56bc30e99a76192e7c58678c9ea2df05fe524be0aa8e7d5db2aaf8fbaf76a200

Analysis

max time kernel
2s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59bc15ce4dccd35ab21625a6bda720a9.exe
Size

1020KB
MD5

59bc15ce4dccd35ab21625a6bda720a9
SHA1

404dfdcde677387314e4cebb5e41cd151a76946e
SHA256

56bc30e99a76192e7c58678c9ea2df05fe524be0aa8e7d5db2aaf8fbaf76a200
SHA512

a9b0741e9fa9aa9f1333cdf3d92cb79fc0ff3c4614ab599db10182bedab91473f8244c90dab48fa03eecf215be07d4e54fc0195e7a8e82cec508816a9e96d3de
SSDEEP

12288:Y7HEcbV+K3FuzGIwo2Zn83uh6y7rCQTrl87+kE3E/:Y7HEcbV1FPo2Z8+h60uQTrl87+k5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2192	csrss.exe
2228	csrss.exe
5072	mfnspinst32.exe

Loads dropped DLL 1 IoCs

pid	Process
4612	svchost.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mfnsp32.dll	csrss.exe
File opened for modification	C:\Windows\SysWOW64\run.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\mfnhks32.dll	csrss.exe
File opened for modification	C:\Windows\SysWOW64\mfnspinst32.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\mfnsvc.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\sslmgr.exe	csrss.exe
File created	C:\Windows\SysWOW64\tmp788632.tmp	59bc15ce4dccd35ab21625a6bda720a9.exe
File created	C:\Windows\SysWOW64\tmp295956.tmp	csrss.exe
File opened for modification	C:\Windows\SysWOW64\mfncom.dll	csrss.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
1128	taskkill.exe
836	taskkill.exe
2836	taskkill.exe
5084	taskkill.exe
4052	taskkill.exe
3512	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\mfncom.DLL	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{73B91E0B-252F-4776-9766-18A8A8775788}\1.0\FLAGS\ = "0"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1782E3A4-71BF-4B77-9B36-BC98CFD51C67}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1782E3A4-71BF-4B77-9B36-BC98CFD51C67}\TypeLib\ = "{73B91E0B-252F-4776-9766-18A8A8775788}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{73B91E0B-252F-4776-9766-18A8A8775788}\1.0\ = "mfncom 1.0 Type Library"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1782E3A4-71BF-4B77-9B36-BC98CFD51C67}\ProxyStubClsid32	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfncom.MFNHTTPCtrl.1\CLSID\ = "{FD39B45D-9616-4615-8E68-D99FC6472C6C}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\TypeLib\ = "{73B91E0B-252F-4776-9766-18A8A8775788}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8CFADADE-AF49-4E77-91EE-FE20037589C9}\TypeLib\Version = "1.0"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{6CBA02B2-40D4-4AF6-B2D6-7E5AD43439F9}\ = "mfncom"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{73B91E0B-252F-4776-9766-18A8A8775788}\1.0\HELPDIR	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8CFADADE-AF49-4E77-91EE-FE20037589C9}\TypeLib\ = "{73B91E0B-252F-4776-9766-18A8A8775788}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1782E3A4-71BF-4B77-9B36-BC98CFD51C67}\TypeLib\Version = "1.0"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8CFADADE-AF49-4E77-91EE-FE20037589C9}\ProxyStubClsid32	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{73B91E0B-252F-4776-9766-18A8A8775788}\1.0\0	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{73B91E0B-252F-4776-9766-18A8A8775788}\1.0\0\win32	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8CFADADE-AF49-4E77-91EE-FE20037589C9}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8CFADADE-AF49-4E77-91EE-FE20037589C9}\ = "IMFNHTTPCtrlDispEvents"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\InprocServer32	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8CFADADE-AF49-4E77-91EE-FE20037589C9}\TypeLib	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8CFADADE-AF49-4E77-91EE-FE20037589C9}\TypeLib\Version = "1.0"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\ProgID	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\ProgID\ = "mfncom.MFNHTTPCtrl.1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1782E3A4-71BF-4B77-9B36-BC98CFD51C67}\TypeLib\Version = "1.0"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\mfncom.DLL\AppID = "{6CBA02B2-40D4-4AF6-B2D6-7E5AD43439F9}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfncom.MFNHTTPCtrl.1\ = "MFNHTTPCtrl Class"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\InprocServer32\ = "C:\\Windows\\SysWow64\\mfncom.dll"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8CFADADE-AF49-4E77-91EE-FE20037589C9}\ = "IMFNHTTPCtrlDispEvents"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1782E3A4-71BF-4B77-9B36-BC98CFD51C67}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1782E3A4-71BF-4B77-9B36-BC98CFD51C67}\TypeLib	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mfncom.MFNHTTPCtrl.1\CLSID	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{73B91E0B-252F-4776-9766-18A8A8775788}\1.0\FLAGS	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8CFADADE-AF49-4E77-91EE-FE20037589C9}\ProxyStubClsid32	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1782E3A4-71BF-4B77-9B36-BC98CFD51C67}	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\TypeLib	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{73B91E0B-252F-4776-9766-18A8A8775788}	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{73B91E0B-252F-4776-9766-18A8A8775788}\1.0	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8CFADADE-AF49-4E77-91EE-FE20037589C9}\TypeLib	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mfncom.MFNHTTPCtrl\CLSID	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfncom.MFNHTTPCtrl\CurVer\ = "mfncom.MFNHTTPCtrl.1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\VersionIndependentProgID\ = "mfncom.MFNHTTPCtrl"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\InprocServer32\ThreadingModel = "Apartment"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1782E3A4-71BF-4B77-9B36-BC98CFD51C67}\ = "IMFNHTTPCtrl"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1782E3A4-71BF-4B77-9B36-BC98CFD51C67}\TypeLib	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mfncom.MFNHTTPCtrl.1	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8CFADADE-AF49-4E77-91EE-FE20037589C9}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8CFADADE-AF49-4E77-91EE-FE20037589C9}\TypeLib\ = "{73B91E0B-252F-4776-9766-18A8A8775788}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1782E3A4-71BF-4B77-9B36-BC98CFD51C67}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfncom.MFNHTTPCtrl\ = "MFNHTTPCtrl Class"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\Programmable	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1782E3A4-71BF-4B77-9B36-BC98CFD51C67}\TypeLib\ = "{73B91E0B-252F-4776-9766-18A8A8775788}"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mfncom.MFNHTTPCtrl	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8CFADADE-AF49-4E77-91EE-FE20037589C9}	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8CFADADE-AF49-4E77-91EE-FE20037589C9}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{73B91E0B-252F-4776-9766-18A8A8775788}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\mfncom.dll"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{73B91E0B-252F-4776-9766-18A8A8775788}\1.0\HELPDIR\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1782E3A4-71BF-4B77-9B36-BC98CFD51C67}\ProxyStubClsid32	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1782E3A4-71BF-4B77-9B36-BC98CFD51C67}\ = "IMFNHTTPCtrl"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{6CBA02B2-40D4-4AF6-B2D6-7E5AD43439F9}	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mfncom.MFNHTTPCtrl\CurVer	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\ = "MFNHTTPCtrl Class"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD39B45D-9616-4615-8E68-D99FC6472C6C}\VersionIndependentProgID	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfncom.MFNHTTPCtrl\CLSID\ = "{FD39B45D-9616-4615-8E68-D99FC6472C6C}"	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1128	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2192	csrss.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2884	59bc15ce4dccd35ab21625a6bda720a9.exe
2192	csrss.exe
2228	csrss.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2192	2884	59bc15ce4dccd35ab21625a6bda720a9.exe	21
PID 2884 wrote to memory of 2192	2884	59bc15ce4dccd35ab21625a6bda720a9.exe	21
PID 2884 wrote to memory of 2192	2884	59bc15ce4dccd35ab21625a6bda720a9.exe	21
PID 2192 wrote to memory of 2228	2192	csrss.exe	19
PID 2192 wrote to memory of 2228	2192	csrss.exe	19
PID 2192 wrote to memory of 2228	2192	csrss.exe	19
PID 2192 wrote to memory of 1128	2192	csrss.exe	55
PID 2192 wrote to memory of 1128	2192	csrss.exe	55
PID 2192 wrote to memory of 1128	2192	csrss.exe	55
PID 2192 wrote to memory of 4612	2192	csrss.exe	149
PID 2192 wrote to memory of 4612	2192	csrss.exe	149
PID 2192 wrote to memory of 4612	2192	csrss.exe	149
PID 2192 wrote to memory of 5072	2192	csrss.exe	53
PID 2192 wrote to memory of 5072	2192	csrss.exe	53
PID 2192 wrote to memory of 5072	2192	csrss.exe	53

C:\Users\Admin\AppData\Local\Temp\59bc15ce4dccd35ab21625a6bda720a9.exe
"C:\Users\Admin\AppData\Local\Temp\59bc15ce4dccd35ab21625a6bda720a9.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\csrss.exe
  C:\Users\Admin\AppData\Local\Temp\csrss.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 C:\Windows\system32\mfncom.dll /s
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\mfnsvc.exe
    C:\Windows\system32\mfnsvc.exe /install
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /IM sslmgr.exe /F
    3⤵
    - Kills process with taskkill
    PID:3512
- - C:\Windows\SysWOW64\mfnspinst32.exe
    C:\Windows\system32\mfnspinst32.exe /install "NOD32" "C:\Windows\system32\mfnsp32.dll"
    3⤵
    - Executes dropped EXE
    PID:5072
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /IM msconfig.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1128
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:1532
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /IM sslmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:836
  - - C:\Windows\SysWOW64\mfnsvc.exe
      C:\Windows\system32\mfnsvc.exe /install
      4⤵
      PID:4480
  - - C:\Windows\SysWOW64\mfnspinst32.exe
      C:\Windows\system32\mfnspinst32.exe /install "NOD32" "C:\Windows\system32\mfnsp32.dll"
      4⤵
      PID:3720
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 C:\Windows\system32\mfncom.dll /s
      4⤵
      PID:3360
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      PID:4960
  - - C:\Windows\SysWOW64\nod32krn.exe
      C:\Windows\system32\nod32krn.exe
      4⤵
      PID:2196
  - - C:\Windows\SysWOW64\nod32krn.exe
      C:\Windows\system32\nod32krn.exe
      4⤵
      PID:2416
  - - C:\Windows\SysWOW64\sslmgr.exe
      C:\Windows\system32\sslmgr.exe
      4⤵
      PID:3460
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      PID:316
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      PID:1300
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      PID:1552
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      PID:3920
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      PID:2328
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      PID:4528
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      PID:4396
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      PID:3648
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      PID:4192
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      PID:4252
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      PID:4532
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      PID:3260
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      PID:3484
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      PID:3612
- - C:\Windows\SysWOW64\sslmgr.exe
    C:\Windows\system32\sslmgr.exe
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:4812
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:4080
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:436
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:868
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:3508
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:4536
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:4808
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:3632
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:4396
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:836
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:3628
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:4064
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:4732
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:3740
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:396
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:3260
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:4388
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:952
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:4396
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\nod32krn.exe
    C:\Windows\system32\nod32krn.exe
    3⤵
    PID:4492
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /IM sslmgr.exe /F
  2⤵
  - Kills process with taskkill
  PID:5084
- C:\Windows\SysWOW64\mfnsvc.exe
  C:\Windows\system32\mfnsvc.exe /install
  2⤵
  PID:956
- C:\Windows\SysWOW64\mfnspinst32.exe
  C:\Windows\system32\mfnspinst32.exe /install "NOD32" "C:\Windows\system32\mfnsp32.dll"
  2⤵
  PID:1432
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 C:\Windows\system32\mfncom.dll /s
  2⤵
  PID:1420
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /IM msconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:4052
- C:\Windows\SysWOW64\nod32krn.exe
  C:\Windows\system32\nod32krn.exe
  2⤵
  PID:4080
- C:\Windows\SysWOW64\nod32krn.exe
  C:\Windows\system32\nod32krn.exe
  2⤵
  PID:3156
- C:\Windows\SysWOW64\sslmgr.exe
  C:\Windows\system32\sslmgr.exe
  2⤵
  PID:2628

C:\Users\Admin\AppData\Local\Temp\csrss.exe
C:\Users\Admin\AppData\Local\Temp\csrss.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2228

C:\Windows\SysWOW64\mfnsvc.exe
C:\Windows\SysWOW64\mfnsvc.exe
1⤵
PID:1604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Loads dropped DLL
- Modifies registry class
PID:4612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1532-308-0x0000000003A00000-0x0000000003A55000-memory.dmp

Filesize
340KB

Download
memory/2884-0-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download