dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3

Analysis

max time kernel
151s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Size

425KB
MD5

de8e739e054e0ee9cb3d6f803d957419
SHA1

12cdd7253215512183847ff8c7f7b17a7426c32c
SHA256

dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3
SHA512

09781fde0c514e0d16474e2e94c5f17db5e39b46d1a70653b89d3cc45310bf958c4258ea542148b13c977fffee54acde1048b26da643dc7a05f405db13858ec9
SSDEEP

12288:xCpSZaPeLADixs3Vj7YWOVNqN+sILUZGGQjQ:3gP2AGsFj7tOVNeILUZGGQj

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 27 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe

Adds Run key to start application 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1988	2028	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	28
PID 2028 wrote to memory of 1988	2028	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	28
PID 2028 wrote to memory of 1988	2028	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	28
PID 2028 wrote to memory of 1988	2028	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	28
PID 1988 wrote to memory of 1676	1988	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	29
PID 1988 wrote to memory of 1676	1988	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	29
PID 1988 wrote to memory of 1676	1988	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	29
PID 1988 wrote to memory of 1676	1988	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	29
PID 1676 wrote to memory of 1492	1676	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	30
PID 1676 wrote to memory of 1492	1676	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	30
PID 1676 wrote to memory of 1492	1676	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	30
PID 1676 wrote to memory of 1492	1676	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	30
PID 1492 wrote to memory of 380	1492	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	31
PID 1492 wrote to memory of 380	1492	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	31
PID 1492 wrote to memory of 380	1492	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	31
PID 1492 wrote to memory of 380	1492	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	31
PID 380 wrote to memory of 544	380	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	32
PID 380 wrote to memory of 544	380	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	32
PID 380 wrote to memory of 544	380	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	32
PID 380 wrote to memory of 544	380	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	32
PID 544 wrote to memory of 824	544	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	33
PID 544 wrote to memory of 824	544	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	33
PID 544 wrote to memory of 824	544	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	33
PID 544 wrote to memory of 824	544	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	33
PID 824 wrote to memory of 584	824	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	34
PID 824 wrote to memory of 584	824	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	34
PID 824 wrote to memory of 584	824	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	34
PID 824 wrote to memory of 584	824	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	34
PID 584 wrote to memory of 1168	584	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	35
PID 584 wrote to memory of 1168	584	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	35
PID 584 wrote to memory of 1168	584	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	35
PID 584 wrote to memory of 1168	584	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	35
PID 1168 wrote to memory of 1652	1168	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	36
PID 1168 wrote to memory of 1652	1168	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	36
PID 1168 wrote to memory of 1652	1168	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	36
PID 1168 wrote to memory of 1652	1168	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	36
PID 1652 wrote to memory of 1560	1652	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	37
PID 1652 wrote to memory of 1560	1652	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	37
PID 1652 wrote to memory of 1560	1652	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	37
PID 1652 wrote to memory of 1560	1652	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	37
PID 1560 wrote to memory of 2012	1560	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	38
PID 1560 wrote to memory of 2012	1560	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	38
PID 1560 wrote to memory of 2012	1560	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	38
PID 1560 wrote to memory of 2012	1560	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	38
PID 2012 wrote to memory of 900	2012	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	39
PID 2012 wrote to memory of 900	2012	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	39
PID 2012 wrote to memory of 900	2012	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	39
PID 2012 wrote to memory of 900	2012	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	39
PID 900 wrote to memory of 976	900	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	40
PID 900 wrote to memory of 976	900	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	40
PID 900 wrote to memory of 976	900	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	40
PID 900 wrote to memory of 976	900	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	40
PID 976 wrote to memory of 1828	976	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	41
PID 976 wrote to memory of 1828	976	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	41
PID 976 wrote to memory of 1828	976	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	41
PID 976 wrote to memory of 1828	976	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	41
PID 1828 wrote to memory of 1100	1828	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	42
PID 1828 wrote to memory of 1100	1828	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	42
PID 1828 wrote to memory of 1100	1828	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	42
PID 1828 wrote to memory of 1100	1828	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	42
PID 1100 wrote to memory of 1540	1100	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	43
PID 1100 wrote to memory of 1540	1100	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	43
PID 1100 wrote to memory of 1540	1100	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	43
PID 1100 wrote to memory of 1540	1100	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	43

C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
"C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
  C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
  2⤵
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
    C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
      C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
      4⤵
      Modifies WinLogon for persistence
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1492
    - - C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        5⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:380
      - C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        6⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        7⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        8⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        9⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        10⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        11⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        12⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        13⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        14⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        15⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        16⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        17⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        18⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        19⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        20⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        21⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        22⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        23⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        24⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:108
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        25⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        26⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        27⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2028-54-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads