e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c

Analysis

max time kernel
84s
max time network
179s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 22:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe
Size

75KB
MD5

1c012797f82b5c4befdf2611c5175661
SHA1

22740ffefb6bec9c8ad8505e960d5d5aa2deace3
SHA256

e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c
SHA512

484f218670d2f11e6f7e9af5d978b12128c18903c7c562fa9fcf4a401ae834b45bf088128b40f4840d174c2590b27662cd1f5f6f660a6370e64093d77cf18899
SSDEEP

1536:Ak9jHFv9FlF9BFfYRKYqgnqUO1kljQQPhuveY:Ak9jHL/F9BRqKY5nIk5N

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0a7092cea08d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377037962"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006d95f400512abd4eb83fa4a458cc4b6500000000020000000000106600000001000020000000337ef58e368662e8119669b078b023b49458b08498cdeec6cdf17dbb23483e66000000000e800000000200002000000026a5e4d8a3c4d388179c0da91709abff0c7f6941f06616a677a84a5e4078ad959000000058b6d52236c939f6c5bc4a68c46d912e34645c39fce286b7efd854b65681356a40fe3bfad4547b38131fb3a980cb4c00f44100c3329c12c738c65f3f7faaa8e73340e0253d9380bbb10ada73f8c309b78e61beeae8c14cf4f713fa1b5f9591f3b1efa00b284c2d0a3171cac1df635cd683e1c7ae4c707cebf573e76a762ae37d278c87aa427ec3e78066bc89998a0c52400000000d4738868f0d64916d8495dfb18087538ca3f81810ec43c82282e4f2bf1d2f94ed3276e874f13040eb382c9c352a1f2d9ed765f7ab01b4d09af4c2974b6d5454	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{61FDC991-74DD-11ED-BD84-7E4CDA66D2DC} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006d95f400512abd4eb83fa4a458cc4b65000000000200000000001066000000010000200000000a62b5932b74a5bf083c5134e856a2a952accd314200e455e15bae57920bd3eb000000000e80000000020000200000001cba59e8ee1abc9a36b265fa6a30c9575784099e46acad2a34471b5851efc2a320000000c94706798eeef9c20b35576dc159d187cd88e734070b4846b660a672a1416c61400000004ddec5f5e794b2c78ee8d7e336ac3b601df0e84d8b294ebd14308ef5ed366abc4255b8b80264c21c43377b13e43a88172ffc608d8cdd187925dbb8ebdf719987	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe

Suspicious behavior: MapViewOfSection 22 IoCs

pid	Process
940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe
940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe
940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe
940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe
940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe
940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe
940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe
940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe
940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe
940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe
940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe
940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe
940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe
940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe
940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe
940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe
940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe
940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe
940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe
940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe
940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe
940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1916	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1916	iexplore.exe
1916	iexplore.exe
548	IEXPLORE.EXE
548	IEXPLORE.EXE
548	IEXPLORE.EXE
548	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 368	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	5
PID 940 wrote to memory of 368	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	5
PID 940 wrote to memory of 368	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	5
PID 940 wrote to memory of 368	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	5
PID 940 wrote to memory of 368	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	5
PID 940 wrote to memory of 376	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	4
PID 940 wrote to memory of 376	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	4
PID 940 wrote to memory of 376	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	4
PID 940 wrote to memory of 376	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	4
PID 940 wrote to memory of 376	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	4
PID 940 wrote to memory of 416	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	3
PID 940 wrote to memory of 416	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	3
PID 940 wrote to memory of 416	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	3
PID 940 wrote to memory of 416	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	3
PID 940 wrote to memory of 416	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	3
PID 940 wrote to memory of 460	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	2
PID 940 wrote to memory of 460	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	2
PID 940 wrote to memory of 460	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	2
PID 940 wrote to memory of 460	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	2
PID 940 wrote to memory of 460	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	2
PID 940 wrote to memory of 476	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	1
PID 940 wrote to memory of 476	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	1
PID 940 wrote to memory of 476	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	1
PID 940 wrote to memory of 476	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	1
PID 940 wrote to memory of 476	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	1
PID 940 wrote to memory of 484	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	25
PID 940 wrote to memory of 484	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	25
PID 940 wrote to memory of 484	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	25
PID 940 wrote to memory of 484	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	25
PID 940 wrote to memory of 484	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	25
PID 940 wrote to memory of 584	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	24
PID 940 wrote to memory of 584	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	24
PID 940 wrote to memory of 584	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	24
PID 940 wrote to memory of 584	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	24
PID 940 wrote to memory of 584	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	24
PID 940 wrote to memory of 664	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	6
PID 940 wrote to memory of 664	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	6
PID 940 wrote to memory of 664	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	6
PID 940 wrote to memory of 664	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	6
PID 940 wrote to memory of 664	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	6
PID 940 wrote to memory of 748	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	23
PID 940 wrote to memory of 748	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	23
PID 940 wrote to memory of 748	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	23
PID 940 wrote to memory of 748	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	23
PID 940 wrote to memory of 748	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	23
PID 940 wrote to memory of 796	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	22
PID 940 wrote to memory of 796	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	22
PID 940 wrote to memory of 796	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	22
PID 940 wrote to memory of 796	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	22
PID 940 wrote to memory of 796	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	22
PID 940 wrote to memory of 824	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	21
PID 940 wrote to memory of 824	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	21
PID 940 wrote to memory of 824	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	21
PID 940 wrote to memory of 824	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	21
PID 940 wrote to memory of 824	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	21
PID 940 wrote to memory of 872	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	20
PID 940 wrote to memory of 872	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	20
PID 940 wrote to memory of 872	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	20
PID 940 wrote to memory of 872	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	20
PID 940 wrote to memory of 872	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	20
PID 940 wrote to memory of 284	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	19
PID 940 wrote to memory of 284	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	19
PID 940 wrote to memory of 284	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	19
PID 940 wrote to memory of 284	940	e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe	19

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:664
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1276
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1180
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:528
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:600
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:112
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:284
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:872
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:824
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:796
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:748
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:584
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1916
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1916 CREDAT:275457 /prefetch:2
      4⤵
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:548

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:376
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:484

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:368

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1976

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1940

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1404
- C:\Users\Admin\AppData\Local\Temp\e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe
  "C:\Users\Admin\AppData\Local\Temp\e2dfd11114689aa5d622a8a83840b2cea3ef5dc0de2b6af908e991038032ed3c.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:940

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat

Filesize
19KB

MD5
5da5316ca1f2b01944aa028da171e329

SHA1
6698dc9002c7a6e593d3ec271e2b5b5c196e5b2f

SHA256
ab01b8bb9dc97885daf697deb0930a2e7b913a357448bb3a83f1b90a7ab326cf

SHA512
2a38286798edd584bde717d3850cc741e225f7ddfb561abf90338e431a393b6116971b21a2153b7a1a624e2200300ffb3b64f52f46c5044054b6e2fc78fc579c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\U6IE1UOB.txt

Filesize
608B

MD5
830160b549c061a9da6bdf3c877d03cd

SHA1
c73c1a08c641f9b303ad6fbe4bd51badad229ba1

SHA256
4a94063a2d76c9c92f786f1f535f49c17e6ea9c7160fd467b502b6a89fa83102

SHA512
825ea8c0511cc5a97b731fcfb33589610acdeebec8263b29970a5dae5b19364f6e32364d41f46675ec9df7dceb41cc796c68afa9c6392e48da504e8d4aca7a85

Download Submit
memory/940-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/940-56-0x0000000000020000-0x000000000003A000-memory.dmp

Filesize
104KB

Download
memory/940-57-0x0000000000020000-0x000000000003A000-memory.dmp

Filesize
104KB

Download
memory/940-55-0x0000000001000000-0x000000000101A000-memory.dmp

Filesize
104KB

Download