b2329e00ebf18e91e00112f8f4961709a6f4746acba5c9b1204b9911e6cb0361

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2024 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88b51e6cf9a6d01fe8a29481e6d88db4.exe
Size

20KB
MD5

88b51e6cf9a6d01fe8a29481e6d88db4
SHA1

f0a965eac9a1f5b23060cd20b777ef4f64c5592d
SHA256

b2329e00ebf18e91e00112f8f4961709a6f4746acba5c9b1204b9911e6cb0361
SHA512

c9e1ff72b9a047afed2711d5f585903cc077caefa1c171eb35aa54d5860aabb3c6b2d0db94f8809f90f7fc609efc38b7b2b3035f57a7cde10576408985b46986
SSDEEP

192:Vop7pCNWij45z8/mR8+JBq2SiWvxCNWBE:6p7p+34VSmGMBciWveWO

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Dsrss = "C:\\Windows\\System32\\Dsrss.exe"	88b51e6cf9a6d01fe8a29481e6d88db4.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dsrss.exe	88b51e6cf9a6d01fe8a29481e6d88db4.exe
File opened for modification	C:\Windows\SysWOW64\Dsrss.exe	88b51e6cf9a6d01fe8a29481e6d88db4.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 4532	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	84
PID 3720 wrote to memory of 4532	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	84
PID 3720 wrote to memory of 4532	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	84
PID 3720 wrote to memory of 3432	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	86
PID 3720 wrote to memory of 3432	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	86
PID 3720 wrote to memory of 3432	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	86
PID 3720 wrote to memory of 2296	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	85
PID 3720 wrote to memory of 2296	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	85
PID 3720 wrote to memory of 2296	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	85
PID 4532 wrote to memory of 1836	4532	net.exe	91
PID 4532 wrote to memory of 1836	4532	net.exe	91
PID 4532 wrote to memory of 1836	4532	net.exe	91
PID 2296 wrote to memory of 1392	2296	net.exe	90
PID 2296 wrote to memory of 1392	2296	net.exe	90
PID 2296 wrote to memory of 1392	2296	net.exe	90
PID 3432 wrote to memory of 4524	3432	net.exe	92
PID 3432 wrote to memory of 4524	3432	net.exe	92
PID 3432 wrote to memory of 4524	3432	net.exe	92
PID 3720 wrote to memory of 2132	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	97
PID 3720 wrote to memory of 2132	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	97
PID 3720 wrote to memory of 2132	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	97
PID 3720 wrote to memory of 1656	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	98
PID 3720 wrote to memory of 1656	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	98
PID 3720 wrote to memory of 1656	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	98
PID 3720 wrote to memory of 5088	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	99
PID 3720 wrote to memory of 5088	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	99
PID 3720 wrote to memory of 5088	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	99
PID 1656 wrote to memory of 2924	1656	net.exe	103
PID 1656 wrote to memory of 2924	1656	net.exe	103
PID 1656 wrote to memory of 2924	1656	net.exe	103
PID 5088 wrote to memory of 560	5088	net.exe	104
PID 5088 wrote to memory of 560	5088	net.exe	104
PID 5088 wrote to memory of 560	5088	net.exe	104
PID 2132 wrote to memory of 3680	2132	net.exe	105
PID 2132 wrote to memory of 3680	2132	net.exe	105
PID 2132 wrote to memory of 3680	2132	net.exe	105
PID 3720 wrote to memory of 4432	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	107
PID 3720 wrote to memory of 4432	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	107
PID 3720 wrote to memory of 4432	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	107
PID 3720 wrote to memory of 3080	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	112
PID 3720 wrote to memory of 3080	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	112
PID 3720 wrote to memory of 3080	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	112
PID 3720 wrote to memory of 4396	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	109
PID 3720 wrote to memory of 4396	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	109
PID 3720 wrote to memory of 4396	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	109
PID 4432 wrote to memory of 932	4432	net.exe	113
PID 4432 wrote to memory of 932	4432	net.exe	113
PID 4432 wrote to memory of 932	4432	net.exe	113
PID 4396 wrote to memory of 2928	4396	net.exe	115
PID 4396 wrote to memory of 2928	4396	net.exe	115
PID 4396 wrote to memory of 2928	4396	net.exe	115
PID 3080 wrote to memory of 2840	3080	net.exe	114
PID 3080 wrote to memory of 2840	3080	net.exe	114
PID 3080 wrote to memory of 2840	3080	net.exe	114
PID 3720 wrote to memory of 5116	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	118
PID 3720 wrote to memory of 5116	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	118
PID 3720 wrote to memory of 5116	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	118
PID 3720 wrote to memory of 4048	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	119
PID 3720 wrote to memory of 4048	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	119
PID 3720 wrote to memory of 4048	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	119
PID 3720 wrote to memory of 4988	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	120
PID 3720 wrote to memory of 4988	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	120
PID 3720 wrote to memory of 4988	3720	88b51e6cf9a6d01fe8a29481e6d88db4.exe	120
PID 5116 wrote to memory of 3136	5116	net.exe	124

C:\Users\Admin\AppData\Local\Temp\88b51e6cf9a6d01fe8a29481e6d88db4.exe
"C:\Users\Admin\AppData\Local\Temp\88b51e6cf9a6d01fe8a29481e6d88db4.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:1836
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:1392
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3432
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:4524
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:3680
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:2924
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:560
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:932
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2928
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:2840
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:3136
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:4048
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:1036
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:4988
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:5064
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:1284
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:1584
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:4152
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2348
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 iedkcs32.dll,CloseRASConnections
  2⤵
  PID:3880
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:5112
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:2084
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:3260
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:1000
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:4036
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2296
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:1140
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:2992
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:1220
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:4380
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:4480
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:3700
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:644
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:3124
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:1604
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:2820
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:520
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:1748
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2128
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:4264
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:2676
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:4516
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:4440
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:2896
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:4748
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 iedkcs32.dll,CloseRASConnections
  2⤵
  PID:4432
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:3356
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:3976
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:3080
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2192
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:4756
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:2936
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:3136
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:4028
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:4856
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2136
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:3412
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:4752
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:4996
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:1532
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:4152
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:232
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:2340
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:1936
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:4416
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:556
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:1320
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:4828
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:1928
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:4556
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 iedkcs32.dll,CloseRASConnections
  2⤵
  PID:3320
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:4372
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:4380
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:3188
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:872
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:4676
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:4044
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:4188
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:4776
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:2988
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:3656
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:1944
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:1912
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:3156
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:4788
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:1096
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:1400
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:3680
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:932
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:3876
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:3164
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:2840
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2192
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:4672
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:3108
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 iedkcs32.dll,CloseRASConnections
  2⤵
  PID:4064
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:2744
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:2144
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:4920
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:1264
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:3404
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:3412
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:4988
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:4684
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:2252
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:2104
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:5116
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:4996
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:1704
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:2600
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:4332
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:540
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:5004
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:1928
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:3260
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:4848
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:1392
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2420
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:1320
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:4580
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 iedkcs32.dll,CloseRASConnections
  2⤵
  PID:2540
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:3632
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:4220
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:628
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:4116
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:3360
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:3980
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:4928
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:1528
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:1944
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:880
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:1144
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:932
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:972
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:3004
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:1172
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:3164
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:1296
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:3352
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:4864
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:3884
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 iedkcs32.dll,CloseRASConnections
  2⤵
  PID:3936
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:5072
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:4560
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:1432
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:1832
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:4544
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:4840
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:4920
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:2104
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:1116
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2004
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:3492
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:3524
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:2940
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:4332
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:3132
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:2856
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:2084
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:516
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:2420
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:812
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:416
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:3520
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:4228
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:3392
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 iedkcs32.dll,CloseRASConnections
  2⤵
  PID:2992
- C:\Windows\SysWOW64\net.exe
  net stop "mcshield"
  2⤵
  PID:2820
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcshield"
    3⤵
    PID:4220
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:1912
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2860
- C:\Windows\SysWOW64\net.exe
  net stop "Norton Antivirus Auto Protect Service"
  2⤵
  PID:3632
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
    3⤵
    PID:1220

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "mcshield"
1⤵
PID:1096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Norton Antivirus Auto Protect Service"
1⤵
PID:4768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak

Filesize
75B

MD5
960022b2443fa9ec71d013677289de8a

SHA1
d46e01f40232fcb9f6abe76469e4755532fa6fd4

SHA256
78a1ebbade2f59bdfd3f13e7f3238fed38a4e37d393c8e5d9d59bb64f67777ee

SHA512
937157711989e38dc64805bc3cbca4e9cb7b65c3eee5dec4339a46c94de72e51d9cc422669d54e06b6f7cd5eda4fcfa80195e915bc37b2546cc01e342d8a4d95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak

Filesize
75B

MD5
22702b0d5ae59f9a03e8a3dcbb23fde0

SHA1
af6a32bd4df535c703650275f6b509b7cd184285

SHA256
e79b396d4637fcea60efa9e5dda0346eed8024380adadf7b2b4c38354e9937a6

SHA512
c4a317b359eb951c84ef157cc70311f4babd3746c45ee8c3d676deb10ccdf2550a693a178397dc13ba086f58191ee3d592349284efacf2bc81654afe01893593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt

Filesize
75B

MD5
249fb5443c57adc656f7b13d4d52c708

SHA1
2dffecbce3d6bca506247cbfe5a9dfb65b1f93ab

SHA256
0a132798dea7d83f26c50649195b3835a9450ca740170ec72011ad977c771887

SHA512
96b9d8ea6a22a418bdc06274f5d7ee87fb2d9d383c13145eeedb8af95883a70e421514aca9bcd9aa401ce70918145be7b50a6bb179a01dd5280d291e0f5e3b7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt

Filesize
75B

MD5
0e6f08f065c90be561774cc07903249c

SHA1
af6f6ceed99aac1865fc51bbcdf4d430e14ec48e

SHA256
4520c449996125b1d75443873a4a9151f1c16828fc08139348622c489842534c

SHA512
442d3b89e4194dac77e859ff47dc7b1106508b00a8b8b333e28b43c652109449f61d43297246319788ebb67efa211dfa56e02c51891feef96865c693ea7ab50f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt

Filesize
48B

MD5
cbd4b408ffd75709565535e93f37fe79

SHA1
2eae2d381a0f8b7fbb18ecb0e683ddeb0e837899

SHA256
9675b1e10044e1438b114ffa48dc646b29192f8ff92bc3204988ea3c14136076

SHA512
17e9c028da89f503f2dc901d2cbdc1c45b88ba605c6eaf4520038f19056acefd3bc1386e22b9819c437d80884dd5d8c5a6a68e3471439bdc1dc1cd3df11bb1e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt

Filesize
48B

MD5
24ce198f67ee9d083b9993f8e4da4e42

SHA1
7ea83c763ae2ba029d49ea871dc517b12bb27cab

SHA256
693e0555da273106ed80096f9f564930309e76842e6ab788e53234248c1dbf0e

SHA512
d85eeedcedff57c213a29094ce5a1e769dd1a40b46281ff6510e2875ec553ce8e2771a5a09a879c9d012fa92871b78ce7c8243af6c321c696537db01e9680d1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt

Filesize
75B

MD5
5262067475ad939da865ddeb2054d180

SHA1
307bab55b2272c8295f4c2f65e5f27209291f1a2

SHA256
af146183fe73da3e8c15a11ba1f08c1c870009b435a50f2bb755803b51c6d5da

SHA512
282901babe72dab9fce1321e1240e994177020b9a1eb82a300dba331c21bb8187d5408e0e9e61c73049b505c8b674b09f78f5208d6e83674e810f525c34d48e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt

Filesize
75B

MD5
532be0754597df02b099d3e008da62ba

SHA1
3a0e4010cf2950635c105d51edeaf86e07cab712

SHA256
b6d3bf11ecbe8e21359be313b1a5b2cc62617a84fa8b7f68c56d45b757b23872

SHA512
e5eb2b3336de25e3fed75fe3e6e30a31e91b2e09d1a72914d653107dc7aa066b4957f149f86313e52ed08308df88805ff879f0101eb86be2a46539f2cbbb1544

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads