34b6e285db1e369b7f098c2fd7db85d3e1766bb9c5d10d58bb2f9948e19e0cfd

Analysis

max time kernel
44s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28/10/2022, 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34b6e285db1e369b7f098c2fd7db85d3e1766bb9c5d10d58bb2f9948e19e0cfd.exe
Size

95KB
MD5

0b84527ed1f757fef90372dfb2126eb1
SHA1

a5cb7a767c23262ebbe13c9a5258ee37d537d817
SHA256

34b6e285db1e369b7f098c2fd7db85d3e1766bb9c5d10d58bb2f9948e19e0cfd
SHA512

d0d9b36dcb3226ae61e494304bd549f3057546e506d04ee6cd90657dcd182a7179d7e06458d898f9729b8c1e43f862148396c80bc02699f71cc8c355175acb0d
SSDEEP

1536:kjdUy9hWM4A+mR5qy7OYvXIxBnA+LbOxTZ0U5CGbOKMdfqj6t83ErF:eH+mRLdvXIxBntLbOxKBGbOKM383Ep

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1188	00F15.exe
292	00F15.exe
1352	8D713.exe

Loads dropped DLL 8 IoCs

pid	Process
620	34b6e285db1e369b7f098c2fd7db85d3e1766bb9c5d10d58bb2f9948e19e0cfd.exe
620	34b6e285db1e369b7f098c2fd7db85d3e1766bb9c5d10d58bb2f9948e19e0cfd.exe
292	00F15.exe
292	00F15.exe
1352	8D713.exe
1352	8D713.exe
1352	8D713.exe
1352	8D713.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\BVKAHQ3P.txt	8D713.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\YOTPQXM9.txt	8D713.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YSJ8XR3B.htm	8D713.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\0Q3VCABD.txt	8D713.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\0Q3VCABD.txt	8D713.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\BVKAHQ3P.txt	8D713.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\FOCMRLDV.txt	8D713.exe
File opened for modification	C:\Windows\SysWOW64\00F15.exe	34b6e285db1e369b7f098c2fd7db85d3e1766bb9c5d10d58bb2f9948e19e0cfd.exe
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.OCX	00F15.exe
File opened for modification	C:\Windows\SysWOW64\8D713.exe	00F15.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	8D713.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\FOCMRLDV.txt	8D713.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\YOTPQXM9.txt	8D713.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	8D713.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	8D713.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	8D713.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	8D713.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	8D713.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1F62EE11-7320-4D6A-9678-A8BDAEB4E85C}\WpadDecision = "0"	8D713.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-13-c5-d2-84-f1\WpadDecision = "0"	8D713.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1F62EE11-7320-4D6A-9678-A8BDAEB4E85C}	8D713.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1F62EE11-7320-4D6A-9678-A8BDAEB4E85C}\WpadDecisionReason = "1"	8D713.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1F62EE11-7320-4D6A-9678-A8BDAEB4E85C}\WpadDecisionTime = f0f9729939ebd801	8D713.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	8D713.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	8D713.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	8D713.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	8D713.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	8D713.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1F62EE11-7320-4D6A-9678-A8BDAEB4E85C}\WpadNetworkName = "Network 2"	8D713.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-13-c5-d2-84-f1	8D713.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1F62EE11-7320-4D6A-9678-A8BDAEB4E85C}\c6-13-c5-d2-84-f1	8D713.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-13-c5-d2-84-f1\WpadDecisionTime = f0f9729939ebd801	8D713.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	8D713.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	8D713.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	8D713.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0009000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	8D713.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-13-c5-d2-84-f1\WpadDecisionReason = "1"	8D713.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0"	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX"	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	8D713.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX, 1"	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	8D713.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0"	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX"	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	8D713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	8D713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	8D713.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
620	34b6e285db1e369b7f098c2fd7db85d3e1766bb9c5d10d58bb2f9948e19e0cfd.exe
1188	00F15.exe
292	00F15.exe
1352	8D713.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 1188	620	34b6e285db1e369b7f098c2fd7db85d3e1766bb9c5d10d58bb2f9948e19e0cfd.exe	27
PID 620 wrote to memory of 1188	620	34b6e285db1e369b7f098c2fd7db85d3e1766bb9c5d10d58bb2f9948e19e0cfd.exe	27
PID 620 wrote to memory of 1188	620	34b6e285db1e369b7f098c2fd7db85d3e1766bb9c5d10d58bb2f9948e19e0cfd.exe	27
PID 620 wrote to memory of 1188	620	34b6e285db1e369b7f098c2fd7db85d3e1766bb9c5d10d58bb2f9948e19e0cfd.exe	27
PID 1188 wrote to memory of 320	1188	00F15.exe	28
PID 1188 wrote to memory of 320	1188	00F15.exe	28
PID 1188 wrote to memory of 320	1188	00F15.exe	28
PID 1188 wrote to memory of 320	1188	00F15.exe	28
PID 620 wrote to memory of 660	620	34b6e285db1e369b7f098c2fd7db85d3e1766bb9c5d10d58bb2f9948e19e0cfd.exe	30
PID 620 wrote to memory of 660	620	34b6e285db1e369b7f098c2fd7db85d3e1766bb9c5d10d58bb2f9948e19e0cfd.exe	30
PID 620 wrote to memory of 660	620	34b6e285db1e369b7f098c2fd7db85d3e1766bb9c5d10d58bb2f9948e19e0cfd.exe	30
PID 620 wrote to memory of 660	620	34b6e285db1e369b7f098c2fd7db85d3e1766bb9c5d10d58bb2f9948e19e0cfd.exe	30
PID 320 wrote to memory of 368	320	cmd.exe	32
PID 320 wrote to memory of 368	320	cmd.exe	32
PID 320 wrote to memory of 368	320	cmd.exe	32
PID 320 wrote to memory of 368	320	cmd.exe	32
PID 660 wrote to memory of 1072	660	cmd.exe	33
PID 660 wrote to memory of 1072	660	cmd.exe	33
PID 660 wrote to memory of 1072	660	cmd.exe	33
PID 660 wrote to memory of 1072	660	cmd.exe	33
PID 368 wrote to memory of 1816	368	net.exe	34
PID 368 wrote to memory of 1816	368	net.exe	34
PID 368 wrote to memory of 1816	368	net.exe	34
PID 368 wrote to memory of 1816	368	net.exe	34
PID 1072 wrote to memory of 956	1072	net.exe	35
PID 1072 wrote to memory of 956	1072	net.exe	35
PID 1072 wrote to memory of 956	1072	net.exe	35
PID 1072 wrote to memory of 956	1072	net.exe	35
PID 292 wrote to memory of 2040	292	00F15.exe	37
PID 292 wrote to memory of 2040	292	00F15.exe	37
PID 292 wrote to memory of 2040	292	00F15.exe	37
PID 292 wrote to memory of 2040	292	00F15.exe	37
PID 2040 wrote to memory of 664	2040	cmd.exe	39
PID 2040 wrote to memory of 664	2040	cmd.exe	39
PID 2040 wrote to memory of 664	2040	cmd.exe	39
PID 2040 wrote to memory of 664	2040	cmd.exe	39
PID 664 wrote to memory of 1032	664	net.exe	40
PID 664 wrote to memory of 1032	664	net.exe	40
PID 664 wrote to memory of 1032	664	net.exe	40
PID 664 wrote to memory of 1032	664	net.exe	40
PID 292 wrote to memory of 1352	292	00F15.exe	41
PID 292 wrote to memory of 1352	292	00F15.exe	41
PID 292 wrote to memory of 1352	292	00F15.exe	41
PID 292 wrote to memory of 1352	292	00F15.exe	41

C:\Users\Admin\AppData\Local\Temp\34b6e285db1e369b7f098c2fd7db85d3e1766bb9c5d10d58bb2f9948e19e0cfd.exe
"C:\Users\Admin\AppData\Local\Temp\34b6e285db1e369b7f098c2fd7db85d3e1766bb9c5d10d58bb2f9948e19e0cfd.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\SysWOW64\00F15.exe
  C:\Windows\system32\00F15.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "net start 00F15"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Windows\SysWOW64\net.exe
      net start 00F15
      4⤵
      Suspicious use of WriteProcessMemory
      PID:368
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start 00F15
        5⤵
        
        PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "net start 00F15"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Windows\SysWOW64\net.exe
    net start 00F15
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start 00F15
      4⤵
      PID:956

C:\Windows\SysWOW64\00F15.exe
C:\Windows\SysWOW64\00F15.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "net start 00F15"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\net.exe
    net start 00F15
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:664
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start 00F15
      4⤵
      PID:1032
- C:\Windows\SysWOW64\8D713.exe
  C:\Windows\system32\8D713.exe eee
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\00F15.exe

Filesize
95KB

MD5
0b84527ed1f757fef90372dfb2126eb1

SHA1
a5cb7a767c23262ebbe13c9a5258ee37d537d817

SHA256
34b6e285db1e369b7f098c2fd7db85d3e1766bb9c5d10d58bb2f9948e19e0cfd

SHA512
d0d9b36dcb3226ae61e494304bd549f3057546e506d04ee6cd90657dcd182a7179d7e06458d898f9729b8c1e43f862148396c80bc02699f71cc8c355175acb0d

Download Submit
C:\Windows\SysWOW64\00F15.exe

Filesize
95KB

MD5
0b84527ed1f757fef90372dfb2126eb1

SHA1
a5cb7a767c23262ebbe13c9a5258ee37d537d817

SHA256
34b6e285db1e369b7f098c2fd7db85d3e1766bb9c5d10d58bb2f9948e19e0cfd

SHA512
d0d9b36dcb3226ae61e494304bd549f3057546e506d04ee6cd90657dcd182a7179d7e06458d898f9729b8c1e43f862148396c80bc02699f71cc8c355175acb0d

Download Submit
C:\Windows\SysWOW64\8D713.exe

Filesize
104KB

MD5
2b1b7cf833726f0380ec1a33222c5c1f

SHA1
4fd1e1241181e1c273435af2f51f2764ced2de3e

SHA256
e7b8b4f8157c2842ff11295f057bf37179be342ef24f036750f7e0e44a4dc82c

SHA512
28478d1141f9408dba2ef8116b0c63b8cd423f1eb53d91a29fffe7e6d2f3c49e74eab45f6b059eeef38794c748b2d8ad550234ff5fbaabc226cad6db6ad2ba8b

Download Submit
C:\Windows\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
\Windows\SysWOW64\00F15.exe

Filesize
95KB

MD5
0b84527ed1f757fef90372dfb2126eb1

SHA1
a5cb7a767c23262ebbe13c9a5258ee37d537d817

SHA256
34b6e285db1e369b7f098c2fd7db85d3e1766bb9c5d10d58bb2f9948e19e0cfd

SHA512
d0d9b36dcb3226ae61e494304bd549f3057546e506d04ee6cd90657dcd182a7179d7e06458d898f9729b8c1e43f862148396c80bc02699f71cc8c355175acb0d

Download Submit
\Windows\SysWOW64\00F15.exe

Filesize
95KB

MD5
0b84527ed1f757fef90372dfb2126eb1

SHA1
a5cb7a767c23262ebbe13c9a5258ee37d537d817

SHA256
34b6e285db1e369b7f098c2fd7db85d3e1766bb9c5d10d58bb2f9948e19e0cfd

SHA512
d0d9b36dcb3226ae61e494304bd549f3057546e506d04ee6cd90657dcd182a7179d7e06458d898f9729b8c1e43f862148396c80bc02699f71cc8c355175acb0d

Download Submit
\Windows\SysWOW64\8D713.exe

Filesize
104KB

MD5
2b1b7cf833726f0380ec1a33222c5c1f

SHA1
4fd1e1241181e1c273435af2f51f2764ced2de3e

SHA256
e7b8b4f8157c2842ff11295f057bf37179be342ef24f036750f7e0e44a4dc82c

SHA512
28478d1141f9408dba2ef8116b0c63b8cd423f1eb53d91a29fffe7e6d2f3c49e74eab45f6b059eeef38794c748b2d8ad550234ff5fbaabc226cad6db6ad2ba8b

Download Submit
\Windows\SysWOW64\8D713.exe

Filesize
104KB

MD5
2b1b7cf833726f0380ec1a33222c5c1f

SHA1
4fd1e1241181e1c273435af2f51f2764ced2de3e

SHA256
e7b8b4f8157c2842ff11295f057bf37179be342ef24f036750f7e0e44a4dc82c

SHA512
28478d1141f9408dba2ef8116b0c63b8cd423f1eb53d91a29fffe7e6d2f3c49e74eab45f6b059eeef38794c748b2d8ad550234ff5fbaabc226cad6db6ad2ba8b

Download Submit
\Windows\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
\Windows\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
\Windows\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
\Windows\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
memory/292-76-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/292-89-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/620-66-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1188-63-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1352-88-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download