Analysis
max time kernel: 98s
max time network: 139s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 06/11/2022, 16:59

Static task: static1
Behavioral task: behavioral1
  Sample: b9d1363c7907f37f3562174bc5b275db01f638fe0d7b36234f0948451fa631ef.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: b9d1363c7907f37f3562174bc5b275db01f638fe0d7b36234f0948451fa631ef.exe
  Resource: win10v2004-20220901-en

General
Target: b9d1363c7907f37f3562174bc5b275db01f638fe0d7b36234f0948451fa631ef.exe
Size: 60KB
MD5: 0c4f1b87a1138a8c61f48be7ad0a43f0
SHA1: 2c4f0df295c2a1792eea52552786946d89c1cd91
SHA256: b9d1363c7907f37f3562174bc5b275db01f638fe0d7b36234f0948451fa631ef
SHA512: 4b8d6fc447da06e500d63231a4b31f2481e902398c7e769cb779cf6d577fd3b429d6f5d5d95925ac37597fb70580f532c2ad69a8801e30993c4f69dd87aa888c
SSDEEP: 1536:1jHFv9FlF9BFfYRKYqgnq/iapRRjiXp20W:1jHL/F9BRqKY5ncioRj2TW
Malware Config
Signatures

Drops file in Windows directory 1 IoC
description                     ioc                             Process
File opened for modification    C:\Windows\WindowsUpdate.log    IEXPLORE.EXE

Modifies Internet Explorer settings 35 IoCs
Every key below is under \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer, written as <IE> here. The report attributes all 35 entries to the two Internet Explorer processes (iexplore.exe, IEXPLORE.EXE), none to the sample itself; the two long REG_BINARY values are listed in full after the table.
description         ioc                                                                  Process
Key created         <IE>\PageSetup                                                       iexplore.exe
Set value (int)     <IE>\Main\CompatibilityFlags = "0"                                   iexplore.exe
Key created         <IE>\GPU                                                             iexplore.exe
Key created         <IE>\Main\WindowsSearch                                              IEXPLORE.EXE
Set value (data)    <IE>\TabbedBrowsing\NewTabPage\MFV = <MFV value below>               iexplore.exe
Key created         <IE>\DomainSuggestion                                                iexplore.exe
Key created         <IE>\Recovery\PendingRecovery                                        iexplore.exe
Key created         <IE>\LowRegistry\DontShowMeThisDialogAgain                           iexplore.exe
Key created         <IE>\Main\WindowsSearch                                              iexplore.exe
Set value (str)     <IE>\Main\FullScreen = "no"                                          iexplore.exe
Set value (int)     <IE>\Recovery\PendingRecovery\AdminActive = "0"                      iexplore.exe
Key created         <IE>\TabbedBrowsing\NewTabPage                                       iexplore.exe
Key created         <IE>\LowRegistry\DOMStorage                                          iexplore.exe
Key created         <IE>\IETld\LowMic                                                    iexplore.exe
Key created         <IE>\IntelliForms                                                    iexplore.exe
Key created         <IE>\Toolbar                                                         iexplore.exe
Key created         <IE>\Toolbar\WebBrowser                                              iexplore.exe
Key created         <IE>\TabbedBrowsing                                                  iexplore.exe
Key created         <IE>\DomainSuggestion\FileNames\                                     iexplore.exe
Key created         <IE>\Main                                                            iexplore.exe
Key created         <IE>\Recovery\AdminActive                                            iexplore.exe
Set value (int)     <IE>\Recovery\AdminActive\{430D0B91-5E26-11ED-BDDC-626677DD231B} = "0"   iexplore.exe
Key created         <IE>\Main                                                            IEXPLORE.EXE
Set value (str)     <IE>\Main\WindowsSearch\Version = "WS not running"                   IEXPLORE.EXE
Set value (str)     <IE>\DomainSuggestion\FileNames\en-US = "en-US.1"                    iexplore.exe
Key created         <IE>\BrowserEmulation\LowMic                                         iexplore.exe
Key created         <IE>\Zoom                                                            iexplore.exe
Set value (data)    <IE>\TabbedBrowsing\NewTabPage\DecayDateQueue = <DecayDateQueue value below>   iexplore.exe
Set value (data)    <IE>\TabbedBrowsing\NewTabPage\LastProcessed = 004ab30c33f2d801      iexplore.exe
Key created         <IE>\DomainSuggestion\FileNames                                      iexplore.exe
Set value (int)     <IE>\DomainSuggestion\NextUpdateDate = "374540370"                   iexplore.exe
Key created         <IE>\InternetRegistry                                                iexplore.exe
Set value (str)     <IE>\Main\WindowsSearch\Version = "WS not running"                   iexplore.exe
Set value (int)     <IE>\TabbedBrowsing\NTPFirstRun = "1"                                iexplore.exe
Key created         <IE>\LowRegistry                                                     iexplore.exe

MFV value:
01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a0000000002000000000010660000000100002000000098165cf92ca20b157aa7fe992b817784a35c922f109b9a6a9433471f292bc810000000000e8000000002000020000000f3446d7f7e5295d9cc820c8da5175027ed683b131fcb16730fa916957c7dc695900000005ccdce3891256d65f7d3dc4638752568c395e5b27f78b1835c058c62c08d76c13ee8df0e7b08b329dd16d8bcfe7c7865ca0fac39b2da4a412ce5f911e67ad6cbd62d34a8855440e69e77e97cdb5d9624bb6220ff5e0a4d0c586c61ebd1228f3b3d2dc11a06a6ba1fb0d78fcc1f2275da04e7c5fd893a2d9d2ff583876f5ca2205d541a1548668db9d20cad93591bda0e40000000457b68e0568757c300b0b99cd087f99fa699edf9d33b7263fb10677b69626bdb2d6cba47bde9419f0247714d08bb9f71cf942a0b0f6d6c387d698cbd6d17e9c9

DecayDateQueue value:
01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000a80e4748e6057a2ce59b0bcfee3539d92d16c418d5d5a88e7644d8bc68baf336000000000e8000000002000020000000df00dd458b2f1c4855b1d076cf64f4d37894b78c2b26ded5321f7fc688c1057920000000df22a7b5739271e8a97db4e8fe813eb51ea7f358b7620e802343d8dbcf91ca3640000000a886bd568aad19911f978f62699dc6537c5dd9b8580174fa44d82cfa437cd0d3c79446775765e55e86dd616edaaf67b6911b476cbf52e2595ffe73b0a9a04951
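The two REG_BINARY values under TabbedBrowsing\NewTabPage (MFV and DecayDateQueue) both begin with 01000000 followed by the bytes d08c9ddf0115d1118c7a00c04fc297eb, which is the little-endian encoding of the DPAPI provider GUID {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}: they are CryptProtectData blobs, i.e. per-user encrypted state that only the Admin user's DPAPI master key can open, and LastProcessed is a little-endian FILETIME. The following Python is an added example, not code from the report, the sandbox or the sample; it parses the public DPAPI blob header layout from the hex strings above and decodes the timestamp. The ALG_ID names are the CryptoAPI constants; the master-key GUID it prints is the name of the key file that would be needed under the user's %APPDATA%\Microsoft\Protect\<SID>\ directory.

```python
"""Decode the IE TabbedBrowsing\\NewTabPage values from the sandbox report.

Added example; not code from the report or the sample. The hex strings are the
MFV, DecayDateQueue and LastProcessed IoC values copied from the report. The
parser follows the public DPAPI blob layout written by CryptProtectData.
"""
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Values copied from the "Modifies Internet Explorer settings" IoCs.
MFV_HEX = "01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a0000000002000000000010660000000100002000000098165cf92ca20b157aa7fe992b817784a35c922f109b9a6a9433471f292bc810000000000e8000000002000020000000f3446d7f7e5295d9cc820c8da5175027ed683b131fcb16730fa916957c7dc695900000005ccdce3891256d65f7d3dc4638752568c395e5b27f78b1835c058c62c08d76c13ee8df0e7b08b329dd16d8bcfe7c7865ca0fac39b2da4a412ce5f911e67ad6cbd62d34a8855440e69e77e97cdb5d9624bb6220ff5e0a4d0c586c61ebd1228f3b3d2dc11a06a6ba1fb0d78fcc1f2275da04e7c5fd893a2d9d2ff583876f5ca2205d541a1548668db9d20cad93591bda0e40000000457b68e0568757c300b0b99cd087f99fa699edf9d33b7263fb10677b69626bdb2d6cba47bde9419f0247714d08bb9f71cf942a0b0f6d6c387d698cbd6d17e9c9"
DECAY_DATE_QUEUE_HEX = "01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000a80e4748e6057a2ce59b0bcfee3539d92d16c418d5d5a88e7644d8bc68baf336000000000e8000000002000020000000df00dd458b2f1c4855b1d076cf64f4d37894b78c2b26ded5321f7fc688c1057920000000df22a7b5739271e8a97db4e8fe813eb51ea7f358b7620e802343d8dbcf91ca3640000000a886bd568aad19911f978f62699dc6537c5dd9b8580174fa44d82cfa437cd0d3c79446775765e55e86dd616edaaf67b6911b476cbf52e2595ffe73b0a9a04951"
LAST_PROCESSED_HEX = "004ab30c33f2d801"  # REG_BINARY FILETIME, little-endian

# GUID every DPAPI blob carries right after the version dword.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# CryptoAPI ALG_ID constants that occur in these blobs.
ALG_NAMES = {0x6610: "CALG_AES_256", 0x800E: "CALG_SHA_512"}


class _Reader:
    """Sequential little-endian reader that fails cleanly on a truncated blob."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("blob truncated")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack("<I", self.take(4))[0]

    def guid(self) -> uuid.UUID:
        return uuid.UUID(bytes_le=self.take(16))


def parse_dpapi_blob(hex_value: str) -> dict:
    """Parse a CryptProtectData blob header; raise ValueError if it is not one."""
    r = _Reader(bytes.fromhex(hex_value))
    version, provider = r.u32(), r.guid()
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError(f"not a DPAPI blob (version={version}, provider={provider})")
    blob = {"master_key_version": r.u32(), "master_key": r.guid(), "flags": r.u32()}
    blob["description"] = r.take(r.u32()).decode("utf-16-le").rstrip("\x00")
    blob["alg_crypt"], blob["alg_crypt_bits"] = r.u32(), r.u32()
    blob["salt"] = r.take(r.u32())
    blob["hmac_key"] = r.take(r.u32())   # legacy field, zero length in these blobs
    blob["alg_hash"], blob["alg_hash_bits"] = r.u32(), r.u32()
    blob["hmac2_key"] = r.take(r.u32())
    blob["data"] = r.take(r.u32())       # the encrypted payload
    blob["sign"] = r.take(r.u32())       # HMAC over the blob
    if r.pos != len(r.data):
        raise ValueError(f"{len(r.data) - r.pos} trailing bytes after signature")
    return blob


def filetime_to_datetime(hex_value: str) -> datetime:
    """Decode a little-endian FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    (ticks,) = struct.unpack("<Q", bytes.fromhex(hex_value))
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def describe(name: str, blob: dict) -> str:
    """One-line triage summary of a parsed blob."""
    return (f"{name}: master key {blob['master_key']}, "
            f"{ALG_NAMES.get(blob['alg_crypt'], hex(blob['alg_crypt']))}/"
            f"{ALG_NAMES.get(blob['alg_hash'], hex(blob['alg_hash']))}, "
            f"{len(blob['data'])} bytes of ciphertext")


if __name__ == "__main__":
    for name, hex_value in (("MFV", MFV_HEX), ("DecayDateQueue", DECAY_DATE_QUEUE_HEX)):
        print(describe(name, parse_dpapi_blob(hex_value)))
    print("LastProcessed:", filetime_to_datetime(LAST_PROCESSED_HEX).isoformat())
```

Both blobs parse to the end with no trailing bytes, use AES-256 with SHA-512 and reference the same master-key GUID, so the encrypted payloads cannot be read from the registry dump alone; the LastProcessed timestamp falls on the day of the analysis, consistent with Internet Explorer writing its first-run new-tab-page state during the run.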
Suspicious behavior: EnumeratesProcesses 1 IoC
pid     Process
1544    b9d1363c7907f37f3562174bc5b275db01f638fe0d7b36234f0948451fa631ef.exe

Suspicious behavior: MapViewOfSection 20 IoCs
pid     Process
1544    b9d1363c7907f37f3562174bc5b275db01f638fe0d7b36234f0948451fa631ef.exe (all 20 entries)

Suspicious use of AdjustPrivilegeToken 1 IoC
description                 pid     Process
Token: SeDebugPrivilege     1544    b9d1363c7907f37f3562174bc5b275db01f638fe0d7b36234f0948451fa631ef.exe

Suspicious use of FindShellTrayWindow 1 IoC
pid     Process
632     iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs
pid     Process
632     iexplore.exe (2 entries)
992     IEXPLORE.EXE (4 entries)
Suspicious use of WriteProcessMemory 64 IoCs
The writing process is PID 1544, b9d1363c7907f37f3562174bc5b275db01f638fe0d7b36234f0948451fa631ef.exe, in every row. The "rows" column is the number of identical rows in the report; the target image is resolved from the process tree below.
description                         procid_target   rows   target (from process tree)
PID 1544 wrote to memory of 372     5               7      wininit.exe
PID 1544 wrote to memory of 380     4               7      csrss.exe
PID 1544 wrote to memory of 420     3               7      winlogon.exe
PID 1544 wrote to memory of 464     2               7      services.exe
PID 1544 wrote to memory of 480     1               7      lsass.exe
PID 1544 wrote to memory of 488     8               7      lsm.exe
PID 1544 wrote to memory of 600     24              7      svchost.exe -k DcomLaunch
PID 1544 wrote to memory of 680     23              7      svchost.exe -k RPCSS
PID 1544 wrote to memory of 744     22              7      svchost.exe -k LocalServiceNetworkRestricted
PID 1544 wrote to memory of 816     21              1      svchost.exe -k LocalSystemNetworkRestricted

The list stops at exactly 64 rows, with a single row for PID 816 where every earlier target has seven, so it is cut off there rather than complete. Read together with the SeDebugPrivilege token, the EnumeratesProcesses hit and the 20 MapViewOfSection calls by the same PID, the rows show the sample writing into the address space of the core system processes in ascending PID order, which is the pattern to look for in the process tree and in any memory capture of the targets.
Processes
Indentation shows parent/child depth. The signatures the report attributes to a process follow its command line.

PID 480   C:\Windows\system32\lsass.exe
          cmdline: C:\Windows\system32\lsass.exe
PID 464   C:\Windows\system32\services.exe
          cmdline: C:\Windows\system32\services.exe
  PID 852   C:\Windows\system32\svchost.exe
            cmdline: C:\Windows\system32\svchost.exe -k LocalService
  PID 1032  C:\Windows\system32\sppsvc.exe
            cmdline: C:\Windows\system32\sppsvc.exe
  PID 1064  C:\Windows\system32\svchost.exe
            cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  PID 1132  C:\Windows\system32\taskhost.exe
            cmdline: "taskhost.exe"
  PID 1096  C:\Windows\system32\svchost.exe
            cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  PID 1040  C:\Windows\System32\spoolsv.exe
            cmdline: C:\Windows\System32\spoolsv.exe
  PID 324   C:\Windows\system32\svchost.exe
            cmdline: C:\Windows\system32\svchost.exe -k NetworkService
  PID 876   C:\Windows\system32\svchost.exe
            cmdline: C:\Windows\system32\svchost.exe -k netsvcs
  PID 816   C:\Windows\System32\svchost.exe
            cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  PID 744   C:\Windows\System32\svchost.exe
            cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  PID 680   C:\Windows\system32\svchost.exe
            cmdline: C:\Windows\system32\svchost.exe -k RPCSS
  PID 600   C:\Windows\system32\svchost.exe
            cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch
    PID 632   C:\Program Files\Internet Explorer\iexplore.exe
              cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
              signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
      PID 992   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:632 CREDAT:275457 /prefetch:2
                signatures: Drops file in Windows directory; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
PID 420   C:\Windows\system32\winlogon.exe
          cmdline: winlogon.exe
PID 380   C:\Windows\system32\csrss.exe
          cmdline: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
PID 372   C:\Windows\system32\wininit.exe
          cmdline: wininit.exe
  PID 488   C:\Windows\system32\lsm.exe
            cmdline: C:\Windows\system32\lsm.exe
PID 1188  C:\Windows\system32\Dwm.exe
          cmdline: "C:\Windows\system32\Dwm.exe"
PID 1220  C:\Windows\Explorer.EXE
          cmdline: C:\Windows\Explorer.EXE
  PID 1544  C:\Users\Admin\AppData\Local\Temp\b9d1363c7907f37f3562174bc5b275db01f638fe0d7b36234f0948451fa631ef.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\b9d1363c7907f37f3562174bc5b275db01f638fe0d7b36234f0948451fa631ef.exe"
            signatures: Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

Note that iexplore.exe (PID 632) is not a child of the sample: it sits under the DcomLaunch svchost (PID 600) and was started with -Embedding, the switch COM passes when it activates an out-of-process server. PID 600 is one of the processes the sample wrote to in the WriteProcessMemory signature, and the only child the sample has in the tree is none; every Internet Explorer IoC on this page is attributed to PIDs 632 and 992.
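The WriteProcessMemory signature and the process tree above only become useful together: the rows name target PIDs, the tree names the images. The Python below is an added triage script, not code from the report or the sample. It parses both sections in the run-together one-line form this page uses, counts writes per target, resolves each target to its image from the tree, and checks whether the writer also appears in the AdjustPrivilegeToken signature. The embedded text is a constructed excerpt of the rows above (one per distinct target, three for PID 480) rather than the full 64-entry list, and SYSTEM_IMAGES is my own list of core Windows process names, not something the report defines.

```python
"""Correlate WriteProcessMemory IoCs with the sandbox process tree.

Added example; not code from the report or the sample. Parses the report's
flattened text, counts writes per (writer, target) pair, names the target from
the tree and flags writers that also took SeDebugPrivilege.
"""
import re
from collections import Counter

SAMPLE = "b9d1363c7907f37f3562174bc5b275db01f638fe0d7b36234f0948451fa631ef.exe"

# Constructed excerpt of the WriteProcessMemory signature in the page's run-together
# form (description, pid, Process, procid_target with no separators between rows).
WPM_EXCERPT = "description pid Process procid_target " + " ".join(
    f"PID 1544 wrote to memory of {target} 1544 {SAMPLE} {idx}"
    for target, idx in [(372, 5), (380, 4), (420, 3), (464, 2), (480, 1), (480, 1),
                        (480, 1), (488, 8), (600, 24), (680, 23), (744, 22), (816, 21)]
)

# Constructed excerpt of the process tree in the page's form: image path and command
# line run together, then the depth digit, the arrow glyph and the PID.
TREE_EXCERPT = r"""C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:480
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵PID:464
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵PID:816
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵PID:744
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵PID:680
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵PID:600
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:420
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows1⤵PID:380
C:\Windows\system32\wininit.exewininit.exe1⤵PID:372
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵PID:488
""" + f'C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"2⤵PID:1544'

# Constructed excerpt of the AdjustPrivilegeToken signature.
TOKEN_EXCERPT = f"description pid Process Token: SeDebugPrivilege 1544 {SAMPLE}"

# Assumption of this example: core Windows processes a user-mode binary has no
# business writing into.
SYSTEM_IMAGES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                 "services.exe", "lsass.exe", "lsm.exe", "svchost.exe"}

TREE_ROW = re.compile(r"^(.+?\.exe).*?PID:(\d+)\s*$", re.IGNORECASE | re.MULTILINE)
WPM_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
TOKEN_ROW = re.compile(r"Token: (\w+) (\d+) (\S+)")


def parse_process_tree(text: str) -> dict:
    """Map PID -> lower-case image basename; the lazy match stops at the first .exe."""
    return {int(pid): path.rsplit("\\", 1)[-1].lower() for path, pid in TREE_ROW.findall(text)}


def parse_write_rows(text: str) -> list:
    """Return (writer_pid, target_pid, writer_image) for every IoC row."""
    return [(int(w), int(t), img) for w, t, img in WPM_ROW.findall(text)]


def parse_privileges(text: str) -> dict:
    """Map PID -> set of privilege names from the AdjustPrivilegeToken rows."""
    privs = {}
    for priv, pid, _img in TOKEN_ROW.findall(text):
        privs.setdefault(int(pid), set()).add(priv)
    return privs


def correlate(wpm_text: str, tree_text: str, token_text: str) -> list:
    """One finding per (writer, target) pair, sorted by PID, with image names resolved."""
    tree = parse_process_tree(tree_text)
    privs = parse_privileges(token_text)
    counts = Counter((w, t) for w, t, _ in parse_write_rows(wpm_text))
    findings = []
    for (writer, target), n in sorted(counts.items()):
        image = tree.get(target, "<not in tree>")
        findings.append({
            "writer": writer,
            "writer_image": tree.get(writer, "<not in tree>"),
            "target": target,
            "target_image": image,
            "writes": n,
            "system_target": image in SYSTEM_IMAGES,
            "writer_has_sedebug": "SeDebugPrivilege" in privs.get(writer, set()),
        })
    return findings


if __name__ == "__main__":
    for row in correlate(WPM_EXCERPT, TREE_EXCERPT, TOKEN_EXCERPT):
        flag = "SYSTEM" if row["system_target"] else "      "
        print(f"{flag} {row['writer']} -> {row['target']:>4} {row['target_image']:<14} "
              f"x{row['writes']}  SeDebug={row['writer_has_sedebug']}")
```

Run against the full signature text instead of the excerpt, the same code gives the ten targets and the 7/7/7/7/7/7/7/7/7/1 row counts tabulated above; the useful output for a report is the combination of a SYSTEM target, a writer that is not itself a system image, and SeDebugPrivilege on that writer.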
-
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 19KB
MD5: 084d8f3396b3bdccf42fdf51d1b636bf
SHA1: eeef305717d9a2cd9473e7785629ec23d894d6ac
SHA256: 144ed424b33c8fdf443e519a1290f36f784fd439b7d78b926bb2c3063f89de45
SHA512: d74e79ccd65375ae1f5a7b825863f126bbc0706a2af02fa7963113e1db10321ca257905bc1a1ac827799aa3b744f7df6d9ff0156852ae247fd87e67591847fd6

Filesize: 603B
MD5: 4e3f158a63d707f2ce969ba07a784618
SHA1: c7783b041f36ec984d77e90929439f6338b2b152
SHA256: 677ebf539b47a82fe712d6217dd50edc017ba53567f294df1835e25897fc1e0f
SHA512: eb06f016f70235d7e8976cc478a5ba483aafb76b81fa2a2f83f94d9f8b32321f4cf2f41d251fc4bf32c6910c734605531f879eb5de48f5b0c12d48d5e82fabe5