svchost.exe
              command line: C:\Windows\system32\svchost.exe
              PID: 3552
            [7] C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 204
                PID: 3764
                - Program crash
          [6] C:\Program Files (x86)\Internet Explorer\iexplore.exe
              command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              PID: 4712
            [7] C:\Program Files\Internet Explorer\IEXPLORE.EXE
                command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                PID: 4988
                - Modifies Internet Explorer settings
          [6] C:\Users\Admin\AppData\Local\Temp\ynumunxxaxaghuns.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\ynumunxxaxaghuns.exe" elevate
              PID: 3164
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
            [7] C:\Users\Admin\AppData\Local\Temp\ynumunxxaxaghuns.exe
                command line: C:\Users\Admin\AppData\Local\Temp\ynumunxxaxaghuns.exe
                PID: 3160
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\SysWOW64\svchost.exe
                  command line: C:\Windows\system32\svchost.exe
                  PID: 4300
                [9] C:\Windows\SysWOW64\WerFault.exe
                    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 204
                    PID: 1004
                    - Program crash
              [8] C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                  PID: 1860
                [9] C:\Program Files\Internet Explorer\IEXPLORE.EXE
                    command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                    PID: 3272
                    - Modifies Internet Explorer settings
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4720 -ip 4720
    PID: 4736
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 220 -ip 220
    PID: 2168
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1656 -ip 1656
    PID: 2992
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3552 -ip 3552
    PID: 1724
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4300 -ip 4300
    PID: 4372
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 169KB
MD5: 8d7fffdc5fa650429e06d7d7f9b9e639
SHA1: f072366e3522f1ae05704410af710f95daab57a9
SHA256: 6f64930ab0dae493aa7adce4f1b8687b99d3b4a57b52f760acd1de61ce12a8e3
SHA512: 91c4a6760117be43ecf73e035e1a07009af82a81aafe8f78f86938c341018b49e8f20a7ec71a27882ca31719d42ca764702e0be13a378d53fbc2f4bb910da8cf