7db12168db2668990a09c311b611c2f8f6b65451f48d92ac7a61ebb460a3d736

Analysis

max time kernel
152s
max time network
198s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7db12168db2668990a09c311b611c2f8f6b65451f48d92ac7a61ebb460a3d736.dll
Size

541KB
MD5

c12eff8d72d6a7d0bccd4c3947ba1271
SHA1

351fee49a5207d1f16ddc036294b74cc98f06690
SHA256

7db12168db2668990a09c311b611c2f8f6b65451f48d92ac7a61ebb460a3d736
SHA512

314402d330f0c01b131fcc78287472ee496120c9ba526b87438908fd85000a771ebb11386392bf6ff2fba8c3a08179e6cf9c8a7b50b10dd4d7cb07dc1de81c37
SSDEEP

12288:gKXAyRw6k2wnnA9UhcOsyj/kidgR6ncbGUTLyEud6p2Qh5zb:6yRw6k20WU6yAp6cV3txh5zb

Score

8^/10

persistence vmprotect

Malware Config

Signatures

Downloads MZ/PE file

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl	vmprotect
\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl	vmprotect
\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl	vmprotect
\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl	vmprotect
behavioral1/memory/1520-84-0x000000005FF40000-0x00000000601FD000-memory.dmp	vmprotect
\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl	vmprotect
behavioral1/memory/768-90-0x000000005FF40000-0x00000000601FD000-memory.dmp	vmprotect

Drops startup file 1 IoCs

Processes:

iexplore.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.LNK iexplore.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1520 rundll32.exe
1520 rundll32.exe
1520 rundll32.exe
768 rundll32.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.LNK	iexplore.exe

pid	process
1520	rundll32.exe
1520	rundll32.exe
1520	rundll32.exe
768	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Firewall Cpl = "C:\\Users\\Admin\\Microsoft\\WindowsUpdate\\rundll32.cpl"	iexplore.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

rundll32.exerundll32.exeiexplore.exe

description	pid	process	target process
PID 1456 set thread context of 1712	1456	rundll32.exe	svchost.exe
PID 1520 set thread context of 1732	1520	rundll32.exe	iexplore.exe
PID 1732 set thread context of 2020	1732	iexplore.exe	iexplore.exe
PID 1732 set thread context of 384	1732	iexplore.exe	iexplore.exe
PID 1732 set thread context of 964	1732	iexplore.exe	iexplore.exe
PID 1732 set thread context of 1608	1732	iexplore.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da0000000002000000000010660000000100002000000064c3a6928ce18d75a9f9c47e632d8cde57f38ee09b28872638cb8a7a79a47356000000000e8000000002000020000000997aaece16cf2df65f964c2f865b0bfad0e6bbef58f60ce62c4ddddbe27cedcb20000000ea7274e0237172e33b76a11bcd0688b064df51dbbef66611fa40487c8acecadb40000000329782c80d42af033c02773e12d6ac7f7a098435ae75f3e5a267ea9962b6ed3a1b3234f1c7da41367d52ffbb8d26046105455eaf11c14e48d4ba67de4b8e7617	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da000000000200000000001066000000010000200000003f6bae77fb20be0f21075141570ab4f2cc180bacd96953ed73be6c3404d6d601000000000e80000000020000200000002ded3f22755e091675f359cf3508899e7468c17d8136236352c2445208ee37c290000000278ac2a3bbd44ecaafe67e33f305be83e1398961a74e5d08ce9b7cfc6710fc80255c50d1b5ea2a90e0081cd8c2a967c63555ad5718c7c244e68247da11c1e393f923065ca9f4fc679d5f3d4b0cde405621190f4f803511413f82327df63b584433b6a3e911bd93ac259a63d703c33acb761965825a30bcd423f415ac7bd0fd9d4e63b86a3f370b686b2df9e4fbd2f3bb40000000d7195612b35d36f5f2e9ee8a7975f17a339f0149db3cdbe18083ab9e0e91d8d2626ef6658d4b07702b292baf63d179f7905a72e0f4ec3be7d7140edc8b2a4714	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{774E8811-6D86-11ED-8B07-42F1C931D1AB} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4075d58c9301d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\Enabled = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376230984"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 64 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

iexplore.exe

pid process

2020 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1068 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1068 iexplore.exe
1068 iexplore.exe
360 IEXPLORE.EXE
360 IEXPLORE.EXE
360 IEXPLORE.EXE
360 IEXPLORE.EXE

description	flow	ioc
HTTP User-Agent header	64	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
2020	iexplore.exe

pid	process
1068	iexplore.exe

pid	process
1068	iexplore.exe
1068	iexplore.exe
360	IEXPLORE.EXE
360	IEXPLORE.EXE
360	IEXPLORE.EXE
360	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exesvchost.exeiexplore.execmd.execontrol.exerundll32.exeRunDll32.exeiexplore.exe

description	pid	process	target process
PID 848 wrote to memory of 1456	848	rundll32.exe	rundll32.exe
PID 848 wrote to memory of 1456	848	rundll32.exe	rundll32.exe
PID 848 wrote to memory of 1456	848	rundll32.exe	rundll32.exe
PID 848 wrote to memory of 1456	848	rundll32.exe	rundll32.exe
PID 848 wrote to memory of 1456	848	rundll32.exe	rundll32.exe
PID 848 wrote to memory of 1456	848	rundll32.exe	rundll32.exe
PID 848 wrote to memory of 1456	848	rundll32.exe	rundll32.exe
PID 1456 wrote to memory of 1712	1456	rundll32.exe	svchost.exe
PID 1456 wrote to memory of 1712	1456	rundll32.exe	svchost.exe
PID 1456 wrote to memory of 1712	1456	rundll32.exe	svchost.exe
PID 1456 wrote to memory of 1712	1456	rundll32.exe	svchost.exe
PID 1456 wrote to memory of 1712	1456	rundll32.exe	svchost.exe
PID 1456 wrote to memory of 1712	1456	rundll32.exe	svchost.exe
PID 1712 wrote to memory of 1068	1712	svchost.exe	iexplore.exe
PID 1712 wrote to memory of 1068	1712	svchost.exe	iexplore.exe
PID 1712 wrote to memory of 1068	1712	svchost.exe	iexplore.exe
PID 1712 wrote to memory of 1068	1712	svchost.exe	iexplore.exe
PID 1068 wrote to memory of 360	1068	iexplore.exe	IEXPLORE.EXE
PID 1068 wrote to memory of 360	1068	iexplore.exe	IEXPLORE.EXE
PID 1068 wrote to memory of 360	1068	iexplore.exe	IEXPLORE.EXE
PID 1068 wrote to memory of 360	1068	iexplore.exe	IEXPLORE.EXE
PID 1712 wrote to memory of 1376	1712	svchost.exe	cmd.exe
PID 1712 wrote to memory of 1376	1712	svchost.exe	cmd.exe
PID 1712 wrote to memory of 1376	1712	svchost.exe	cmd.exe
PID 1712 wrote to memory of 1376	1712	svchost.exe	cmd.exe
PID 1376 wrote to memory of 1840	1376	cmd.exe	control.exe
PID 1376 wrote to memory of 1840	1376	cmd.exe	control.exe
PID 1376 wrote to memory of 1840	1376	cmd.exe	control.exe
PID 1376 wrote to memory of 1840	1376	cmd.exe	control.exe
PID 1840 wrote to memory of 1520	1840	control.exe	rundll32.exe
PID 1840 wrote to memory of 1520	1840	control.exe	rundll32.exe
PID 1840 wrote to memory of 1520	1840	control.exe	rundll32.exe
PID 1840 wrote to memory of 1520	1840	control.exe	rundll32.exe
PID 1840 wrote to memory of 1520	1840	control.exe	rundll32.exe
PID 1840 wrote to memory of 1520	1840	control.exe	rundll32.exe
PID 1840 wrote to memory of 1520	1840	control.exe	rundll32.exe
PID 1520 wrote to memory of 1732	1520	rundll32.exe	iexplore.exe
PID 1520 wrote to memory of 1732	1520	rundll32.exe	iexplore.exe
PID 1520 wrote to memory of 1732	1520	rundll32.exe	iexplore.exe
PID 1520 wrote to memory of 1732	1520	rundll32.exe	iexplore.exe
PID 1520 wrote to memory of 1732	1520	rundll32.exe	iexplore.exe
PID 1520 wrote to memory of 1732	1520	rundll32.exe	iexplore.exe
PID 1520 wrote to memory of 1504	1520	rundll32.exe	RunDll32.exe
PID 1520 wrote to memory of 1504	1520	rundll32.exe	RunDll32.exe
PID 1520 wrote to memory of 1504	1520	rundll32.exe	RunDll32.exe
PID 1520 wrote to memory of 1504	1520	rundll32.exe	RunDll32.exe
PID 1504 wrote to memory of 768	1504	RunDll32.exe	rundll32.exe
PID 1504 wrote to memory of 768	1504	RunDll32.exe	rundll32.exe
PID 1504 wrote to memory of 768	1504	RunDll32.exe	rundll32.exe
PID 1504 wrote to memory of 768	1504	RunDll32.exe	rundll32.exe
PID 1504 wrote to memory of 768	1504	RunDll32.exe	rundll32.exe
PID 1504 wrote to memory of 768	1504	RunDll32.exe	rundll32.exe
PID 1504 wrote to memory of 768	1504	RunDll32.exe	rundll32.exe
PID 1732 wrote to memory of 2020	1732	iexplore.exe	iexplore.exe
PID 1732 wrote to memory of 2020	1732	iexplore.exe	iexplore.exe
PID 1732 wrote to memory of 2020	1732	iexplore.exe	iexplore.exe
PID 1732 wrote to memory of 2020	1732	iexplore.exe	iexplore.exe
PID 1732 wrote to memory of 2020	1732	iexplore.exe	iexplore.exe
PID 1732 wrote to memory of 2020	1732	iexplore.exe	iexplore.exe
PID 1732 wrote to memory of 384	1732	iexplore.exe	iexplore.exe
PID 1732 wrote to memory of 384	1732	iexplore.exe	iexplore.exe
PID 1732 wrote to memory of 384	1732	iexplore.exe	iexplore.exe
PID 1732 wrote to memory of 384	1732	iexplore.exe	iexplore.exe
PID 1732 wrote to memory of 384	1732	iexplore.exe	iexplore.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7db12168db2668990a09c311b611c2f8f6b65451f48d92ac7a61ebb460a3d736.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7db12168db2668990a09c311b611c2f8f6b65451f48d92ac7a61ebb460a3d736.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.java.com/pt_BR/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1068
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1068 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:360
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c call C:\Users\Admin\AppData\Local\Temp\YYYY.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1376
    - - C:\Windows\SysWOW64\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl",
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1840
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl",
        6⤵
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -embedding
        7⤵
        Drops startup file
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\\Internet Explorer\iexplore.exe" -embedding
        8⤵
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:2020
        
        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\\Internet Explorer\iexplore.exe" -embedding
        8⤵
        
        PID:384
        
        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\\Internet Explorer\iexplore.exe" -embedding
        8⤵
        
        PID:964
        
        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\\Internet Explorer\iexplore.exe" -embedding
        8⤵
        
        PID:1608
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl",
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl",
        8⤵
        Loads dropped DLL
        
        PID:768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d10f1cfddd2f582a4fe1977fb01bd266

SHA1
13e0552ce4c8dc0e908107cade630cab94b28db2

SHA256
11a1bd8bc2096351d4823709f59240b8d085e485031e2af240b47a05210473ea

SHA512
5bd264f689f42cb156d56c8becae5a60dbfb1e7eef75ecb51c96b3a76b8728e28afad57127773ab21d4f18f86439a75a5a877d974e6e3d2ddbca57f2535f278c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afb3e6a5cea5d90902b5667cf604db2f

SHA1
5589b4187a16edc645f396de3f14698e154469c0

SHA256
b7922cc3f6800411562a8734afece6688c8d4affc20e54a7198d8e357415c6de

SHA512
b98e65dbcf5bcf262668a86e618c0a4b15d59d6d3f5a66136bf1afe4bd06ecde8ecbb6e41abed56f7fcb2a4bf36a3de3ceea8b625f189fbfcc29468a42cf4775

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37b2e46904f8756447e406b082a26b0e

SHA1
64d9e8ebf28d69947057348d7583415dccdffcfb

SHA256
3123b871d73d8bae6722ef963347b66baf5375920b879a49d403d40a21e8f115

SHA512
914028a1b4b0d9167fd3eb53c9d7392abec2fb19dc30274ab7239e5354fe2dc66ba7b42cb6ced7262d01cc5382415d07af27bdc25b3adbd2f66d90a0c2b1ceee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a55af9163f0e7c8e18255f8945132b3

SHA1
8737bd9c81f2fccf126ac7c27807298b938ea63e

SHA256
8919e5ad038001e58a664cbc591c4702e418ba93606cf16df775e8392c30ed00

SHA512
226a91d68a1b12260ad8a740ab75ac43c81ab750579086d032efd6b93f52ff313ec1571aa54251e2a66a174b40e93690b0a54626841b3a6db73ac0ad0db15267

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51edab9b3a9442f3fd8cdb9e1f713313

SHA1
ba8aec44a99f3f91c84fa9f863dcf24c417701e5

SHA256
a7e10e0b673a647b56892afca2071189846836ea997efa94644e95de573a44fe

SHA512
38c1e06d3b7c7c2eb15bf0d2415bc11edfd4b42ee23d4899ff0c92b9baedfb512bdb9dc7cb37a363246b6429e6a25bec617f474d3072f854fc0355b79f1c52b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYYY.bat

Filesize
186B

MD5
ed5d0dd1e636b46c029431fe1b22c177

SHA1
8730dbda5b02b208025efc9729078fd922916244

SHA256
19aa3105126cc8c82f49a43b611d43ca5c86e2a23cbd924cf43f0b58f6786eba

SHA512
ac5a61fed23e6c7455059ff959e32f9d648fd830fc5d1febdbc8b4907db7e1bb8bb73013ec1fd71dc3ca506598b9a591342e27f6d8e1884af414d3efda256526

Download Submit
C:\Users\Admin\AppData\Local\Temp\image.gif

Filesize
1KB

MD5
efed2d96aa5344910603f3538edbea7e

SHA1
c1988553afe101e4d6cbdb2901439ad01ddf4640

SHA256
7c4ccaca19175775f6fbeac19e6d6bb0497c40e76a774e5dfa481e3ccc66aed5

SHA512
b324b4e62b7f6f4334c06d40d9855bb602812be14fe41040572addbcf9a51a4a227bd63ef614242ecb15ebe89aa9304146710e4bc129b46e4a453b2b794e42ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MGXNTHIQ.txt

Filesize
608B

MD5
1c9117e65233b9bad24ff94351286fef

SHA1
771a3553f301865a82b0c8d125f61678a79efb37

SHA256
2b464ab5f749191eb52a2008fd0bd30c7d120976e83b6a88467997f745a6db55

SHA512
32c43450e62d9cf61862d9f138569c0d8a2ca6a9c14b53395bdb40c810f02c77ce2eaadb17d93ff69aa21ba50589ed3215ba7428ca351195de91e765bb8f9f87

Download Submit
C:\Users\Admin\Microsoft\WindowsUpdate\em4.jmp

Filesize
8.2MB

MD5
066c74a4c54e35a80beaf295cf8d460b

SHA1
46545679ad7e5acdc573d23fe3bcfea93bbbb2c3

SHA256
5ef54ab34b9140e528e64babe53d7b0938440a8c9bba619e9802b5e50d724898

SHA512
2bc7e62a21b91cc8ed7f6a3d91dad20bae9f1f45e0b9af0931fe538e4a232bc14225164b13fa67f4f8bfede907067d2f7c772baec8722826a0382ccbe8b40c3b

Download Submit
C:\Users\Admin\Microsoft\WindowsUpdate\em5.jmp

Filesize
1.1MB

MD5
0a9e1f77c45cca70272b33865de7936e

SHA1
a5795ef4bc0b83571b7a5b5ddc5d7255451b8948

SHA256
7eb2b0e0e856828b2b2253377d87b03657492e4cfab23450f9aaa078c743da5c

SHA512
3e3eaf7708c1d8b511d86c8081baec275d3aa90ee0e34c4addf5fe1447642371910805fca9dd9245e89bb717d7f61a0b2b9c8c6d365e24281963d51ca63db371

Download Submit
C:\Users\Admin\Microsoft\WindowsUpdate\em6.jmp

Filesize
1.1MB

MD5
779e78cf8089787cf3c61503af0866ac

SHA1
76c2388422b9c6bcc362de42c3f6f034d8311588

SHA256
330d13511cd53832f279e101d8aa86537915852cebff8ec700f26ec019372568

SHA512
dad0d36e27251f0ecffda4343eef6e4db778635b05777d72207716d8b8f652281c876236065dca370a5b60dea7368d1cb681826abc28afd1c4bc412f299cd7b6

Download Submit
C:\Users\Admin\Microsoft\WindowsUpdate\em7.jmp

Filesize
784KB

MD5
8a4c09849291a01329f02f9f21e615b5

SHA1
41e5a8d2e2a9fca4b2707fba4ad5dd9714829766

SHA256
558626ea14fdad17fabe84d3cb0c03cfc82f1ffc3e47c6ec6372ec2f15122110

SHA512
dd5a4dcd9506df344c877d602c867b04738c61c24ab93d5c10c9d9f3ccf1174a8c312f517f43769a241fca6eeaf409bd919349fe793b6490877b691fd8264a93

Download Submit
C:\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl

Filesize
1.2MB

MD5
9386510028d854a5241c293a16cbaf90

SHA1
7671438b4a84e99efc0b80a036ebef834318d575

SHA256
bc11905ed42badbe8cd313b33c5f0b43c7f9fc780aaa3fa000677b6af76272b7

SHA512
af5cc4ed87151854bb7f6f0f021efa5e8cab8da0dbd28776f7a98a4fd4878123ff8da789f804d7b6e34421a8a71d97d174e5078e3dac7d81e43fee242034f588

Download Submit
\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl

Filesize
1.2MB

MD5
9386510028d854a5241c293a16cbaf90

SHA1
7671438b4a84e99efc0b80a036ebef834318d575

SHA256
bc11905ed42badbe8cd313b33c5f0b43c7f9fc780aaa3fa000677b6af76272b7

SHA512
af5cc4ed87151854bb7f6f0f021efa5e8cab8da0dbd28776f7a98a4fd4878123ff8da789f804d7b6e34421a8a71d97d174e5078e3dac7d81e43fee242034f588

Download Submit
\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl

Filesize
1.2MB

MD5
9386510028d854a5241c293a16cbaf90

SHA1
7671438b4a84e99efc0b80a036ebef834318d575

SHA256
bc11905ed42badbe8cd313b33c5f0b43c7f9fc780aaa3fa000677b6af76272b7

SHA512
af5cc4ed87151854bb7f6f0f021efa5e8cab8da0dbd28776f7a98a4fd4878123ff8da789f804d7b6e34421a8a71d97d174e5078e3dac7d81e43fee242034f588

Download Submit
\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl

Filesize
1.2MB

MD5
9386510028d854a5241c293a16cbaf90

SHA1
7671438b4a84e99efc0b80a036ebef834318d575

SHA256
bc11905ed42badbe8cd313b33c5f0b43c7f9fc780aaa3fa000677b6af76272b7

SHA512
af5cc4ed87151854bb7f6f0f021efa5e8cab8da0dbd28776f7a98a4fd4878123ff8da789f804d7b6e34421a8a71d97d174e5078e3dac7d81e43fee242034f588

Download Submit
\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl

Filesize
1.2MB

MD5
9386510028d854a5241c293a16cbaf90

SHA1
7671438b4a84e99efc0b80a036ebef834318d575

SHA256
bc11905ed42badbe8cd313b33c5f0b43c7f9fc780aaa3fa000677b6af76272b7

SHA512
af5cc4ed87151854bb7f6f0f021efa5e8cab8da0dbd28776f7a98a4fd4878123ff8da789f804d7b6e34421a8a71d97d174e5078e3dac7d81e43fee242034f588

Download Submit
memory/768-90-0x000000005FF40000-0x00000000601FD000-memory.dmp

Filesize
2.7MB

Download
memory/768-87-0x0000000000000000-mapping.dmp

Download
memory/1376-71-0x0000000000000000-mapping.dmp

Download
memory/1456-54-0x0000000000000000-mapping.dmp

Download
memory/1456-66-0x0000000005F20000-0x000000000602D000-memory.dmp

Filesize
1.1MB

Download
memory/1456-64-0x0000000005F20000-0x000000000602D000-memory.dmp

Filesize
1.1MB

Download
memory/1456-55-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/1504-86-0x0000000000000000-mapping.dmp

Download
memory/1520-79-0x0000000000000000-mapping.dmp

Download
memory/1520-84-0x000000005FF40000-0x00000000601FD000-memory.dmp

Filesize
2.7MB

Download
memory/1712-58-0x0000000008C60000-0x0000000008CBF000-memory.dmp

Filesize
380KB

Download
memory/1712-65-0x0000000008C60000-0x0000000008CBF000-memory.dmp

Filesize
380KB

Download
memory/1712-73-0x0000000008C60000-0x0000000008CBF000-memory.dmp

Filesize
380KB

Download
memory/1712-59-0x0000000008CA2744-mapping.dmp

Download
memory/1712-60-0x0000000008C60000-0x0000000008CBF000-memory.dmp

Filesize
380KB

Download
memory/1712-56-0x0000000008C60000-0x0000000008CBF000-memory.dmp

Filesize
380KB

Download
memory/1712-62-0x0000000008C60000-0x0000000008CBF000-memory.dmp

Filesize
380KB

Download
memory/1840-77-0x0000000000000000-mapping.dmp

Download