34cdbec1ccf9e06a8a2db8d2e3952c77e74bd33ae19f2ef5c69b57d3eec05194

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ShellExperienceHost.exe
Size

823KB
MD5

cd677d6d41b6a65444c304511c942f3d
SHA1

02144b44b58a9ac55f4fc4c3efdf1b329d02cd47
SHA256

34cdbec1ccf9e06a8a2db8d2e3952c77e74bd33ae19f2ef5c69b57d3eec05194
SHA512

d153c19c892ac15a73fee300f57d5105f5ef93b5a3ff5f672f71429ffd3bb6b36f44f757b5341780f6141e80d7d26e545ce56d4ec45ea35dfe698f82d3d7ef65
SSDEEP

24576:s2IeXdu9TrIKbTaxXN/D2Q0flhY0p6Bk:DIetK3IKT492/Yeuk

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe
1668	ShellExperienceHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6004	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1668	ShellExperienceHost.exe
Token: SeDebugPrivilege	6004	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe
6004	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2440	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32
PID 1668 wrote to memory of 2440	1668	ShellExperienceHost.exe	32

C:\Users\Admin\AppData\Local\Temp\ShellExperienceHost.exe
"C:\Users\Admin\AppData\Local\Temp\ShellExperienceHost.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2440

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Loader.log

Filesize
600B

MD5
c6dc42b7bd470e0d308105fc29322fda

SHA1
e89d568920e7db9ad00989ed9b4c4abf2190d690

SHA256
d9c34ee84d07475b773c98cb0d91128239ec92d4b4de88fd88092d6890c7c74c

SHA512
46a623550574a906459255e7dfdd65304d5343e4d0736104539b61dadb93c74aae64837a391707f051697611724ce50f8045115ec4701aa0722146eca527331a

Download Submit
memory/1668-36-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

Filesize
4KB

Download
memory/1668-39-0x0000000001D10000-0x0000000001D11000-memory.dmp

Filesize
4KB

Download
memory/1668-3-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1668-4-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1668-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1668-8-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1668-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1668-7-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1668-11-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1668-2-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1668-9-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1668-14-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/1668-15-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/1668-17-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/1668-63-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/1668-38-0x0000000001D00000-0x0000000001D01000-memory.dmp

Filesize
4KB

Download
memory/1668-18-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/1668-16-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/1668-21-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/1668-26-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1668-25-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/1668-24-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1668-23-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/1668-27-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1668-28-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/1668-30-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1668-29-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/1668-31-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

Filesize
4KB

Download
memory/1668-32-0x0000000001CC0000-0x0000000001CC1000-memory.dmp

Filesize
4KB

Download
memory/1668-34-0x0000000001CD0000-0x0000000001CD1000-memory.dmp

Filesize
4KB

Download
memory/1668-1-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1668-37-0x0000000001CF0000-0x0000000001CF1000-memory.dmp

Filesize
4KB

Download
memory/1668-19-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/1668-40-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/1668-0-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1668-62-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/1668-41-0x0000000001D30000-0x0000000001D31000-memory.dmp

Filesize
4KB

Download
memory/1668-45-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/1668-43-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/1668-47-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/1668-46-0x0000000001D60000-0x0000000001D61000-memory.dmp

Filesize
4KB

Download
memory/1668-49-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/1668-48-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1668-52-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1668-51-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/1668-50-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/1668-53-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/1668-54-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1668-59-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/1668-58-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/1668-56-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1668-61-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/1668-60-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/2440-42-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/2440-64-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/2440-20-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/2440-2869-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2440-2870-0x000000000314F000-0x000000000453C000-memory.dmp

Filesize
19.9MB

Download
memory/2440-13-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/2440-2912-0x000000000314F000-0x000000000453C000-memory.dmp

Filesize
19.9MB

Download
memory/6004-2913-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/6004-2914-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/6004-2915-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download