f7c20cd92f517c238ec163ec7460b0fa677f656a5e4cb9875c7cfdc38ece9ae6

Analysis

max time kernel
143s
max time network
148s
platform
windows10_x64
resource
win10v20201028
submitted
17-11-2020 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95184d6acbcd3d1f526271d43c7d6e6f.exe
Size

13.6MB
MD5

b61e4049ce52400869cc6afe222ca329
SHA1

95a0715fb486cd9eee7f7df811e93a838539335e
SHA256

f7c20cd92f517c238ec163ec7460b0fa677f656a5e4cb9875c7cfdc38ece9ae6
SHA512

9d43a10fda7ad7ac24c8895788d97687219e0112a1c5f9464dbe1aba13da0ca1030381f11da4342b6f6bf0231b7f287bf56fcadb6fd8481f791dbe1b2a7c55d1

Score

9^/10

discovery

Malware Config

Signatures

ServiceHost packer 95 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/2704-20-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-21-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-22-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-24-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-23-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-26-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-28-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-29-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-27-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-31-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-32-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-34-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-33-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-35-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-37-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-39-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-38-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-40-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-42-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-43-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-44-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-45-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-46-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-48-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-49-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-50-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-51-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-54-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-53-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-56-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-55-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-57-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-59-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-60-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-61-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-62-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-63-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-66-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-67-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-68-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-69-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-65-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-137-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-138-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-140-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-141-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-139-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-144-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-145-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-146-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-147-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-148-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-143-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-149-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-151-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-152-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-153-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-154-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-155-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-156-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-159-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-158-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-161-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2704-160-0x0000000000000000-mapping.dmp	servicehost

Executes dropped EXE 3 IoCs

Processes:

95184d6acbcd3d1f526271d43c7d6e6f.tmpwmfdist.exeVideoConverter.exe

pid process

2344 95184d6acbcd3d1f526271d43c7d6e6f.tmp
772 wmfdist.exe
2704 VideoConverter.exe

Loads dropped DLL 5 IoCs

Processes:

95184d6acbcd3d1f526271d43c7d6e6f.tmpregsvr32.exeVideoConverter.exe

pid	process
2344	95184d6acbcd3d1f526271d43c7d6e6f.tmp
2344	95184d6acbcd3d1f526271d43c7d6e6f.tmp
2344	95184d6acbcd3d1f526271d43c7d6e6f.tmp
400	regsvr32.exe
2704	VideoConverter.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

95184d6acbcd3d1f526271d43c7d6e6f.tmp

description	ioc	process
File created	C:\Windows\SysWOW64\is-Q1ADL.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Windows\SysWOW64\is-3N0O1.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Windows\SysWOW64\is-NGV32.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File opened for modification	C:\Windows\SysWOW64\xvidcore.dll	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File opened for modification	C:\Windows\SysWOW64\xvidvfw.dll	95184d6acbcd3d1f526271d43c7d6e6f.tmp

Drops file in Program Files directory 49 IoCs

Processes:

95184d6acbcd3d1f526271d43c7d6e6f.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Ree Video Converter\CrashReport.dll	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File opened for modification	C:\Program Files (x86)\Ree Video Converter\MediaAssist.dll	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File opened for modification	C:\Program Files (x86)\Ree Video Converter\wmfdist.exe	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-NBSFA.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-L7VKF.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-JVBKA.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-AN4E1.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-KQ6S3.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-T4C9T.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-U7N2D.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-G52I9.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-081PD.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-D8FKI.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-T39G9.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File opened for modification	C:\Program Files (x86)\Ree Video Converter\avfilter-0.dll	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File opened for modification	C:\Program Files (x86)\Ree Video Converter\swscale-0.dll	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-BNQJN.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-NEA85.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-5L8EH.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-7TS2I.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File opened for modification	C:\Program Files (x86)\Ree Video Converter\Log.dll	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File opened for modification	C:\Program Files (x86)\Ree Video Converter\SkinScroll.dll	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-545P7.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-7S2D1.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-JFTOT.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-19139.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-8052S.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-DJND4.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File opened for modification	C:\Program Files (x86)\Ree Video Converter\VideoConverter.exe	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File opened for modification	C:\Program Files (x86)\Ree Video Converter\libffplay.dll	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File opened for modification	C:\Program Files (x86)\Ree Video Converter\SkinMagicU.dll	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File opened for modification	C:\Program Files (x86)\Ree Video Converter\update.EXE	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\unins000.dat	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-6EOMG.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-3N5V6.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-54UHL.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File opened for modification	C:\Program Files (x86)\Ree Video Converter\avdevice-52.dll	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File opened for modification	C:\Program Files (x86)\Ree Video Converter\Common.dll	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File opened for modification	C:\Program Files (x86)\Ree Video Converter\sqlite3.dll	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File opened for modification	C:\Program Files (x86)\Ree Video Converter\avutil-49.dll	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File opened for modification	C:\Program Files (x86)\Ree Video Converter\SDL.dll	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-VIE52.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File opened for modification	C:\Program Files (x86)\Ree Video Converter\unins000.dat	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File opened for modification	C:\Program Files (x86)\Ree Video Converter\avformat-52.dll	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File opened for modification	C:\Program Files (x86)\Ree Video Converter\ImageEx.dll	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File opened for modification	C:\Program Files (x86)\Ree Video Converter\libffmpeg.dll	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File opened for modification	C:\Program Files (x86)\Ree Video Converter\xvidcore.dll	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-V23AM.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp
File created	C:\Program Files (x86)\Ree Video Converter\is-L6B09.tmp	95184d6acbcd3d1f526271d43c7d6e6f.tmp

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3556	2704	WerFault.exe	VideoConverter.exe
3276	2704	WerFault.exe	VideoConverter.exe
3492	2704	WerFault.exe	VideoConverter.exe
748	2704	WerFault.exe	VideoConverter.exe
3260	2704	WerFault.exe	VideoConverter.exe
2276	2704	WerFault.exe	VideoConverter.exe
4076	2704	WerFault.exe	VideoConverter.exe
3812	2704	WerFault.exe	VideoConverter.exe
3108	2704	WerFault.exe	VideoConverter.exe

Modifies registry class 14 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}\InprocServer32\ = "C:\\Windows\\SysWow64\\xvid.ax"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64697678-0000-0010-8000-00AA00389B71}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64697678-0000-0010-8000-00AA00389B71}\ = "Xvid MPEG-4 Video Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64697678-0000-0010-8000-00AA00389B71}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}\ = "Xvid MPEG-4 Video DecoderAbout"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64697678-0000-0010-8000-00AA00389B71}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{64697678-0000-0010-8000-00AA00389B71}\CLSID = "{64697678-0000-0010-8000-00AA00389B71}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64697678-0000-0010-8000-00AA00389B71}\InprocServer32\ = "C:\\Windows\\SysWow64\\xvid.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{64697678-0000-0010-8000-00AA00389B71}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{64697678-0000-0010-8000-00AA00389B71}\FriendlyName = "Xvid MPEG-4 Video Decoder"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{64697678-0000-0010-8000-00AA00389B71}\FilterData = 020000000000800002000000000000003070693300000000000000000800000000000000000000003074793300000000d0000000e00000003174793300000000d0000000f00000003274793300000000d0000000000100003374793300000000d0000000100100003474793300000000d0000000200100003574793300000000d0000000300100003674793300000000d0000000400100003774793300000000d0000000500100003170693308000000000000000100000000000000000000003074793300000000d0000000600100007669647300001000800000aa00389b717876696400001000800000aa00389b715856494400001000800000aa00389b716469767800001000800000aa00389b714449565800001000800000aa00389b716478353000001000800000aa00389b714458353000001000800000aa00389b716d70347600001000800000aa00389b714d50345600001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 136 IoCs

Processes:

95184d6acbcd3d1f526271d43c7d6e6f.tmpVideoConverter.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
2344	95184d6acbcd3d1f526271d43c7d6e6f.tmp
2344	95184d6acbcd3d1f526271d43c7d6e6f.tmp
2704	VideoConverter.exe
2704	VideoConverter.exe
3556	WerFault.exe
3556	WerFault.exe
3556	WerFault.exe
3556	WerFault.exe
3556	WerFault.exe
3556	WerFault.exe
3556	WerFault.exe
3556	WerFault.exe
3556	WerFault.exe
3556	WerFault.exe
3556	WerFault.exe
3556	WerFault.exe
3556	WerFault.exe
3556	WerFault.exe
3276	WerFault.exe
3276	WerFault.exe
3276	WerFault.exe
3276	WerFault.exe
3276	WerFault.exe
3276	WerFault.exe
3276	WerFault.exe
3276	WerFault.exe
3276	WerFault.exe
3276	WerFault.exe
3276	WerFault.exe
3276	WerFault.exe
3276	WerFault.exe
3276	WerFault.exe
3276	WerFault.exe
3492	WerFault.exe
3492	WerFault.exe
3492	WerFault.exe
3492	WerFault.exe
3492	WerFault.exe
3492	WerFault.exe
3492	WerFault.exe
3492	WerFault.exe
3492	WerFault.exe
3492	WerFault.exe
3492	WerFault.exe
3492	WerFault.exe
3492	WerFault.exe
3492	WerFault.exe
748	WerFault.exe
748	WerFault.exe
748	WerFault.exe
748	WerFault.exe
748	WerFault.exe
748	WerFault.exe
748	WerFault.exe
748	WerFault.exe
748	WerFault.exe
748	WerFault.exe
748	WerFault.exe
748	WerFault.exe
748	WerFault.exe
748	WerFault.exe
748	WerFault.exe
3260	WerFault.exe
3260	WerFault.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	3556	WerFault.exe
Token: SeBackupPrivilege	3556	WerFault.exe
Token: SeDebugPrivilege	3556	WerFault.exe
Token: SeDebugPrivilege	3276	WerFault.exe
Token: SeDebugPrivilege	3492	WerFault.exe
Token: SeDebugPrivilege	748	WerFault.exe
Token: SeDebugPrivilege	3260	WerFault.exe
Token: SeDebugPrivilege	2276	WerFault.exe
Token: SeDebugPrivilege	4076	WerFault.exe
Token: SeDebugPrivilege	3812	WerFault.exe
Token: SeDebugPrivilege	3108	WerFault.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

95184d6acbcd3d1f526271d43c7d6e6f.tmp

pid process

2344 95184d6acbcd3d1f526271d43c7d6e6f.tmp

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

95184d6acbcd3d1f526271d43c7d6e6f.exe95184d6acbcd3d1f526271d43c7d6e6f.tmp

description	pid	process	target process
PID 580 wrote to memory of 2344	580	95184d6acbcd3d1f526271d43c7d6e6f.exe	95184d6acbcd3d1f526271d43c7d6e6f.tmp
PID 580 wrote to memory of 2344	580	95184d6acbcd3d1f526271d43c7d6e6f.exe	95184d6acbcd3d1f526271d43c7d6e6f.tmp
PID 580 wrote to memory of 2344	580	95184d6acbcd3d1f526271d43c7d6e6f.exe	95184d6acbcd3d1f526271d43c7d6e6f.tmp
PID 2344 wrote to memory of 400	2344	95184d6acbcd3d1f526271d43c7d6e6f.tmp	regsvr32.exe
PID 2344 wrote to memory of 400	2344	95184d6acbcd3d1f526271d43c7d6e6f.tmp	regsvr32.exe
PID 2344 wrote to memory of 400	2344	95184d6acbcd3d1f526271d43c7d6e6f.tmp	regsvr32.exe
PID 2344 wrote to memory of 772	2344	95184d6acbcd3d1f526271d43c7d6e6f.tmp	wmfdist.exe
PID 2344 wrote to memory of 772	2344	95184d6acbcd3d1f526271d43c7d6e6f.tmp	wmfdist.exe
PID 2344 wrote to memory of 772	2344	95184d6acbcd3d1f526271d43c7d6e6f.tmp	wmfdist.exe
PID 2344 wrote to memory of 2704	2344	95184d6acbcd3d1f526271d43c7d6e6f.tmp	VideoConverter.exe
PID 2344 wrote to memory of 2704	2344	95184d6acbcd3d1f526271d43c7d6e6f.tmp	VideoConverter.exe
PID 2344 wrote to memory of 2704	2344	95184d6acbcd3d1f526271d43c7d6e6f.tmp	VideoConverter.exe

C:\Users\Admin\AppData\Local\Temp\95184d6acbcd3d1f526271d43c7d6e6f.exe
"C:\Users\Admin\AppData\Local\Temp\95184d6acbcd3d1f526271d43c7d6e6f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:580

C:\Users\Admin\AppData\Local\Temp\is-94M4D.tmp\95184d6acbcd3d1f526271d43c7d6e6f.tmp
"C:\Users\Admin\AppData\Local\Temp\is-94M4D.tmp\95184d6acbcd3d1f526271d43c7d6e6f.tmp" /SL5="$4005A,13454335,936960,C:\Users\Admin\AppData\Local\Temp\95184d6acbcd3d1f526271d43c7d6e6f.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\xvid.ax"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:400

C:\Program Files (x86)\Ree Video Converter\wmfdist.exe
"C:\Program Files (x86)\Ree Video Converter\wmfdist.exe" /Q:A /R:N
3⤵
- Executes dropped EXE
PID:772

C:\Program Files (x86)\Ree Video Converter\VideoConverter.exe
"C:\Program Files (x86)\Ree Video Converter\VideoConverter.exe" 95184d6acbcd3d1f526271d43c7d6e6f.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 812
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 816
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 740
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 860
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 864
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 808
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 772
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 836
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 860
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Ree Video Converter\VideoConverter.exe
MD5
234f70a7781270752d527ee9313a81ca

SHA1
5c6023a27cd9eb2db41de1402a0328f42cc90642

SHA256
2ece275a87fc82e74f53df9098d3a53e57957aeee82b2d0fae31898b59ae31f5

SHA512
5b0fe5ac9854c8cca0d9397961567c7f29f842c5e53ffa16b62a98bc9d3c55344b206cbe9a87611e8d558415f6966ab934e29f8044b92b7c3a6a1ee7372849b3

Download Submit
C:\Program Files (x86)\Ree Video Converter\VideoConverter.exe
MD5
234f70a7781270752d527ee9313a81ca

SHA1
5c6023a27cd9eb2db41de1402a0328f42cc90642

SHA256
2ece275a87fc82e74f53df9098d3a53e57957aeee82b2d0fae31898b59ae31f5

SHA512
5b0fe5ac9854c8cca0d9397961567c7f29f842c5e53ffa16b62a98bc9d3c55344b206cbe9a87611e8d558415f6966ab934e29f8044b92b7c3a6a1ee7372849b3

Download Submit
C:\Program Files (x86)\Ree Video Converter\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Program Files (x86)\Ree Video Converter\wmfdist.exe
MD5
f59090e9a8070d7fbbdcc8895d2169a3

SHA1
370e62290cac6a6c7aa13442741caf6671437a54

SHA256
a6b53074cb4a3f9885f6e7d52c9e893b44cf4965000d899b2bf21508ac320023

SHA512
45b9d9bd43b67c39b35a0f4007a2800847e65da8f818bef4b2f5858d95235fca34708ab9b774324bc7e1eb9519ce5d2f4634034f7987c17e788d017f2fdf7d5a

Download Submit
C:\Program Files (x86)\Ree Video Converter\wmfdist.exe
MD5
f59090e9a8070d7fbbdcc8895d2169a3

SHA1
370e62290cac6a6c7aa13442741caf6671437a54

SHA256
a6b53074cb4a3f9885f6e7d52c9e893b44cf4965000d899b2bf21508ac320023

SHA512
45b9d9bd43b67c39b35a0f4007a2800847e65da8f818bef4b2f5858d95235fca34708ab9b774324bc7e1eb9519ce5d2f4634034f7987c17e788d017f2fdf7d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-94M4D.tmp\95184d6acbcd3d1f526271d43c7d6e6f.tmp
MD5
cf932a8e4ddc98f4f4ba2e22686209d6

SHA1
c5f74277431cabd48bcf3aeab5df6e2e0a5f1a17

SHA256
87ee2365ebbf0c4dfdd9dd6abd8e4b49f5fd6d1e7e5c6a133449425fea7ba0af

SHA512
245437c5431f01db50943f80b35f21b29f444b445097a2d341a601eaaf026dcc367533be732501fd41bad24150a5b443f98ab542d42e13549c35f9929f30609f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-94M4D.tmp\95184d6acbcd3d1f526271d43c7d6e6f.tmp
MD5
cf932a8e4ddc98f4f4ba2e22686209d6

SHA1
c5f74277431cabd48bcf3aeab5df6e2e0a5f1a17

SHA256
87ee2365ebbf0c4dfdd9dd6abd8e4b49f5fd6d1e7e5c6a133449425fea7ba0af

SHA512
245437c5431f01db50943f80b35f21b29f444b445097a2d341a601eaaf026dcc367533be732501fd41bad24150a5b443f98ab542d42e13549c35f9929f30609f

Download Submit
C:\Windows\SysWOW64\xvid.ax
MD5
1dfc887cb243a525675ce04787dedf8b

SHA1
69163fbf6a40a34ae9f27e652b01b4cc8fb2cc5f

SHA256
0969d1f5501ad4be6f969ce45f44a739b2d61a50237f75ae7b77626d6a0aff11

SHA512
160a6df0774c359a3959088fe478d237b4fa597eaa0cf1b084b77ba8fcdb08137387fa3ce91bd40e3af6d2992be048e583368644fe6fa627918e8900833adde4

Download Submit
\Program Files (x86)\Ree Video Converter\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\Users\Admin\AppData\Local\Temp\is-0D17V.tmp\_isetup\_iscrypt.dll
MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-0D17V.tmp\_isetup\_isdecmp.dll
MD5
77d6d961f71a8c558513bed6fd0ad6f1

SHA1
122bb9ed6704b72250e4e31b5d5fc2f0476c4b6a

SHA256
5da7c8d33d3b7db46277012d92875c0b850c8abf1eb3c8c9c5b9532089a0bcf0

SHA512
b0921e2442b4cdec8cc479ba3751a01c0646a4804e2f4a5d5632fa2dbf54cc45d4cccffa4d5b522d42afc2f6a622e07882ed7e663c8462333b082e82503f335a

Download Submit
\Users\Admin\AppData\Local\Temp\is-0D17V.tmp\_isetup\_isdecmp.dll
MD5
77d6d961f71a8c558513bed6fd0ad6f1

SHA1
122bb9ed6704b72250e4e31b5d5fc2f0476c4b6a

SHA256
5da7c8d33d3b7db46277012d92875c0b850c8abf1eb3c8c9c5b9532089a0bcf0

SHA512
b0921e2442b4cdec8cc479ba3751a01c0646a4804e2f4a5d5632fa2dbf54cc45d4cccffa4d5b522d42afc2f6a622e07882ed7e663c8462333b082e82503f335a

Download Submit
\Windows\SysWOW64\xvid.ax
MD5
1dfc887cb243a525675ce04787dedf8b

SHA1
69163fbf6a40a34ae9f27e652b01b4cc8fb2cc5f

SHA256
0969d1f5501ad4be6f969ce45f44a739b2d61a50237f75ae7b77626d6a0aff11

SHA512
160a6df0774c359a3959088fe478d237b4fa597eaa0cf1b084b77ba8fcdb08137387fa3ce91bd40e3af6d2992be048e583368644fe6fa627918e8900833adde4

Download Submit
memory/400-6-0x0000000000000000-mapping.dmp

Download
memory/748-52-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/748-58-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/772-9-0x0000000000000000-mapping.dmp

Download
memory/2276-150-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/2276-142-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/2344-0-0x0000000000000000-mapping.dmp

Download
memory/2704-69-0x0000000000000000-mapping.dmp

Download
memory/2704-146-0x0000000000000000-mapping.dmp

Download
memory/2704-22-0x0000000000000000-mapping.dmp

Download
memory/2704-24-0x0000000000000000-mapping.dmp

Download
memory/2704-23-0x0000000000000000-mapping.dmp

Download
memory/2704-204-0x0000000000000000-mapping.dmp

Download
memory/2704-26-0x0000000000000000-mapping.dmp

Download
memory/2704-28-0x0000000000000000-mapping.dmp

Download
memory/2704-29-0x0000000000000000-mapping.dmp

Download
memory/2704-27-0x0000000000000000-mapping.dmp

Download
memory/2704-203-0x0000000000000000-mapping.dmp

Download
memory/2704-31-0x0000000000000000-mapping.dmp

Download
memory/2704-32-0x0000000000000000-mapping.dmp

Download
memory/2704-34-0x0000000000000000-mapping.dmp

Download
memory/2704-33-0x0000000000000000-mapping.dmp

Download
memory/2704-35-0x0000000000000000-mapping.dmp

Download
memory/2704-202-0x0000000000000000-mapping.dmp

Download
memory/2704-37-0x0000000000000000-mapping.dmp

Download
memory/2704-39-0x0000000000000000-mapping.dmp

Download
memory/2704-38-0x0000000000000000-mapping.dmp

Download
memory/2704-40-0x0000000000000000-mapping.dmp

Download
memory/2704-201-0x0000000000000000-mapping.dmp

Download
memory/2704-42-0x0000000000000000-mapping.dmp

Download
memory/2704-43-0x0000000000000000-mapping.dmp

Download
memory/2704-44-0x0000000000000000-mapping.dmp

Download
memory/2704-45-0x0000000000000000-mapping.dmp

Download
memory/2704-46-0x0000000000000000-mapping.dmp

Download
memory/2704-200-0x0000000000000000-mapping.dmp

Download
memory/2704-48-0x0000000000000000-mapping.dmp

Download
memory/2704-49-0x0000000000000000-mapping.dmp

Download
memory/2704-50-0x0000000000000000-mapping.dmp

Download
memory/2704-51-0x0000000000000000-mapping.dmp

Download
memory/2704-20-0x0000000000000000-mapping.dmp

Download
memory/2704-54-0x0000000000000000-mapping.dmp

Download
memory/2704-53-0x0000000000000000-mapping.dmp

Download
memory/2704-56-0x0000000000000000-mapping.dmp

Download
memory/2704-55-0x0000000000000000-mapping.dmp

Download
memory/2704-57-0x0000000000000000-mapping.dmp

Download
memory/2704-199-0x0000000000000000-mapping.dmp

Download
memory/2704-59-0x0000000000000000-mapping.dmp

Download
memory/2704-60-0x0000000000000000-mapping.dmp

Download
memory/2704-61-0x0000000000000000-mapping.dmp

Download
memory/2704-62-0x0000000000000000-mapping.dmp

Download
memory/2704-63-0x0000000000000000-mapping.dmp

Download
memory/2704-198-0x0000000000000000-mapping.dmp

Download
memory/2704-66-0x0000000000000000-mapping.dmp

Download
memory/2704-67-0x0000000000000000-mapping.dmp

Download
memory/2704-68-0x0000000000000000-mapping.dmp

Download
memory/2704-16-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/2704-65-0x0000000000000000-mapping.dmp

Download
memory/2704-196-0x0000000000000000-mapping.dmp

Download
memory/2704-137-0x0000000000000000-mapping.dmp

Download
memory/2704-138-0x0000000000000000-mapping.dmp

Download
memory/2704-140-0x0000000000000000-mapping.dmp

Download
memory/2704-141-0x0000000000000000-mapping.dmp

Download
memory/2704-139-0x0000000000000000-mapping.dmp

Download
memory/2704-17-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/2704-144-0x0000000000000000-mapping.dmp

Download
memory/2704-145-0x0000000000000000-mapping.dmp

Download
memory/2704-21-0x0000000000000000-mapping.dmp

Download
memory/2704-147-0x0000000000000000-mapping.dmp

Download
memory/2704-148-0x0000000000000000-mapping.dmp

Download
memory/2704-143-0x0000000000000000-mapping.dmp

Download
memory/2704-149-0x0000000000000000-mapping.dmp

Download
memory/2704-12-0x0000000000000000-mapping.dmp

Download
memory/2704-151-0x0000000000000000-mapping.dmp

Download
memory/2704-152-0x0000000000000000-mapping.dmp

Download
memory/2704-153-0x0000000000000000-mapping.dmp

Download
memory/2704-154-0x0000000000000000-mapping.dmp

Download
memory/2704-155-0x0000000000000000-mapping.dmp

Download
memory/2704-156-0x0000000000000000-mapping.dmp

Download
memory/2704-195-0x0000000000000000-mapping.dmp

Download
memory/2704-159-0x0000000000000000-mapping.dmp

Download
memory/2704-158-0x0000000000000000-mapping.dmp

Download
memory/2704-161-0x0000000000000000-mapping.dmp

Download
memory/2704-160-0x0000000000000000-mapping.dmp

Download
memory/2704-162-0x0000000000000000-mapping.dmp

Download
memory/2704-163-0x0000000000000000-mapping.dmp

Download
memory/2704-164-0x0000000000000000-mapping.dmp

Download
memory/2704-165-0x0000000000000000-mapping.dmp

Download
memory/2704-194-0x0000000000000000-mapping.dmp

Download
memory/2704-167-0x0000000000000000-mapping.dmp

Download
memory/2704-168-0x0000000000000000-mapping.dmp

Download
memory/2704-169-0x0000000000000000-mapping.dmp

Download
memory/2704-170-0x0000000000000000-mapping.dmp

Download
memory/2704-171-0x0000000000000000-mapping.dmp

Download
memory/2704-173-0x0000000000000000-mapping.dmp

Download
memory/2704-172-0x0000000000000000-mapping.dmp

Download
memory/2704-193-0x0000000000000000-mapping.dmp

Download
memory/2704-175-0x0000000000000000-mapping.dmp

Download
memory/2704-176-0x0000000000000000-mapping.dmp

Download
memory/2704-177-0x0000000000000000-mapping.dmp

Download
memory/2704-178-0x0000000000000000-mapping.dmp

Download
memory/2704-179-0x0000000000000000-mapping.dmp

Download
memory/2704-180-0x0000000000000000-mapping.dmp

Download
memory/2704-181-0x0000000000000000-mapping.dmp

Download
memory/2704-192-0x0000000000000000-mapping.dmp

Download
memory/2704-183-0x0000000000000000-mapping.dmp

Download
memory/2704-184-0x0000000000000000-mapping.dmp

Download
memory/2704-185-0x0000000000000000-mapping.dmp

Download
memory/2704-186-0x0000000000000000-mapping.dmp

Download
memory/2704-187-0x0000000000000000-mapping.dmp

Download
memory/2704-188-0x0000000000000000-mapping.dmp

Download
memory/2704-190-0x0000000000000000-mapping.dmp

Download
memory/2704-191-0x0000000000000000-mapping.dmp

Download
memory/3108-197-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download
memory/3108-189-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/3260-64-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/3260-71-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/3276-30-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/3276-36-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/3492-47-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/3492-41-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/3556-18-0x00000000044A0000-0x00000000044A1000-memory.dmp

Filesize
4KB

Download
memory/3556-25-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/3812-174-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/3812-182-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/4076-157-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/4076-166-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download