b2329e00ebf18e91e00112f8f4961709a6f4746acba5c9b1204b9911e6cb0361

Analysis

max time kernel
146s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/02/2024, 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88b51e6cf9a6d01fe8a29481e6d88db4.exe
Size

20KB
MD5

88b51e6cf9a6d01fe8a29481e6d88db4
SHA1

f0a965eac9a1f5b23060cd20b777ef4f64c5592d
SHA256

b2329e00ebf18e91e00112f8f4961709a6f4746acba5c9b1204b9911e6cb0361
SHA512

c9e1ff72b9a047afed2711d5f585903cc077caefa1c171eb35aa54d5860aabb3c6b2d0db94f8809f90f7fc609efc38b7b2b3035f57a7cde10576408985b46986
SSDEEP

192:Vop7pCNWij45z8/mR8+JBq2SiWvxCNWBE:6p7p+34VSmGMBciWveWO

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Dsrss = "C:\\Windows\\System32\\Dsrss.exe"	88b51e6cf9a6d01fe8a29481e6d88db4.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dsrss.exe	88b51e6cf9a6d01fe8a29481e6d88db4.exe
File opened for modification	C:\Windows\SysWOW64\Dsrss.exe	88b51e6cf9a6d01fe8a29481e6d88db4.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2020	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	28
PID 2148 wrote to memory of 2020	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	28
PID 2148 wrote to memory of 2020	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	28
PID 2148 wrote to memory of 2020	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	28
PID 2148 wrote to memory of 2268	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	29
PID 2148 wrote to memory of 2268	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	29
PID 2148 wrote to memory of 2268	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	29
PID 2148 wrote to memory of 2268	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	29
PID 2148 wrote to memory of 2360	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	30
PID 2148 wrote to memory of 2360	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	30
PID 2148 wrote to memory of 2360	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	30
PID 2148 wrote to memory of 2360	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	30
PID 2020 wrote to memory of 2772	2020	net.exe	35
PID 2020 wrote to memory of 2772	2020	net.exe	35
PID 2020 wrote to memory of 2772	2020	net.exe	35
PID 2020 wrote to memory of 2772	2020	net.exe	35
PID 2268 wrote to memory of 2784	2268	net.exe	34
PID 2268 wrote to memory of 2784	2268	net.exe	34
PID 2268 wrote to memory of 2784	2268	net.exe	34
PID 2268 wrote to memory of 2784	2268	net.exe	34
PID 2360 wrote to memory of 2804	2360	net.exe	36
PID 2360 wrote to memory of 2804	2360	net.exe	36
PID 2360 wrote to memory of 2804	2360	net.exe	36
PID 2360 wrote to memory of 2804	2360	net.exe	36
PID 2148 wrote to memory of 3016	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	37
PID 2148 wrote to memory of 3016	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	37
PID 2148 wrote to memory of 3016	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	37
PID 2148 wrote to memory of 3016	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	37
PID 2148 wrote to memory of 2828	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	38
PID 2148 wrote to memory of 2828	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	38
PID 2148 wrote to memory of 2828	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	38
PID 2148 wrote to memory of 2828	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	38
PID 2148 wrote to memory of 2880	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	39
PID 2148 wrote to memory of 2880	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	39
PID 2148 wrote to memory of 2880	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	39
PID 2148 wrote to memory of 2880	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	39
PID 2828 wrote to memory of 2588	2828	net.exe	42
PID 2828 wrote to memory of 2588	2828	net.exe	42
PID 2828 wrote to memory of 2588	2828	net.exe	42
PID 2828 wrote to memory of 2588	2828	net.exe	42
PID 2880 wrote to memory of 2856	2880	net.exe	45
PID 2880 wrote to memory of 2856	2880	net.exe	45
PID 2880 wrote to memory of 2856	2880	net.exe	45
PID 2880 wrote to memory of 2856	2880	net.exe	45
PID 3016 wrote to memory of 2612	3016	net.exe	44
PID 3016 wrote to memory of 2612	3016	net.exe	44
PID 3016 wrote to memory of 2612	3016	net.exe	44
PID 3016 wrote to memory of 2612	3016	net.exe	44
PID 2148 wrote to memory of 2568	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	46
PID 2148 wrote to memory of 2568	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	46
PID 2148 wrote to memory of 2568	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	46
PID 2148 wrote to memory of 2568	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	46
PID 2148 wrote to memory of 2576	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	49
PID 2148 wrote to memory of 2576	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	49
PID 2148 wrote to memory of 2576	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	49
PID 2148 wrote to memory of 2576	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	49
PID 2148 wrote to memory of 2620	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	48
PID 2148 wrote to memory of 2620	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	48
PID 2148 wrote to memory of 2620	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	48
PID 2148 wrote to memory of 2620	2148	88b51e6cf9a6d01fe8a29481e6d88db4.exe	48
PID 2568 wrote to memory of 1396	2568	net.exe	52
PID 2568 wrote to memory of 1396	2568	net.exe	52
PID 2568 wrote to memory of 1396	2568	net.exe	52
PID 2568 wrote to memory of 1396	2568	net.exe	52

C:\Users\Admin\AppData\Local\Temp\88b51e6cf9a6d01fe8a29481e6d88db4.exe
"C:\Users\Admin\AppData\Local\Temp\88b51e6cf9a6d01fe8a29481e6d88db4.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:2772
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:2784
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2804
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:2612
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:2588
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2856
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:1396
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:2620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:852
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:2576
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:2404
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:1468
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:1036
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:2160
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:312
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:528
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:1268
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 iedkcs32.dll,CloseRASConnections
  2⤵
  PID:2000
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:2108
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:1984
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:2092
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:1568
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:2472
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2920
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:2664
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:2232
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:2844
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:1520
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:2888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:1488
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:2824
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:1960
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:1736
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:1240
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:2960
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:1432
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:520
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:2432
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:2352
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:1632
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:3032
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2052
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 iedkcs32.dll,CloseRASConnections
  2⤵
  PID:2088
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:848
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:880
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:304
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:1816
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:800
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:840
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:1820
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:1092
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:2500
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:368
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:776
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:912
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:1992
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:788
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:2912
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:2012
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:2388
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:1748
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:2452
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:1964
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:996
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:1528
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:2480
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2648
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 iedkcs32.dll,CloseRASConnections
  2⤵
  PID:1616
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:2692
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:2776
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:2344
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:2804
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:2668
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2412
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:2032
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:2856
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:348
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2676
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:2280
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:2864
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:2728
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:2584
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:2800
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:2568
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:2628
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:1708
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:336
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:1532
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:2544
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:676
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 iedkcs32.dll,CloseRASConnections
  2⤵
  PID:2160
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:2104
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:2472
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:2976
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:1384
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:2080
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2248
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:572
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:2928
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:2552
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:2836
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:2840
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:1720
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:2944
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:2984
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:2916
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:1536
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:2948
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2960
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:1420
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:1644
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:2056
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:2052
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:1888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2352
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 iedkcs32.dll,CloseRASConnections
  2⤵
  PID:1256
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:1028
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:2236
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:1492
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:840
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:1552
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:848
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:1560
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:368
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:1880
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:2500
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:1308
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:960
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:864
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:2012
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:1820
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:2028
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:2200
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:1624
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:2504
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:2516
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:1772
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:2388
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:996
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 iedkcs32.dll,CloseRASConnections
  2⤵
  PID:888
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:3008
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:2808
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:2768
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:1608
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2780
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:2776
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:2864
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:1276
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:2032
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:1580
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:1548
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:2676
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:3020
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:1972
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:2764
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:1040
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2716
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:2812
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:2404
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:2624
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:2580
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:1396
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2628
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 iedkcs32.dll,CloseRASConnections
  2⤵
  PID:640
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:1532
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:1876
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:2548
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:1656
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:1576
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:2084
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:2976
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:2908
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:764
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:1976
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak

Filesize
75B

MD5
6d37faf50cc819894275c8e9b8021b4b

SHA1
a12e36b2512707bc4d1d2148d6ac787bd5d31d8e

SHA256
420740bcc563b963a61938b936b6d23e6fdd44b668c2ea802787f16fd9b344b8

SHA512
1f45b4fbe8a2c424e3bf0bdaeac474143de9b2464dae14c323b54b4788afe835dd3ffa4d53c27db03df2b1a0f2164c60e297463fab2768abca444042292b18dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak

Filesize
75B

MD5
bbd2a2ce70906171aa1459c0de34be55

SHA1
455277d0e4170e1766f76ba63f787fdac46caffd

SHA256
b6c432ed88d996fe3d92173bc009a278fbd7e08b72e1eb20903ca3032e01d268

SHA512
d622749ace24a11afba00e530401aac2aa91c55d1617060c6c4c79717add857b0ec3bbefb87940dd82b83540a1d3e7a7e3f6e7d667b8b2e79e559a6911a7b586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak

Filesize
75B

MD5
332a541fa41d683af316d7d8f28a2517

SHA1
b240ddf80314115b5585c86be098a6dd0b7b4f09

SHA256
634fde59babd842e1be6155a6bccc1f6c4375f0bc732ab65df10eb5850e804c7

SHA512
65087e46c204db3abe757cf1c4e4dffdc9f7729424a5e38560cb4d9cf2d0065eec5ee07df803cce0e03aa767d232fb36440f56f7d57b80b774cd0fe63a07e9cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak

Filesize
75B

MD5
6e36ba0fe61f7c6334305d61299c04cf

SHA1
646aaf623a9b65f3054571ba8680342cf02b6225

SHA256
367467f43d580c3c07040a78c7890ae4262dad4778878f9a49d5f652c81689a5

SHA512
ee5d694d66bb3ee0d55129c96c83116e7af28b6838854d110cafe9dcb530fc05ef8b97469d7fe0c864481298fba5008c97eb2b503e90b58b1e33f8856cb132d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt

Filesize
48B

MD5
feab102903fa15865d4d842995f93417

SHA1
3ee8871201178b143ae875837d57f233b8c6bc67

SHA256
76c588daf6968af407ccd6e97b9e9cd97ac1d2064548e3a79c75e03494d14e08

SHA512
8e37f60fea351cb139ceb0dd0a7817af53585c81d89acd59cd7df83271b28b4e5e67042b69a129c55c4d84eb671603490824a2aac9a44e4ed4e12fa1b8c16c85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt

Filesize
75B

MD5
f632839c4773814dbfbd1b331d4692a2

SHA1
0ad9cbfa511e71256e35f710c74397b01397367a

SHA256
f0e079040bb2ac2da016b9052ac0e165e0aa1889e3cfcf6c97b54400d4cb6080

SHA512
94a3cd536c36e45371a0ece7ae2d11c0c02d0ccff8d44da350eed78568e941a2c9c3aa77f01327442028ef0a6cab63e4db1c57a8c128db9203288316120c505c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt

Filesize
75B

MD5
b265eaf6486f5e45397b894e3a750ef4

SHA1
71e49f4f6cd5772db59397c0ca7eaf76782b98bc

SHA256
65f36db846177085fb6a01fc20de1f93cd25afa0e9abd8f5430f3b536ec174e3

SHA512
1c26315bf1c5f8351ab09cff8305c65b02eb8c6207b4573ed8581f526d3c5e7084b67419bff91622b92b73edbc498ac21b0bd7d5628eaa5ba513584a1fbfefb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt

Filesize
75B

MD5
2c2865e06cdb6443249965bd29f5a3a2

SHA1
93db66e0e51670129fe599a0921f8f7f42d4bf22

SHA256
027de5bf096f13a7354ef6c4cc454b82e8652fb405735672c14dc4f147702f68

SHA512
e45f5e2f9409c00f6bdba5ba37a26d63f71dba84314c359e837b312e6359db3950442fe8155bef59cc825884a8537903e8b86484ca0f9c646c959e933e1e2cbd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads