Resubmissions
  26-05-2024 17:06   240526-vmg6wade6v   10
  26-05-2024 12:49   240526-p2q5faeh27   10
  26-05-2024 12:43   240526-pyanaadf3s   10

Analysis
- max time kernel: 118s
- max time network: 138s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 26-05-2024 12:43
Behavioral task: behavioral1
- Sample: XClient.exe
- Resource: win7-20240508-en
General
- Target: XClient.exe
- Size: 32KB
- MD5: 53d9b475ab5b6a31e7b89c28d49b2196
- SHA1: 118000b987a127ae6065f9739b583038e0f1780b
- SHA256: 5b64cc2c1a7d550a5fb1d344d373be0cf9a8a5041f5e7b33534a9aaee06a9073
- SHA512: 302b7e312298445df0fbecd5d8fa54086eefa85b2b3ed238481a385a5fa2a148c11b681c1a5a57dd20e5602f2430185738ab5ac134f3d2d965760ff84ec7f949
- SSDEEP: 768:+RPD9OQhx/BV3Tw4e1dVFE9jiOjhfbhO:+d9OW/V3U4epFE9jiOjJFO
Malware Config
Extracted
- Family: xworm
- Version: 5.0
- C2: 0.tcp.eu.ngrok.io:10897
- Mutex: QUjY5ulhX0UCX61h
- install_file: USB.exe
Signatures

Detect Xworm Payload 1 IoCs
Processes:
  resource   yara_rule
  behavioral1/memory/1488-1-0x0000000001180000-0x000000000118E000-memory.dmp   family_xworm
Deletes itself 1 IoCs
Processes:
  pid    process
  1304   cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
-
Delays execution with timeout.exe 1 IoCs
Processes:
  pid    process
  2244   timeout.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  description         ioc                                                                        process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer      chrome.exe
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                         chrome.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName       chrome.exe
Modifies Internet Explorer settings
Processes:
  description        ioc                                                                                                                                   process
  Key created        \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain   iexplore.exe
  Set value (int)    \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E1BEE7E1-1B5D-11EF-A7A3-7A58A1FDD547} = "0"   iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery   iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main   iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry   iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive   iexplore.exe
  Set value (int)    \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"   iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic   iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic   iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup   iexplore.exe
  Set value (str)    \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"   iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom   iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main   IEXPLORE.EXE
  Key created        \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MINIE   iexplore.exe
  Set value (int)    \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"   iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms   iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry   iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser   iexplore.exe
  Set value (int)    \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"   iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch   iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar   iexplore.exe
  Set value (data)   \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000   iexplore.exe
  Set value (int)    \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"   iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU   iexplore.exe
  Key created        \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage   iexplore.exe
  Set value (str)    \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"   iexplore.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid    process
  2592   chrome.exe   (2 identical entries)
Suspicious use of AdjustPrivilegeToken 25 IoCs
Processes:
  description                  pid    process
  Token: SeDebugPrivilege      1488   XClient.exe
  Token: SeShutdownPrivilege   2592   chrome.exe   (24 identical entries)
Suspicious use of FindShellTrayWindow 52 IoCs
Processes:
  pid    process
  2592   chrome.exe     (51 identical entries)
  2248   iexplore.exe
Suspicious use of SendNotifyMessage 48 IoCs
Processes:
  pid    process
  2592   chrome.exe   (48 identical entries)
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
  pid    process
  2248   iexplore.exe   (2 identical entries)
  2956   IEXPLORE.EXE   (2 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
Processes (64 entries in total; identical rows collapsed):
  description                        pid    process      target process
  PID 2592 wrote to memory of 2568   2592   chrome.exe   chrome.exe
  PID 2592 wrote to memory of 2476   2592   chrome.exe   chrome.exe
  PID 2592 wrote to memory of 2496   2592   chrome.exe   chrome.exe
  PID 2592 wrote to memory of 2628   2592   chrome.exe   chrome.exe
Processes

C:\Users\Admin\AppData\Local\Temp\XClient.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID: 1488
    C:\Windows\system32\cmd.exe
      Command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5D0E.tmp.bat""
      - Deletes itself
      PID: 1304
        C:\Windows\system32\timeout.exe
          Command: timeout 3
          - Delays execution with timeout.exe
          PID: 2244

C:\Program Files\Google\Chrome\Application\chrome.exe
  Command: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2592
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef1999758,0x7fef1999768,0x7fef1999778
      PID: 2568
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1256,i,6256524557159492725,7568659419103562039,131072 /prefetch:2
      PID: 2476
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1256,i,6256524557159492725,7568659419103562039,131072 /prefetch:8
      PID: 2496
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1256,i,6256524557159492725,7568659419103562039,131072 /prefetch:8
      PID: 2628
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2248 --field-trial-handle=1256,i,6256524557159492725,7568659419103562039,131072 /prefetch:1
      PID: 1420
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2256 --field-trial-handle=1256,i,6256524557159492725,7568659419103562039,131072 /prefetch:1
      PID: 2524
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1448 --field-trial-handle=1256,i,6256524557159492725,7568659419103562039,131072 /prefetch:2
      PID: 2776
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3336 --field-trial-handle=1256,i,6256524557159492725,7568659419103562039,131072 /prefetch:1
      PID: 1112
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3452 --field-trial-handle=1256,i,6256524557159492725,7568659419103562039,131072 /prefetch:8
      PID: 836
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3560 --field-trial-handle=1256,i,6256524557159492725,7568659419103562039,131072 /prefetch:8
      PID: 828
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3568 --field-trial-handle=1256,i,6256524557159492725,7568659419103562039,131072 /prefetch:8
      PID: 952
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3748 --field-trial-handle=1256,i,6256524557159492725,7568659419103562039,131072 /prefetch:1
      PID: 560

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 2700

C:\Program Files\Internet Explorer\iexplore.exe
  Command: "C:\Program Files\Internet Explorer\iexplore.exe"
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID: 2248
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID: 2956

C:\Windows\SysWOW64\DllHost.exe
  Command: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  PID: 2664
Network
MITRE ATT&CK Enterprise v15
Downloads