56bc30e99a76192e7c58678c9ea2df05fe524be0aa8e7d5db2aaf8fbaf76a200

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59bc15ce4dccd35ab21625a6bda720a9.exe
Size

1020KB
MD5

59bc15ce4dccd35ab21625a6bda720a9
SHA1

404dfdcde677387314e4cebb5e41cd151a76946e
SHA256

56bc30e99a76192e7c58678c9ea2df05fe524be0aa8e7d5db2aaf8fbaf76a200
SHA512

a9b0741e9fa9aa9f1333cdf3d92cb79fc0ff3c4614ab599db10182bedab91473f8244c90dab48fa03eecf215be07d4e54fc0195e7a8e82cec508816a9e96d3de
SSDEEP

12288:Y7HEcbV+K3FuzGIwo2Zn83uh6y7rCQTrl87+kE3E/:Y7HEcbV1FPo2Z8+h60uQTrl87+k5

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1752	csrss.exe
2140	csrss.exe
2628	mfnspinst32.exe
2644	mfnsvc.exe
2480	mfnsvc.exe
1724	mfnspinst32.exe
1928	mfnsvc.exe
2784	sslmgr.exe
1524	nod32krn.exe
2844	csrss.exe
384	mfnspinst32.exe
572	mfnsvc.exe
1816	sslmgr.exe
2432	nod32krn.exe
768	nod32krn.exe
2424	sslmgr.exe
2324	nod32krn.exe
1184	nod32krn.exe
2268	nod32krn.exe
2516	nod32krn.exe
1964	csrss.exe
1776	nod32krn.exe
1108	nod32krn.exe
1600	csrss.exe
2060	nod32krn.exe
2656	nod32krn.exe
844	csrss.exe
1232	nod32krn.exe
776	nod32krn.exe
2072	nod32krn.exe
1744	nod32krn.exe
2120	nod32krn.exe
1044	csrss.exe
1924	nod32krn.exe
952	nod32krn.exe
1324	csrss.exe
2880	nod32krn.exe
2712	nod32krn.exe
1896	csrss.exe
2968	nod32krn.exe
2024	nod32krn.exe
2972	csrss.exe
1452	nod32krn.exe
2832	nod32krn.exe
1824	csrss.exe
2676	nod32krn.exe
1568	nod32krn.exe
2352	csrss.exe
792	nod32krn.exe
324	nod32krn.exe
2164	csrss.exe
2376	nod32krn.exe
1028	nod32krn.exe
780	csrss.exe
2072	nod32krn.exe
2536	nod32krn.exe
2580	csrss.exe
2896	nod32krn.exe
2084	nod32krn.exe
2960	csrss.exe
1652	nod32krn.exe
1244	nod32krn.exe
1468	csrss.exe
2684	nod32krn.exe

Loads dropped DLL 64 IoCs

pid	Process
1044	59bc15ce4dccd35ab21625a6bda720a9.exe
1044	59bc15ce4dccd35ab21625a6bda720a9.exe
1752	csrss.exe
2692	regsvr32.exe
1752	csrss.exe
2628	mfnspinst32.exe
2628	mfnspinst32.exe
1752	csrss.exe
1712	regsvr32.exe
1044	csrss.exe
1724	mfnspinst32.exe
1044	csrss.exe
1752	csrss.exe
1752	csrss.exe
2784	sslmgr.exe
1752	csrss.exe
1752	csrss.exe
1524	nod32krn.exe
1524	nod32krn.exe
2340	regsvr32.exe
1524	nod32krn.exe
384	mfnspinst32.exe
1524	nod32krn.exe
1044	csrss.exe
1044	csrss.exe
1816	sslmgr.exe
1044	csrss.exe
1044	csrss.exe
1044	csrss.exe
1044	csrss.exe
1524	nod32krn.exe
1524	nod32krn.exe
2424	sslmgr.exe
1752	csrss.exe
1752	csrss.exe
1752	csrss.exe
1752	csrss.exe
1524	nod32krn.exe
1524	nod32krn.exe
1524	nod32krn.exe
1524	nod32krn.exe
1524	nod32krn.exe
1524	nod32krn.exe
1524	nod32krn.exe
1524	nod32krn.exe
1752	csrss.exe
1752	csrss.exe
1752	csrss.exe
1752	csrss.exe
1524	nod32krn.exe
1524	nod32krn.exe
1752	csrss.exe
1752	csrss.exe
1752	csrss.exe
1752	csrss.exe
1524	nod32krn.exe
1524	nod32krn.exe
1752	csrss.exe
1752	csrss.exe
1752	csrss.exe
1752	csrss.exe
1524	nod32krn.exe
1524	nod32krn.exe
1752	csrss.exe

Modifies system executable filetype association 2 TTPs 6 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\run %1 %*"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\run %1 %*"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	nod32krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\run %1 %*"	nod32krn.exe

Drops autorun.inf file 1 TTPs 12 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	csrss.exe
File opened for modification	C:\autorun.inf	csrss.exe
File created	F:\autorun.inf	csrss.exe
File opened for modification	C:\autorun.inf	nod32krn.exe
File opened for modification	F:\autorun.inf	csrss.exe
File created	C:\autorun.inf	csrss.exe
File opened for modification	C:\autorun.inf	csrss.exe
File created	F:\autorun.inf	csrss.exe
File opened for modification	F:\autorun.inf	csrss.exe
File created	C:\autorun.inf	nod32krn.exe
File created	F:\autorun.inf	nod32krn.exe
File opened for modification	F:\autorun.inf	nod32krn.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mfncom.dll	csrss.exe
File opened for modification	C:\Windows\SysWOW64\mfncom.dll	nod32krn.exe
File opened for modification	C:\Windows\SysWOW64\mfnhks32.dll	nod32krn.exe
File opened for modification	C:\Windows\SysWOW64\isult.dll	sslmgr.exe
File opened for modification	C:\Windows\SysWOW64\sslmgr.exe	nod32krn.exe
File opened for modification	C:\Windows\SysWOW64\isult.dll	sslmgr.exe
File created	C:\Windows\SysWOW64\tmp910671.tmp	59bc15ce4dccd35ab21625a6bda720a9.exe
File opened for modification	C:\Windows\SysWOW64\mfnsp32.dll	csrss.exe
File opened for modification	C:\Windows\SysWOW64\sslmgr.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\run.exe	nod32krn.exe
File opened for modification	C:\Windows\SysWOW64\run.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\nod32krn.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\mfnsvc.exe	nod32krn.exe
File opened for modification	C:\Windows\SysWOW64\mfnspinst32.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\mfnsvc.exe	csrss.exe
File created	C:\Windows\SysWOW64\tmp661236.tmp	nod32krn.exe
File opened for modification	C:\Windows\SysWOW64\mfnhks32.dll	csrss.exe
File opened for modification	C:\Windows\SysWOW64\mfnsp32.dll	nod32krn.exe
File created	C:\Windows\SysWOW64\tmp420925.tmp	csrss.exe
File opened for modification	C:\Windows\SysWOW64\mfncom.dll	csrss.exe
File opened for modification	C:\Windows\SysWOW64\mfnsp32.dll	csrss.exe
File opened for modification	C:\Windows\SysWOW64\mfnspinst32.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\sslmgr.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\isult.dll	sslmgr.exe
File opened for modification	C:\Windows\SysWOW64\nod32krn.exe	nod32krn.exe
File opened for modification	C:\Windows\SysWOW64\mfnspinst32.exe	nod32krn.exe
File opened for modification	C:\Windows\SysWOW64\nod32krn.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\mfnhks32.dll	csrss.exe
File opened for modification	C:\Windows\SysWOW64\mfnsvc.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\run.exe	csrss.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
1776	taskkill.exe
3060	taskkill.exe
2620	taskkill.exe
112	taskkill.exe
2156	taskkill.exe
2556	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{73B91E0B-252F-4776-9766-18A8A8775788}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8CFADADE-AF49-4E77-91EE-FE20037589C9}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1782E3A4-71BF-4B77-9B36-BC98CFD51C67}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\ProgID\ = "mfncom.MFNHTTPCtrl.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{6CBA02B2-40D4-4AF6-B2D6-7E5AD43439F9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\AppID = "{6CBA02B2-40D4-4AF6-B2D6-7E5AD43439F9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{6CBA02B2-40D4-4AF6-B2D6-7E5AD43439F9}\ = "mfncom"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\run %1 %*"	nod32krn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8CFADADE-AF49-4E77-91EE-FE20037589C9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfncom.MFNHTTPCtrl.1\ = "MFNHTTPCtrl Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\mfncom.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1782E3A4-71BF-4B77-9B36-BC98CFD51C67}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1782E3A4-71BF-4B77-9B36-BC98CFD51C67}\TypeLib\ = "{73B91E0B-252F-4776-9766-18A8A8775788}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\InprocServer32\ = "C:\\Windows\\SysWow64\\mfncom.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8CFADADE-AF49-4E77-91EE-FE20037589C9}\TypeLib\ = "{73B91E0B-252F-4776-9766-18A8A8775788}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\AppID = "{6CBA02B2-40D4-4AF6-B2D6-7E5AD43439F9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1782E3A4-71BF-4B77-9B36-BC98CFD51C67}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfncom.MFNHTTPCtrl\CurVer\ = "mfncom.MFNHTTPCtrl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfncom.MFNHTTPCtrl\ = "MFNHTTPCtrl Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{73B91E0B-252F-4776-9766-18A8A8775788}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{73B91E0B-252F-4776-9766-18A8A8775788}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfncom.MFNHTTPCtrl\CLSID\ = "{FD39B45D-9616-4615-8E68-D99FC6472C6C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\ = "MFNHTTPCtrl Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1782E3A4-71BF-4B77-9B36-BC98CFD51C67}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\ProgID\ = "mfncom.MFNHTTPCtrl.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mfncom.MFNHTTPCtrl.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8CFADADE-AF49-4E77-91EE-FE20037589C9}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\TypeLib\ = "{73B91E0B-252F-4776-9766-18A8A8775788}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\mfncom.DLL\AppID = "{6CBA02B2-40D4-4AF6-B2D6-7E5AD43439F9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8CFADADE-AF49-4E77-91EE-FE20037589C9}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\mfncom.DLL\AppID = "{6CBA02B2-40D4-4AF6-B2D6-7E5AD43439F9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\VersionIndependentProgID\ = "mfncom.MFNHTTPCtrl"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfncom.MFNHTTPCtrl.1\CLSID\ = "{FD39B45D-9616-4615-8E68-D99FC6472C6C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1782E3A4-71BF-4B77-9B36-BC98CFD51C67}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1782E3A4-71BF-4B77-9B36-BC98CFD51C67}\TypeLib\ = "{73B91E0B-252F-4776-9766-18A8A8775788}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\ = "MFNHTTPCtrl Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfncom.MFNHTTPCtrl\CLSID\ = "{FD39B45D-9616-4615-8E68-D99FC6472C6C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\ProgID\ = "mfncom.MFNHTTPCtrl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1782E3A4-71BF-4B77-9B36-BC98CFD51C67}\ = "IMFNHTTPCtrl"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\TypeLib\ = "{73B91E0B-252F-4776-9766-18A8A8775788}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfncom.MFNHTTPCtrl\CLSID\ = "{FD39B45D-9616-4615-8E68-D99FC6472C6C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8CFADADE-AF49-4E77-91EE-FE20037589C9}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\run %1 %*"	csrss.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1524	nod32krn.exe
1524	nod32krn.exe
1524	nod32krn.exe
1524	nod32krn.exe
1524	nod32krn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	taskkill.exe
Token: SeDebugPrivilege	2556	taskkill.exe
Token: SeDebugPrivilege	3060	taskkill.exe
Token: SeDebugPrivilege	1776	nod32krn.exe
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeDebugPrivilege	112	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1752	csrss.exe
1044	csrss.exe
1524	nod32krn.exe

Suspicious use of SetWindowsHookEx 58 IoCs

pid	Process
1044	59bc15ce4dccd35ab21625a6bda720a9.exe
1752	csrss.exe
2140	csrss.exe
1524	nod32krn.exe
2844	csrss.exe
2432	nod32krn.exe
768	nod32krn.exe
2324	nod32krn.exe
1184	nod32krn.exe
2268	nod32krn.exe
2516	nod32krn.exe
1964	csrss.exe
1776	nod32krn.exe
1108	nod32krn.exe
1600	csrss.exe
2060	nod32krn.exe
2656	nod32krn.exe
844	csrss.exe
1232	nod32krn.exe
776	nod32krn.exe
2072	nod32krn.exe
1744	nod32krn.exe
2120	nod32krn.exe
1044	csrss.exe
1924	nod32krn.exe
952	nod32krn.exe
1324	csrss.exe
2880	nod32krn.exe
2712	nod32krn.exe
1896	csrss.exe
2968	nod32krn.exe
2024	nod32krn.exe
2972	csrss.exe
1452	nod32krn.exe
2832	nod32krn.exe
1824	csrss.exe
2676	nod32krn.exe
1568	nod32krn.exe
2352	csrss.exe
792	nod32krn.exe
324	nod32krn.exe
2164	csrss.exe
2376	nod32krn.exe
1028	nod32krn.exe
780	csrss.exe
2072	nod32krn.exe
2536	nod32krn.exe
2580	csrss.exe
2896	nod32krn.exe
2084	nod32krn.exe
2960	csrss.exe
1652	nod32krn.exe
1244	nod32krn.exe
1468	csrss.exe
2684	nod32krn.exe
2732	nod32krn.exe
2220	csrss.exe
1256	nod32krn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1752	1044	59bc15ce4dccd35ab21625a6bda720a9.exe	17
PID 1044 wrote to memory of 1752	1044	59bc15ce4dccd35ab21625a6bda720a9.exe	17
PID 1044 wrote to memory of 1752	1044	59bc15ce4dccd35ab21625a6bda720a9.exe	17
PID 1044 wrote to memory of 1752	1044	59bc15ce4dccd35ab21625a6bda720a9.exe	17
PID 1752 wrote to memory of 2140	1752	csrss.exe	16
PID 1752 wrote to memory of 2140	1752	csrss.exe	16
PID 1752 wrote to memory of 2140	1752	csrss.exe	16
PID 1752 wrote to memory of 2140	1752	csrss.exe	16
PID 1752 wrote to memory of 2620	1752	csrss.exe	45
PID 1752 wrote to memory of 2620	1752	csrss.exe	45
PID 1752 wrote to memory of 2620	1752	csrss.exe	45
PID 1752 wrote to memory of 2620	1752	csrss.exe	45
PID 1752 wrote to memory of 2692	1752	csrss.exe	30
PID 1752 wrote to memory of 2692	1752	csrss.exe	30
PID 1752 wrote to memory of 2692	1752	csrss.exe	30
PID 1752 wrote to memory of 2692	1752	csrss.exe	30
PID 1752 wrote to memory of 2692	1752	csrss.exe	30
PID 1752 wrote to memory of 2692	1752	csrss.exe	30
PID 1752 wrote to memory of 2692	1752	csrss.exe	30
PID 1752 wrote to memory of 2628	1752	csrss.exe	44
PID 1752 wrote to memory of 2628	1752	csrss.exe	44
PID 1752 wrote to memory of 2628	1752	csrss.exe	44
PID 1752 wrote to memory of 2628	1752	csrss.exe	44
PID 1752 wrote to memory of 2628	1752	csrss.exe	44
PID 1752 wrote to memory of 2628	1752	csrss.exe	44
PID 1752 wrote to memory of 2628	1752	csrss.exe	44
PID 1752 wrote to memory of 2644	1752	csrss.exe	42
PID 1752 wrote to memory of 2644	1752	csrss.exe	42
PID 1752 wrote to memory of 2644	1752	csrss.exe	42
PID 1752 wrote to memory of 2644	1752	csrss.exe	42
PID 1752 wrote to memory of 2556	1752	csrss.exe	33
PID 1752 wrote to memory of 2556	1752	csrss.exe	33
PID 1752 wrote to memory of 2556	1752	csrss.exe	33
PID 1752 wrote to memory of 2556	1752	csrss.exe	33
PID 1044 wrote to memory of 3060	1044	csrss.exe	41
PID 1044 wrote to memory of 3060	1044	csrss.exe	41
PID 1044 wrote to memory of 3060	1044	csrss.exe	41
PID 1044 wrote to memory of 3060	1044	csrss.exe	41
PID 1044 wrote to memory of 1712	1044	csrss.exe	39
PID 1044 wrote to memory of 1712	1044	csrss.exe	39
PID 1044 wrote to memory of 1712	1044	csrss.exe	39
PID 1044 wrote to memory of 1712	1044	csrss.exe	39
PID 1044 wrote to memory of 1712	1044	csrss.exe	39
PID 1044 wrote to memory of 1712	1044	csrss.exe	39
PID 1044 wrote to memory of 1712	1044	csrss.exe	39
PID 1044 wrote to memory of 1724	1044	csrss.exe	38
PID 1044 wrote to memory of 1724	1044	csrss.exe	38
PID 1044 wrote to memory of 1724	1044	csrss.exe	38
PID 1044 wrote to memory of 1724	1044	csrss.exe	38
PID 1044 wrote to memory of 1724	1044	csrss.exe	38
PID 1044 wrote to memory of 1724	1044	csrss.exe	38
PID 1044 wrote to memory of 1724	1044	csrss.exe	38
PID 1044 wrote to memory of 1928	1044	csrss.exe	37
PID 1044 wrote to memory of 1928	1044	csrss.exe	37
PID 1044 wrote to memory of 1928	1044	csrss.exe	37
PID 1044 wrote to memory of 1928	1044	csrss.exe	37
PID 1044 wrote to memory of 1776	1044	csrss.exe	65
PID 1044 wrote to memory of 1776	1044	csrss.exe	65
PID 1044 wrote to memory of 1776	1044	csrss.exe	65
PID 1044 wrote to memory of 1776	1044	csrss.exe	65
PID 1752 wrote to memory of 2784	1752	csrss.exe	58
PID 1752 wrote to memory of 2784	1752	csrss.exe	58
PID 1752 wrote to memory of 2784	1752	csrss.exe	58
PID 1752 wrote to memory of 2784	1752	csrss.exe	58

C:\Users\Admin\AppData\Local\Temp\59bc15ce4dccd35ab21625a6bda720a9.exe
"C:\Users\Admin\AppData\Local\Temp\59bc15ce4dccd35ab21625a6bda720a9.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Temp\csrss.exe
  C:\Users\Admin\AppData\Local\Temp\csrss.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 C:\Windows\system32\mfncom.dll /s
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /IM sslmgr.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2556
- - C:\Windows\SysWOW64\mfnsvc.exe
    C:\Windows\system32\mfnsvc.exe /install
    3⤵
    - Executes dropped EXE
    PID:2644
- - C:\Windows\SysWOW64\mfnspinst32.exe
    C:\Windows\system32\mfnspinst32.exe /install "NOD32" "C:\Windows\system32\mfnsp32.dll"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2628
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /IM msconfig.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1524
  - - C:\Windows\SysWOW64\sslmgr.exe
      C:\Windows\system32\sslmgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:2424
  - - C:\Windows\SysWOW64\nod32krn.exe
      C:\Windows\system32\nod32krn.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1964
  - - C:\Windows\SysWOW64\nod32krn.exe
      C:\Windows\system32\nod32krn.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2516
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:844
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      PID:2072
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system executable filetype association
      Drops autorun.inf file
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1324
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2972
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1824
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2352
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2164
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:780
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2580
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2960
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:2220
- - C:\Windows\SysWOW64\sslmgr.exe
    C:\Windows\system32\sslmgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:2784
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2324
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1184
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1776
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1108
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2060
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2656
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1232
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:776
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1744
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2120
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1924
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:952
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2880
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2712
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2968
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2024
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1452
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2832
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2676
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1568
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:792
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:324
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2376
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1028
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2072
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2536
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2896
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2084
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1652
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1244
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2684
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2732
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1256
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /IM sslmgr.exe /F
  2⤵
  - Kills process with taskkill
  PID:1776
- C:\Windows\SysWOW64\mfnsvc.exe
  C:\Windows\system32\mfnsvc.exe /install
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\SysWOW64\mfnspinst32.exe
  C:\Windows\system32\mfnspinst32.exe /install "NOD32" "C:\Windows\system32\mfnsp32.dll"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1724
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 C:\Windows\system32\mfncom.dll /s
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:1712
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /IM msconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Windows\SysWOW64\nod32krn.exe
  C:\Windows\system32\nod32krn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:768
- C:\Windows\SysWOW64\nod32krn.exe
  C:\Windows\system32\nod32krn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2432
- C:\Windows\SysWOW64\sslmgr.exe
  C:\Windows\system32\sslmgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:1816

C:\Users\Admin\AppData\Local\Temp\csrss.exe
C:\Users\Admin\AppData\Local\Temp\csrss.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2140

C:\Windows\SysWOW64\mfnsvc.exe
C:\Windows\SysWOW64\mfnsvc.exe
1⤵
- Executes dropped EXE
PID:2480

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /IM sslmgr.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Windows\SysWOW64\mfnsvc.exe
C:\Windows\system32\mfnsvc.exe /install
1⤵
- Executes dropped EXE
PID:572

C:\Windows\SysWOW64\mfnspinst32.exe
C:\Windows\system32\mfnspinst32.exe /install "NOD32" "C:\Windows\system32\mfnsp32.dll"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:384

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 C:\Windows\system32\mfncom.dll /s
1⤵
- Loads dropped DLL
- Modifies registry class
PID:2340

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /IM msconfig.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Users\Admin\AppData\Local\Temp\csrss.exe
C:\Users\Admin\AppData\Local\Temp\csrss.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\mfncom.dll

Filesize
172KB

MD5
02072e69843b39a070f4b492b05153ef

SHA1
65a69924d65dad1bd5b2933d5971441dc27109c7

SHA256
9e4f261cab18c4437c8371f98a9a6b7aae04ed0c98154c0946a9990fe668ff21

SHA512
552e625e5fed58d9421ce94f220bdf89bdadf86684ca1dd8e5db7b3fe491ea16709ef9fb398e89189887d534552f510b5bb6f4195385c6d9c9ae750499c72aa0

Download Submit
\Windows\SysWOW64\mfnspinst32.exe

Filesize
76KB

MD5
c64c5b6d412245c09c15ea5e7bb6b910

SHA1
c94a7362d5cd34d3d6efa6acf0604121ffe820e0

SHA256
46b310fab7e432978ccef1b9a9307e05360b2c07ef4a5eb8a5679416c4b98e97

SHA512
e9afd2b288f0f0d6f45d69a527f729a60fe52b25f183010ce9b329e5a4d0a98ff3b4220c5ff9206201aa436eada21c6b088e71ffed1032ea3db631bd24bb4605

Download Submit
memory/1044-0-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1524-297-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1524-296-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/1524-295-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/1524-294-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

Filesize
4KB

Download
memory/1524-293-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

Filesize
4KB

Download
memory/1524-289-0x0000000002E40000-0x0000000002E95000-memory.dmp

Filesize
340KB

Download