Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-02-2023 09:22
- Static task: static1
- Behavioral task: behavioral1
- Sample: 878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
- Resource: win7-20220812-en
General
- Target: 878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
- Size: 52KB
- MD5: 207fdcecc4c844004d064f7f7d25fb0f
- SHA1: 4a1b05f7cd8b3ba7c82f48ca8aeb10b264369c4c
- SHA256: 878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9
- SHA512: 739ce29e9cf6d5cb25e22841bb28d0e0d825c452df49f3b15e9a0b2d275150f88da198566b540fc3d40c089cbd0dcd077f79620e4a2c2d1f7d9e13a5cb46499d
- SSDEEP: 768:EyH64NqpyLvO3klekO2Pco2YQ78QTEB6SrZdP545gkRUnqkAmZbI:w5pyLvLy2awvsSVBqukeqxEI
Malware Config
Extracted
formbook
scse
SKpYFyVNT2zunKf0uuM=
FlEHUseI7I5XbrO8fR/XBcS9ZA==
FPuxoUOxkLiATugw
VKdxsDSk0jdT5Kw=
FpqHf9iI/1tl97E=
YGI6sIl3UIxfZvlD+JiUuuLR
oBAEO0suBEAD5aK00A==
RKJqTzg4gQ/Q6DYSuTjDGkwuyl0ik5Kb8w==
VFg9s3W0/Ype8A3cZb+D7g==
hwD+VNd6014nrsaTWm4FBcS9ZA==
zkAdUq1soKYUfZaTqLmL
XVQ9WbRivUIQ477a/hKv+g==
QireF2geizAwmp674AGc5g==
PSTUQxs6j8OATugw
LHJhyy2VbX8NEqf0uuM=
MiY1vg6T3HqATugw
wqkUjaVXnGgBqA==
jUr/eUtSIT01Wegt
PjQidcqKzAbSZICUZb+D7g==
OkAmcv12sUEAIHwFHakzdIo2FPHw
zyDLsw+3I3H6gnaGZb+D7g==
ll0HRs5IJGxCZMJPahHgOt2RqjU=
YqaIEokHuw6V
jGJG11YCObJ+IQIXCW8KU+ZcbA==
jv4ITr8zITdT5Kw=
nXYro3yHe5YV5aK00A==
rJt1IPkxeQDUayhVCJyUuuLR
oFwz1DUU/RdD5aK00A==
FHlVTKEVIRFE5aK00A==
8GhjL2lJOWD+5aK00A==
k3BLouunGsagwhAi6oeUuuLR
p45GiQN5bZMjR9karDwDa442FPHw
Zdd7rVCKu/b3TIVU6t/lP92RqjU=
wyjxGjYHuw6V
nW5RrwV6yTdT5Kw=
itzGDGclWW4SqnLBSWH5Pt2RqjU=
8zwgceJYRWn+DKf0uuM=
EmojFmj027tsHrs=
ExQEPY5UyyS00HPvNNCH8w==
laiGCZRTkbg/XAl/Zb+D7g==
wYQysWBl+DdT5Kw=
MWo3rYV3XoAJ5aK00A==
hnht0SrcDR+XpjV6H6WUuuLR
rxqw6S7qG8A=
aEcfph/RAUAcfZYnXOw=
EXdVkuuzJ8eEjkTROs2D
MDYsc8l6w0wM7ZOiyQ==
Rw3XPwT+8UID5aK00A==
zDPp+Pskft/5iqS+0Q==
Z8h8hYCm/ULHXQ+YY2kJBcS9ZA==
vTDkm31vabx5EfoFMjLsVpBlz+fQfg==
+EcrRpZyp7tFba65dhvXBcS9ZA==
rHVJpwl6dLSATugw
gUoTghFSoTMpiXyQe9N3uOjQ
47Zwn/CkFQCty07ROs2D
NYkP+jcHuw6V
nfvdFnkHuw6V
L4piRRhAmfwGKITjemhRkmQ=
s6Jdx36Q+t5U7LE=
58iYH6dVmzYCnHZ/Zb+D7g==
IQ/WHZJWuVUD5aK00A==
Cf6t72PUxhnicjvBiFxqP0o2FPHw
DQr7l4R4rlEJ5aK00A==
62gezKeQv8mIIBbcZb+D7g==
kmuregister.com
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description                           pid   process                                                                 target process
  PID 1328 set thread context of 1920   1328  878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   AddInProcess32.exe
  PID 1920 set thread context of 772    1920  AddInProcess32.exe                                                      Explorer.EXE
  PID 3780 set thread context of 772    3780  cmd.exe                                                                 Explorer.EXE
-
Modifies Internet Explorer settings
Processes:
  description   ioc                                                                                                                        process
  Key created   \Registry\User\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2   cmd.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process                                                                 rows
  1328  878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   54
  1920  AddInProcess32.exe                                                      8
  3780  cmd.exe                                                                 2
  (64 rows in total; identical rows collapsed into a count)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  772   Explorer.EXE
-
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
  pid   process              rows
  1920  AddInProcess32.exe   3
  3780  cmd.exe              4
  (7 rows in total; identical rows collapsed into a count)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description               pid   process
  Token: SeDebugPrivilege   1328  878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
  Token: SeDebugPrivilege   1920  AddInProcess32.exe
  Token: SeDebugPrivilege   3780  cmd.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  Every row reads "PID <source> wrote to memory of <target>"; rows with the same source and target are collapsed into a count (64 rows in total).
  source pid  source process                                                          target pid  target process                    rows
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   4936        aspnet_compiler.exe               2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   4944        Microsoft.Workflow.Compiler.exe   2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   1656        AppLaunch.exe                     2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   1644        cvtres.exe                        2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   684         DataSvcUtil.exe                   2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   564         ServiceModelReg.exe               2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   4536        aspnet_regbrowsers.exe            2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   60          dfsvc.exe                         2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   4808        AddInUtil.exe                     2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   2884        aspnet_regsql.exe                 2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   2696        MSBuild.exe                       2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   2780        csc.exe                           2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   4856        AddInProcess.exe                  2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   2900        aspnet_state.exe                  2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   1480        RegAsm.exe                        2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   4276        EdmGen.exe                        2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   1872        CasPol.exe                        2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   3576        InstallUtil.exe                   2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   4424        WsatConfig.exe                    2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   368         aspnet_wp.exe                     2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   260         aspnet_regiis.exe                 2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   204         ngentask.exe                      2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   208         ComSvcConfig.exe                  2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   4552        ilasm.exe                         2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   4884        RegSvcs.exe                       2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   912         vbc.exe                           2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   1736        ngen.exe                          2
  1328        878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe   1920        AddInProcess32.exe                6
  772         Explorer.EXE                                                            3780        cmd.exe                           3
  3780        cmd.exe                                                                 4512        Firefox.exe                       1
Processes
Tree depth is shown by indentation; each entry gives the image path followed by the command line it was started with, then the signatures that fired for it.

C:\Windows\Explorer.EXE  [cmdline: C:\Windows\Explorer.EXE]
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe"]
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"]
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe  [cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"]
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  [cmdline: "C:\Windows\SysWOW64\cmd.exe"]
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\Firefox.exe  [cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe"]
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/772-143-0x0000000008250000-0x0000000008396000-memory.dmp  (Filesize: 1.3MB)
- memory/772-153-0x0000000008F40000-0x00000000090BE000-memory.dmp  (Filesize: 1.5MB)
- memory/772-151-0x0000000008F40000-0x00000000090BE000-memory.dmp  (Filesize: 1.5MB)
- memory/1328-133-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp  (Filesize: 10.8MB)
- memory/1328-137-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp  (Filesize: 10.8MB)
- memory/1328-132-0x000002C3196C0000-0x000002C3196D2000-memory.dmp  (Filesize: 72KB)
- memory/1920-138-0x0000000000400000-0x000000000042E000-memory.dmp  (Filesize: 184KB)
- memory/1920-146-0x0000000000401000-0x000000000042E000-memory.dmp  (Filesize: 180KB)
- memory/1920-141-0x0000000001180000-0x0000000001190000-memory.dmp  (Filesize: 64KB)
- memory/1920-142-0x0000000000422000-0x0000000000424000-memory.dmp  (Filesize: 8KB)
- memory/1920-139-0x0000000000401000-0x000000000042E000-memory.dmp  (Filesize: 180KB)
- memory/1920-134-0x0000000000400000-0x000000000042E000-memory.dmp  (Filesize: 184KB)
- memory/1920-145-0x0000000000400000-0x000000000042E000-memory.dmp  (Filesize: 184KB)
- memory/1920-140-0x0000000001750000-0x0000000001A9A000-memory.dmp  (Filesize: 3.3MB)
- memory/1920-135-0x00000000004012B0-mapping.dmp
- memory/3780-149-0x0000000001690000-0x00000000019DA000-memory.dmp  (Filesize: 3.3MB)
- memory/3780-147-0x00000000004E0000-0x000000000053A000-memory.dmp  (Filesize: 360KB)
- memory/3780-148-0x00000000009D0000-0x00000000009FD000-memory.dmp  (Filesize: 180KB)
- memory/3780-150-0x0000000001430000-0x00000000014BF000-memory.dmp  (Filesize: 572KB)
- memory/3780-152-0x00000000009D0000-0x00000000009FD000-memory.dmp  (Filesize: 180KB)
- memory/3780-144-0x0000000000000000-mapping.dmp