62f624a2ac863cf0fd91916b4536c44446954e29f2232629f3e4cb02a4ec1dc5

Analysis

max time kernel
338s
max time network
341s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27-03-2023 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RMHOOK.exe
Size

13.6MB
MD5

b1434b82c5a9f1dae4d3844d49e71d2b
SHA1

358a68782de28330f3bd330e481faa30a8ad322a
SHA256

62f624a2ac863cf0fd91916b4536c44446954e29f2232629f3e4cb02a4ec1dc5
SHA512

2e669a708cae00dc6cbf8905626373bcfc10d30922228cc6715f80e897a49d3fd1a50eeea49d4b9e1acd589d3c0f07ca38b0721fdc82654a840a7c1676139fd4
SSDEEP

196608:4urGVwgaunHfoOEs7ayo5xxa107oC/+EGxFDon9XoUJoyVytZkp8mjMMfyaBS:7KVwgt/zviFhoCY7El5FYtZkp8mF/

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_766C81A2282241A7936EAC1B424CC035.dat	utilman.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_766C81A2282241A7936EAC1B424CC035.dat	utilman.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT	Narrator.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT	Narrator.exe

Enumerates system info in registry 2 TTPs 32 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	csrss.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c2271431-10f4-4859-90b1-79b4a5fadcba}\ = "Speakers (High Definition Audio Device)"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\HighContrast\Pre-High Contrast Scheme = "C:\\Windows\\resources\\themes\\Aero\\Aero.msstyles"	sethc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowHeight = "227"	osk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files	Narrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\AppLexicons	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\PhoneConverters\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\PhoneConverters\\Tokens\\English"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\HighContrast	sethc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\SpeechEngines\Microsoft\TTS20\MSTTSLoc.dll,-1033 = "Microsoft Anna - English (United States)"	Narrator.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Narrator\CurrentVolume = "9"	Narrator.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel = "1"	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\ScanKey = "32"	osk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\ShowNumPad = "0"	osk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "0"	sethc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowLeft = "100"	osk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c2271431-10f4-4859-90b1-79b4a5fadcba}\Attributes	Narrator.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\HighContrast\Pre-High Contrast Size = "NormalSize"	sethc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	Narrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}	Narrator.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Narrator\AnnounceScrollNotifications = "0"	Narrator.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c2271431-10f4-4859-90b1-79b4a5fadcba}\ = "Speakers (High Definition Audio Device)"	Narrator.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Narrator\BackgroundMessageTimeout = "30000"	Narrator.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	sethc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus	Narrator.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c2271431-10f4-4859-90b1-79b4a5fadcba}\DeviceId = "{0.0.0.00000000}.{c2271431-10f4-4859-90b1-79b4a5fadcba}"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	osk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	sethc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\ = "Current User Lexicon"	Narrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Narrator	Narrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\AppLexicons	Narrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c2271431-10f4-4859-90b1-79b4a5fadcba}	Narrator.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c2271431-10f4-4859-90b1-79b4a5fadcba}\CLSID = "{A8C680EB-3D32-11D2-9EE7-00C04F797396}"	Narrator.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\PhoneConverters	Narrator.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ScreenMagnifier\MagnifierUIWindowMinimized = "0"	Magnify.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\CLSID = "{C9E37C15-DF92-4727-85D6-72E5EEB6995A}"	Narrator.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c2271431-10f4-4859-90b1-79b4a5fadcba}\DeviceName = "Speakers (High Definition Audio Device)"	Narrator.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	sethc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	sethc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Osk	osk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ScreenMagnifier\RunBefore = "1"	Magnify.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Narrator\CurrentSpeed = "5"	Narrator.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\Generation = "0"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c2271431-10f4-4859-90b1-79b4a5fadcba}\CLSID = "{A8C680EB-3D32-11D2-9EE7-00C04F797396}"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c2271431-10f4-4859-90b1-79b4a5fadcba}\Attributes\Technology = "MMSys"	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\HoverPeriod = "1000"	osk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c2271431-10f4-4859-90b1-79b4a5fadcba}	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\CLSID = "{C9E37C15-DF92-4727-85D6-72E5EEB6995A}"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AppLexicons	Narrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c2271431-10f4-4859-90b1-79b4a5fadcba}\Attributes\Vendor = "Microsoft"	Narrator.exe
Key created	\REGISTRY\USER\.DEFAULT\System	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{c2271431-10f4-4859-90b1-79b4a5fadcba}\DeviceName = "Speakers (High Definition Audio Device)"	utilman.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1056	RMHOOK.exe
1056	RMHOOK.exe
1476	utilman.exe
1476	utilman.exe
752	Narrator.exe
752	Narrator.exe
752	Narrator.exe
752	Narrator.exe
752	Narrator.exe
752	Narrator.exe
752	Narrator.exe
752	Narrator.exe
752	Narrator.exe
752	Narrator.exe
752	Narrator.exe
752	Narrator.exe
752	Narrator.exe
752	Narrator.exe
752	Narrator.exe
752	Narrator.exe
752	Narrator.exe
752	Narrator.exe
752	Narrator.exe
752	Narrator.exe
752	Narrator.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 33	268	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	268	AUDIODG.EXE
Token: 33	268	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	268	AUDIODG.EXE
Token: SeShutdownPrivilege	1572	LogonUI.exe
Token: SeShutdownPrivilege	1572	LogonUI.exe
Token: SeDebugPrivilege	752	Narrator.exe
Token: SeShutdownPrivilege	1572	LogonUI.exe
Token: SeShutdownPrivilege	1520	winlogon.exe
Token: SeShutdownPrivilege	1520	winlogon.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1792	Magnify.exe
1792	Magnify.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1792	Magnify.exe
752	Narrator.exe
1628	osk.exe
1628	osk.exe
1628	osk.exe
1628	osk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1572	1424	csrss.exe	36
PID 1424 wrote to memory of 1572	1424	csrss.exe	36
PID 1520 wrote to memory of 1572	1520	winlogon.exe	36
PID 1520 wrote to memory of 1572	1520	winlogon.exe	36
PID 1520 wrote to memory of 1572	1520	winlogon.exe	36
PID 1424 wrote to memory of 1572	1424	csrss.exe	36
PID 1424 wrote to memory of 1572	1424	csrss.exe	36
PID 1424 wrote to memory of 1572	1424	csrss.exe	36
PID 1424 wrote to memory of 1572	1424	csrss.exe	36
PID 1424 wrote to memory of 1572	1424	csrss.exe	36
PID 1424 wrote to memory of 1572	1424	csrss.exe	36
PID 1424 wrote to memory of 1572	1424	csrss.exe	36
PID 1424 wrote to memory of 1572	1424	csrss.exe	36
PID 1424 wrote to memory of 1476	1424	csrss.exe	37
PID 1424 wrote to memory of 1476	1424	csrss.exe	37
PID 1520 wrote to memory of 1476	1520	winlogon.exe	37
PID 1520 wrote to memory of 1476	1520	winlogon.exe	37
PID 1520 wrote to memory of 1476	1520	winlogon.exe	37
PID 1424 wrote to memory of 1476	1424	csrss.exe	37
PID 1424 wrote to memory of 1476	1424	csrss.exe	37
PID 1424 wrote to memory of 1476	1424	csrss.exe	37
PID 1424 wrote to memory of 752	1424	csrss.exe	39
PID 1424 wrote to memory of 752	1424	csrss.exe	39
PID 1476 wrote to memory of 752	1476	utilman.exe	39
PID 1476 wrote to memory of 752	1476	utilman.exe	39
PID 1476 wrote to memory of 752	1476	utilman.exe	39
PID 1424 wrote to memory of 1792	1424	csrss.exe	40
PID 1424 wrote to memory of 1792	1424	csrss.exe	40
PID 1476 wrote to memory of 1792	1476	utilman.exe	40
PID 1476 wrote to memory of 1792	1476	utilman.exe	40
PID 1476 wrote to memory of 1792	1476	utilman.exe	40
PID 1424 wrote to memory of 752	1424	csrss.exe	39
PID 1424 wrote to memory of 664	1424	csrss.exe	41
PID 1424 wrote to memory of 664	1424	csrss.exe	41
PID 1476 wrote to memory of 664	1476	utilman.exe	41
PID 1476 wrote to memory of 664	1476	utilman.exe	41
PID 1476 wrote to memory of 664	1476	utilman.exe	41
PID 1424 wrote to memory of 1792	1424	csrss.exe	40
PID 1424 wrote to memory of 1792	1424	csrss.exe	40
PID 1424 wrote to memory of 188	1424	csrss.exe	42
PID 1424 wrote to memory of 188	1424	csrss.exe	42
PID 1520 wrote to memory of 188	1520	winlogon.exe	42
PID 1520 wrote to memory of 188	1520	winlogon.exe	42
PID 1520 wrote to memory of 188	1520	winlogon.exe	42
PID 1424 wrote to memory of 188	1424	csrss.exe	42
PID 1424 wrote to memory of 1628	1424	csrss.exe	43
PID 1424 wrote to memory of 1628	1424	csrss.exe	43
PID 1424 wrote to memory of 1792	1424	csrss.exe	40
PID 1476 wrote to memory of 1628	1476	utilman.exe	43
PID 1476 wrote to memory of 1628	1476	utilman.exe	43
PID 1476 wrote to memory of 1628	1476	utilman.exe	43
PID 1424 wrote to memory of 664	1424	csrss.exe	41
PID 1424 wrote to memory of 532	1424	csrss.exe	44
PID 1424 wrote to memory of 532	1424	csrss.exe	44
PID 1476 wrote to memory of 532	1476	utilman.exe	44
PID 1476 wrote to memory of 532	1476	utilman.exe	44
PID 1476 wrote to memory of 532	1476	utilman.exe	44
PID 1424 wrote to memory of 532	1424	csrss.exe	44
PID 1424 wrote to memory of 1932	1424	csrss.exe	45
PID 1424 wrote to memory of 1932	1424	csrss.exe	45
PID 1476 wrote to memory of 1932	1476	utilman.exe	45
PID 1476 wrote to memory of 1932	1476	utilman.exe	45
PID 1476 wrote to memory of 1932	1476	utilman.exe	45
PID 1424 wrote to memory of 1932	1424	csrss.exe	45

C:\Users\Admin\AppData\Local\Temp\RMHOOK.exe
"C:\Users\Admin\AppData\Local\Temp\RMHOOK.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1056

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1572
- C:\Windows\system32\utilman.exe
  utilman.exe /debug
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\System32\Narrator.exe
    "C:\Windows\System32\Narrator.exe"
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:752
- - C:\Windows\System32\Magnify.exe
    "C:\Windows\System32\Magnify.exe"
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1792
- - C:\Windows\System32\Sethc.exe
    "C:\Windows\System32\Sethc.exe" /AccessibilitySoundAgent
    3⤵
    PID:664
- - C:\Windows\System32\osk.exe
    "C:\Windows\System32\osk.exe"
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:1628
- - C:\Windows\System32\Sethc.exe
    "C:\Windows\System32\Sethc.exe" /AccessibilitySoundAgent
    3⤵
    PID:532
- - C:\Windows\System32\Sethc.exe
    "C:\Windows\System32\Sethc.exe" /AccessibilitySoundAgent
    3⤵
    PID:1932
- C:\Windows\system32\sethc.exe
  sethc.exe 101
  2⤵
  - Modifies data under HKEY_USERS
  PID:188

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:672

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2612

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_766C81A2282241A7936EAC1B424CC035.dat

Filesize
940B

MD5
92507f3469038324d1ce7879cd4ff0c7

SHA1
b471cf8e3aafc92e437de8bc6bcd11e86cb1afbc

SHA256
c60c28ac8edaf1fa7ac7ad0e65c95716abacca280b5c6d28edfecd289cce7713

SHA512
70915a513b8f53c7796801623d4aef9bad4bc05b7713e4d37ada558bc63298f3380212cb233ff3003576a31faba85ab52da7a5c037b27bb9b173f7b8b14e5e9c

Download Submit
memory/752-94-0x0000000000EA0000-0x0000000000F20000-memory.dmp

Filesize
512KB

Download
memory/752-176-0x0000000000EA0000-0x0000000000F20000-memory.dmp

Filesize
512KB

Download
memory/752-177-0x0000000000EA0000-0x0000000000F20000-memory.dmp

Filesize
512KB

Download
memory/752-64-0x0000000000A70000-0x0000000000B7A000-memory.dmp

Filesize
1.0MB

Download
memory/752-65-0x0000000000EA0000-0x0000000000F20000-memory.dmp

Filesize
512KB

Download
memory/752-95-0x0000000000EA0000-0x0000000000F20000-memory.dmp

Filesize
512KB

Download
memory/752-97-0x0000000000EA0000-0x0000000000F20000-memory.dmp

Filesize
512KB

Download
memory/752-96-0x0000000000EA0000-0x0000000000F20000-memory.dmp

Filesize
512KB

Download
memory/1056-55-0x0000000076FD0000-0x0000000076FD2000-memory.dmp

Filesize
8KB

Download
memory/1056-56-0x0000000076FD0000-0x0000000076FD2000-memory.dmp

Filesize
8KB

Download
memory/1056-54-0x0000000076FD0000-0x0000000076FD2000-memory.dmp

Filesize
8KB

Download
memory/1476-91-0x0000000000880000-0x0000000000890000-memory.dmp

Filesize
64KB

Download
memory/1476-63-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/1572-59-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1628-178-0x0000000001580000-0x0000000001581000-memory.dmp

Filesize
4KB

Download
memory/1792-98-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/2612-179-0x00000000014D0000-0x00000000014D1000-memory.dmp

Filesize
4KB

Download
memory/2736-181-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download