fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f

Analysis

max time kernel
88s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 21:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe
Size

58KB
MD5

6c3f92d287aeb9601c9c8a97951d5180
SHA1

f0ce65a8b95d4efa24465f66572a7d841090d619
SHA256

fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f
SHA512

723f324f1a263f36e72b0be33cf3f0b1579f6195001f9e91a0ff29a0cf064c1461de05734fdacbceee8a9d959ab5f1f56fb489827c7482035bc1477c6a64b129
SSDEEP

1536:SB9jHFv9FlF9BFfYRKYqgnqBQOQDMe644NFL:SB9jHL/F9BRqKY5neDe6

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372336053"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EDFCE0A1-4A19-11ED-93F0-EAF6071D98F9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90d09ec626ded801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a300000000020000000000106600000001000020000000b0c9718f452a1e2caa98171aca9046cabd32c61674d94438ea7b1fe47bb4e5ee000000000e8000000002000020000000bd5309e56f89b478504bc1f60e4135073879f7e4e2e37bc818852a37dfe5754d20000000ade4b5d23c901b67d6a46c63384b89e8133ea55bce5259eb2583f8b8b2d22073400000001f3280975cd98fcbfcede8d8d9cc1385a2f409dc16affa22590629f93460b01f9ed87e0402138974e294e84a3336f8fe786babdb4cd59503e1b15288bea812ea	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a30000000002000000000010660000000100002000000062735b509909e7f47f539d42face9e007c1209269aea62e901f3128228f20087000000000e80000000020000200000004b7894c31888f463d69b31fb98dddd863db2bcec10236a56fc5d90941548741990000000941b4e9f99bb8a037a4abdd434b53608600036b7241e52b8fc39ae4a0929b162703bdf4a275b51e2f7cc1272daeb69cc107b95bef03bc1eaecae7cf9e319677a268469c2e020157013bbcde40f6c7753f2b5dc60e4414bd847d24b91ae24a2a3a262ade7810f68b68b97220949b95ce7e1cd50c81b2d2318ebd3a3aaec53722f82b9c43e4f80671a9728d7dba29794af40000000bead23d7dda3189f0b5c02c80866144baee94de7d6e871bf019e4c8580cf339c46204266cec69b3bbd43479264d7dd6e90cd9e08cfabd10b4334a5d592890895	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe

Suspicious behavior: MapViewOfSection 22 IoCs

pid	Process
1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe
1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe
1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe
1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe
1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe
1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe
1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe
1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe
1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe
1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe
1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe
1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe
1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe
1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe
1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe
1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe
1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe
1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe
1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe
1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe
1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe
1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1884	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1884	iexplore.exe
1884	iexplore.exe
1000	IEXPLORE.EXE
1000	IEXPLORE.EXE
1000	IEXPLORE.EXE
1000	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 368	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	25
PID 1280 wrote to memory of 368	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	25
PID 1280 wrote to memory of 368	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	25
PID 1280 wrote to memory of 368	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	25
PID 1280 wrote to memory of 368	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	25
PID 1280 wrote to memory of 368	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	25
PID 1280 wrote to memory of 368	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	25
PID 1280 wrote to memory of 384	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	24
PID 1280 wrote to memory of 384	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	24
PID 1280 wrote to memory of 384	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	24
PID 1280 wrote to memory of 384	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	24
PID 1280 wrote to memory of 384	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	24
PID 1280 wrote to memory of 384	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	24
PID 1280 wrote to memory of 384	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	24
PID 1280 wrote to memory of 420	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	23
PID 1280 wrote to memory of 420	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	23
PID 1280 wrote to memory of 420	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	23
PID 1280 wrote to memory of 420	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	23
PID 1280 wrote to memory of 420	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	23
PID 1280 wrote to memory of 420	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	23
PID 1280 wrote to memory of 420	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	23
PID 1280 wrote to memory of 464	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	22
PID 1280 wrote to memory of 464	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	22
PID 1280 wrote to memory of 464	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	22
PID 1280 wrote to memory of 464	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	22
PID 1280 wrote to memory of 464	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	22
PID 1280 wrote to memory of 464	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	22
PID 1280 wrote to memory of 464	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	22
PID 1280 wrote to memory of 480	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	1
PID 1280 wrote to memory of 480	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	1
PID 1280 wrote to memory of 480	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	1
PID 1280 wrote to memory of 480	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	1
PID 1280 wrote to memory of 480	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	1
PID 1280 wrote to memory of 480	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	1
PID 1280 wrote to memory of 480	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	1
PID 1280 wrote to memory of 488	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	21
PID 1280 wrote to memory of 488	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	21
PID 1280 wrote to memory of 488	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	21
PID 1280 wrote to memory of 488	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	21
PID 1280 wrote to memory of 488	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	21
PID 1280 wrote to memory of 488	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	21
PID 1280 wrote to memory of 488	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	21
PID 1280 wrote to memory of 596	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	20
PID 1280 wrote to memory of 596	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	20
PID 1280 wrote to memory of 596	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	20
PID 1280 wrote to memory of 596	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	20
PID 1280 wrote to memory of 596	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	20
PID 1280 wrote to memory of 596	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	20
PID 1280 wrote to memory of 596	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	20
PID 1280 wrote to memory of 672	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	19
PID 1280 wrote to memory of 672	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	19
PID 1280 wrote to memory of 672	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	19
PID 1280 wrote to memory of 672	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	19
PID 1280 wrote to memory of 672	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	19
PID 1280 wrote to memory of 672	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	19
PID 1280 wrote to memory of 672	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	19
PID 1280 wrote to memory of 756	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	18
PID 1280 wrote to memory of 756	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	18
PID 1280 wrote to memory of 756	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	18
PID 1280 wrote to memory of 756	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	18
PID 1280 wrote to memory of 756	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	18
PID 1280 wrote to memory of 756	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	18
PID 1280 wrote to memory of 756	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	18
PID 1280 wrote to memory of 820	1280	fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe	17

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:1172

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:2036

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
1⤵
PID:1112

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1372
- C:\Users\Admin\AppData\Local\Temp\fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe
  "C:\Users\Admin\AppData\Local\Temp\fc9ebe241b79e40b42717b8e7d94604e7696b5d71c225d73221f213d2e2c667f.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1280

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1316

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1036

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:596
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1884
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1884 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1000

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:488

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat

Filesize
19KB

MD5
91cc4c9c3c515619eb3e84d38fe3fc4a

SHA1
39a291f0fc7e3beff990fc93bf3996797386eae4

SHA256
ac6102b46aba341e2e11fbaa960622af76552806103a646688a696ad8f5e8876

SHA512
84e02a829b5f5f522b578bf2a6ebc092a1df7c60d21ffb9c7de9ea36753cab5e1fd24e2d00b50427c391ba34459cfe141f53abd777e0964b8f74a260d7406f1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SZQMGHN1.txt

Filesize
608B

MD5
8bcaea8bfa30995f5b84a5f5d8ca565e

SHA1
3b45e7dc598a6c464400ca472ea03538dc1efe8f

SHA256
175d2cfaf3744db297be99068831e538f27051d29af39dfd48ce064d12700a04

SHA512
c03eab54b45a739a9fd02a9b5fe9fe597bd02b052554873b92995a35a8b3349abb20b742a0f6ba566b4f3fcaccdaeb6b11e10dc08ba66168301896736595eda3

Download Submit
memory/1280-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1280-57-0x0000000000020000-0x0000000000031000-memory.dmp

Filesize
68KB

Download
memory/1280-56-0x0000000000020000-0x0000000000031000-memory.dmp

Filesize
68KB

Download
memory/1280-55-0x0000000001000000-0x0000000001011000-memory.dmp

Filesize
68KB

Download