badrabbit | 2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670

Analysis

max time kernel
149s
max time network
140s
platform
windows10_x64
resource
win10v20210410
submitted
15-05-2021 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670.exe
Size

434KB
MD5

b5d4146d585d33490dca0e55682b2492
SHA1

280386782e0dfad5991a218e1601ec5ca7ebc67b
SHA256

2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670
SHA512

31a9b11b9ffeb1fa4c8b10827917c99caf501276c5f55456bd1b2249f67926ccc011327c92722e8c4f7360f39b6e0d02895f705bf21d49bc4c12d29a425d8ab0

Score

10^/10

badrabbit persistence ransomware upx

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit

Executes dropped EXE 27 IoCs

pid	Process
584	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202.exe
848	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202a.exe
476	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202b.exe
1360	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202c.exe
1848	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202d.exe
2352	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202e.exe
2456	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202f.exe
3968	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202g.exe
4028	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202h.exe
2988	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202i.exe
2756	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202j.exe
752	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202k.exe
3288	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202l.exe
3960	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202m.exe
3964	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202n.exe
3444	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202o.exe
3372	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202p.exe
644	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202q.exe
3360	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202r.exe
788	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202s.exe
1456	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202t.exe
2344	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202u.exe
2460	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202v.exe
4032	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202w.exe
3928	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202x.exe
2740	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202y.exe
2752	7F19.tmp

UPX packed file 52 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000000689-115.dat	upx
behavioral2/files/0x0008000000000689-116.dat	upx
behavioral2/files/0x000200000001ab5c-119.dat	upx
behavioral2/files/0x000200000001ab5c-118.dat	upx
behavioral2/files/0x000200000001ab5d-122.dat	upx
behavioral2/files/0x000200000001ab5d-121.dat	upx
behavioral2/files/0x000100000001ab61-124.dat	upx
behavioral2/files/0x000100000001ab61-125.dat	upx
behavioral2/files/0x000100000001ab62-128.dat	upx
behavioral2/files/0x000100000001ab62-127.dat	upx
behavioral2/files/0x000100000001ab63-131.dat	upx
behavioral2/files/0x000100000001ab64-134.dat	upx
behavioral2/files/0x000100000001ab64-133.dat	upx
behavioral2/files/0x000100000001ab65-137.dat	upx
behavioral2/files/0x000100000001ab65-136.dat	upx
behavioral2/files/0x000100000001ab63-130.dat	upx
behavioral2/files/0x000100000001ab67-143.dat	upx
behavioral2/files/0x000100000001ab67-142.dat	upx
behavioral2/files/0x000100000001ab66-140.dat	upx
behavioral2/files/0x000100000001ab66-139.dat	upx
behavioral2/files/0x000100000001ab68-146.dat	upx
behavioral2/files/0x000100000001ab68-145.dat	upx
behavioral2/files/0x000100000001ab69-148.dat	upx
behavioral2/files/0x000100000001ab69-149.dat	upx
behavioral2/files/0x000100000001ab6a-151.dat	upx
behavioral2/files/0x000100000001ab6a-152.dat	upx
behavioral2/files/0x000100000001ab6b-155.dat	upx
behavioral2/files/0x000100000001ab6c-158.dat	upx
behavioral2/files/0x000100000001ab6d-161.dat	upx
behavioral2/files/0x000100000001ab6d-160.dat	upx
behavioral2/files/0x000100000001ab6c-157.dat	upx
behavioral2/files/0x000100000001ab6e-164.dat	upx
behavioral2/files/0x000100000001ab6e-163.dat	upx
behavioral2/files/0x000100000001ab6f-166.dat	upx
behavioral2/files/0x000100000001ab6f-167.dat	upx
behavioral2/files/0x000100000001ab6b-154.dat	upx
behavioral2/files/0x000100000001ab72-173.dat	upx
behavioral2/files/0x000100000001ab72-172.dat	upx
behavioral2/files/0x000100000001ab71-170.dat	upx
behavioral2/files/0x000100000001ab73-175.dat	upx
behavioral2/files/0x000100000001ab73-176.dat	upx
behavioral2/files/0x000100000001ab71-169.dat	upx
behavioral2/files/0x000100000001ab74-179.dat	upx
behavioral2/files/0x000100000001ab74-178.dat	upx
behavioral2/files/0x000100000001ab75-181.dat	upx
behavioral2/files/0x000100000001ab75-182.dat	upx
behavioral2/files/0x000100000001ab76-185.dat	upx
behavioral2/files/0x000100000001ab76-184.dat	upx
behavioral2/files/0x000100000001ab77-188.dat	upx
behavioral2/files/0x000100000001ab77-187.dat	upx
behavioral2/files/0x000100000001ab78-190.dat	upx
behavioral2/files/0x000100000001ab78-191.dat	upx

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202d.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202s.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202j.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202i.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202t.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202s.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202x.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202g.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202p.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202o.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202q.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202a.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202c.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202g.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202k.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202j.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202r.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202y.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202x.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202b.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202m.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202u.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202x.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202w.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202u.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202e.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202f.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202i.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202l.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202m.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202r.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202w.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202v.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202w.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202h.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202i.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202h.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202n.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202o.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202q.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202p.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202l.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202k.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202o.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202v.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202u.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\7F19.tmp	rundll32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2740	schtasks.exe
2416	schtasks.exe

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 961c5c12cf1d8cb0	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202x.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2752	7F19.tmp
2752	7F19.tmp
2752	7F19.tmp
2752	7F19.tmp
2752	7F19.tmp
2752	7F19.tmp
2744	rundll32.exe
2744	rundll32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2744	rundll32.exe
Token: SeDebugPrivilege	2744	rundll32.exe
Token: SeTcbPrivilege	2744	rundll32.exe
Token: SeDebugPrivilege	2752	7F19.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 584	2112	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670.exe	72
PID 2112 wrote to memory of 584	2112	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670.exe	72
PID 2112 wrote to memory of 584	2112	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670.exe	72
PID 584 wrote to memory of 848	584	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202.exe	73
PID 584 wrote to memory of 848	584	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202.exe	73
PID 584 wrote to memory of 848	584	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202.exe	73
PID 848 wrote to memory of 476	848	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202a.exe	75
PID 848 wrote to memory of 476	848	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202a.exe	75
PID 848 wrote to memory of 476	848	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202a.exe	75
PID 476 wrote to memory of 1360	476	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202b.exe	78
PID 476 wrote to memory of 1360	476	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202b.exe	78
PID 476 wrote to memory of 1360	476	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202b.exe	78
PID 1360 wrote to memory of 1848	1360	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202c.exe	77
PID 1360 wrote to memory of 1848	1360	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202c.exe	77
PID 1360 wrote to memory of 1848	1360	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202c.exe	77
PID 1848 wrote to memory of 2352	1848	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202d.exe	79
PID 1848 wrote to memory of 2352	1848	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202d.exe	79
PID 1848 wrote to memory of 2352	1848	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202d.exe	79
PID 2352 wrote to memory of 2456	2352	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202e.exe	80
PID 2352 wrote to memory of 2456	2352	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202e.exe	80
PID 2352 wrote to memory of 2456	2352	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202e.exe	80
PID 2456 wrote to memory of 3968	2456	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202f.exe	81
PID 2456 wrote to memory of 3968	2456	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202f.exe	81
PID 2456 wrote to memory of 3968	2456	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202f.exe	81
PID 3968 wrote to memory of 4028	3968	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202g.exe	82
PID 3968 wrote to memory of 4028	3968	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202g.exe	82
PID 3968 wrote to memory of 4028	3968	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202g.exe	82
PID 4028 wrote to memory of 2988	4028	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202h.exe	83
PID 4028 wrote to memory of 2988	4028	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202h.exe	83
PID 4028 wrote to memory of 2988	4028	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202h.exe	83
PID 2988 wrote to memory of 2756	2988	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202i.exe	84
PID 2988 wrote to memory of 2756	2988	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202i.exe	84
PID 2988 wrote to memory of 2756	2988	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202i.exe	84
PID 2756 wrote to memory of 752	2756	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202j.exe	86
PID 2756 wrote to memory of 752	2756	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202j.exe	86
PID 2756 wrote to memory of 752	2756	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202j.exe	86
PID 752 wrote to memory of 3288	752	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202k.exe	96
PID 752 wrote to memory of 3288	752	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202k.exe	96
PID 752 wrote to memory of 3288	752	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202k.exe	96
PID 3288 wrote to memory of 3960	3288	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202l.exe	88
PID 3288 wrote to memory of 3960	3288	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202l.exe	88
PID 3288 wrote to memory of 3960	3288	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202l.exe	88
PID 3960 wrote to memory of 3964	3960	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202m.exe	89
PID 3960 wrote to memory of 3964	3960	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202m.exe	89
PID 3960 wrote to memory of 3964	3960	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202m.exe	89
PID 3964 wrote to memory of 3444	3964	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202n.exe	90
PID 3964 wrote to memory of 3444	3964	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202n.exe	90
PID 3964 wrote to memory of 3444	3964	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202n.exe	90
PID 3444 wrote to memory of 3372	3444	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202o.exe	91
PID 3444 wrote to memory of 3372	3444	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202o.exe	91
PID 3444 wrote to memory of 3372	3444	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202o.exe	91
PID 3372 wrote to memory of 644	3372	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202p.exe	92
PID 3372 wrote to memory of 644	3372	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202p.exe	92
PID 3372 wrote to memory of 644	3372	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202p.exe	92
PID 644 wrote to memory of 3360	644	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202q.exe	93
PID 644 wrote to memory of 3360	644	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202q.exe	93
PID 644 wrote to memory of 3360	644	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202q.exe	93
PID 3360 wrote to memory of 788	3360	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202r.exe	94
PID 3360 wrote to memory of 788	3360	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202r.exe	94
PID 3360 wrote to memory of 788	3360	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202r.exe	94
PID 788 wrote to memory of 1456	788	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202s.exe	95
PID 788 wrote to memory of 1456	788	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202s.exe	95
PID 788 wrote to memory of 1456	788	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202s.exe	95
PID 1456 wrote to memory of 2344	1456	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202t.exe	97

C:\Users\Admin\AppData\Local\Temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670.exe
"C:\Users\Admin\AppData\Local\Temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2112
- \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202.exe
  c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:584
- - \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202a.exe
    c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202a.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:848
  - - \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202b.exe
      c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202b.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:476
    - - \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202c.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202c.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1360

\??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202d.exe
c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202d.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1848
- \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202e.exe
  c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202e.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2352
- - \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202f.exe
    c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202f.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202g.exe
      c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202g.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3968
    - - \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202h.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202h.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
      - \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202i.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202i.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202j.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202j.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202k.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202k.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202l.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202l.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3288

\??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202m.exe
c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202m.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3960
- \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202n.exe
  c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202n.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3964
- - \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202o.exe
    c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202o.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3444
  - - \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202p.exe
      c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202p.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3372
    - - \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202q.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202q.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:644
      - \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202r.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202r.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202s.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202s.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202t.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202t.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202u.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202u.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2344
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202v.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202v.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2460
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202w.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202w.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4032
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202x.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202x.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3928
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202y.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202y.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2740

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\infpub.dat",#2 15
1⤵
PID:3488
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    PID:1524
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:3932
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 240234305 && exit"
    3⤵
    PID:2840
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 240234305 && exit"
      4⤵
      Creates scheduled task(s)
      PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:42:00
    3⤵
    PID:3876
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:42:00
      4⤵
      Creates scheduled task(s)
      PID:2416
- - C:\Windows\7F19.tmp
    "C:\Windows\7F19.tmp" \\.\pipe\{4211F177-9797-4D98-91AB-9CB81FFB11E7}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2744-193-0x0000000003210000-0x0000000003278000-memory.dmp

Filesize
416KB

Download
memory/2744-198-0x0000000003210000-0x0000000003278000-memory.dmp

Filesize
416KB

Download