dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Size

425KB
MD5

de8e739e054e0ee9cb3d6f803d957419
SHA1

12cdd7253215512183847ff8c7f7b17a7426c32c
SHA256

dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3
SHA512

09781fde0c514e0d16474e2e94c5f17db5e39b46d1a70653b89d3cc45310bf958c4258ea542148b13c977fffee54acde1048b26da643dc7a05f405db13858ec9
SSDEEP

12288:xCpSZaPeLADixs3Vj7YWOVNqN+sILUZGGQjQ:3gP2AGsFj7tOVNeILUZGGQj

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 25 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe msnmngr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgnr = "C:\\Windows\\system32\\msnmgnr.exe"	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 4784	1848	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	81
PID 1848 wrote to memory of 4784	1848	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	81
PID 1848 wrote to memory of 4784	1848	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	81
PID 4784 wrote to memory of 4864	4784	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	82
PID 4784 wrote to memory of 4864	4784	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	82
PID 4784 wrote to memory of 4864	4784	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	82
PID 4864 wrote to memory of 2972	4864	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	83
PID 4864 wrote to memory of 2972	4864	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	83
PID 4864 wrote to memory of 2972	4864	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	83
PID 2972 wrote to memory of 1492	2972	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	84
PID 2972 wrote to memory of 1492	2972	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	84
PID 2972 wrote to memory of 1492	2972	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	84
PID 1492 wrote to memory of 4564	1492	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	90
PID 1492 wrote to memory of 4564	1492	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	90
PID 1492 wrote to memory of 4564	1492	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	90
PID 4564 wrote to memory of 3816	4564	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	94
PID 4564 wrote to memory of 3816	4564	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	94
PID 4564 wrote to memory of 3816	4564	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	94
PID 3816 wrote to memory of 3512	3816	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	95
PID 3816 wrote to memory of 3512	3816	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	95
PID 3816 wrote to memory of 3512	3816	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	95
PID 3512 wrote to memory of 1788	3512	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	96
PID 3512 wrote to memory of 1788	3512	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	96
PID 3512 wrote to memory of 1788	3512	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	96
PID 1788 wrote to memory of 2348	1788	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	97
PID 1788 wrote to memory of 2348	1788	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	97
PID 1788 wrote to memory of 2348	1788	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	97
PID 2348 wrote to memory of 1164	2348	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	98
PID 2348 wrote to memory of 1164	2348	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	98
PID 2348 wrote to memory of 1164	2348	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	98
PID 1164 wrote to memory of 1040	1164	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	99
PID 1164 wrote to memory of 1040	1164	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	99
PID 1164 wrote to memory of 1040	1164	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	99
PID 1040 wrote to memory of 2368	1040	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	100
PID 1040 wrote to memory of 2368	1040	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	100
PID 1040 wrote to memory of 2368	1040	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	100
PID 2368 wrote to memory of 948	2368	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	101
PID 2368 wrote to memory of 948	2368	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	101
PID 2368 wrote to memory of 948	2368	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	101
PID 948 wrote to memory of 2356	948	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	102
PID 948 wrote to memory of 2356	948	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	102
PID 948 wrote to memory of 2356	948	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	102
PID 2356 wrote to memory of 912	2356	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	103
PID 2356 wrote to memory of 912	2356	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	103
PID 2356 wrote to memory of 912	2356	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	103
PID 912 wrote to memory of 476	912	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	104
PID 912 wrote to memory of 476	912	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	104
PID 912 wrote to memory of 476	912	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	104
PID 476 wrote to memory of 64	476	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	105
PID 476 wrote to memory of 64	476	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	105
PID 476 wrote to memory of 64	476	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	105
PID 64 wrote to memory of 3364	64	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	106
PID 64 wrote to memory of 3364	64	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	106
PID 64 wrote to memory of 3364	64	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	106
PID 3364 wrote to memory of 540	3364	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	107
PID 3364 wrote to memory of 540	3364	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	107
PID 3364 wrote to memory of 540	3364	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	107
PID 540 wrote to memory of 628	540	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	108
PID 540 wrote to memory of 628	540	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	108
PID 540 wrote to memory of 628	540	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	108
PID 628 wrote to memory of 992	628	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	109
PID 628 wrote to memory of 992	628	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	109
PID 628 wrote to memory of 992	628	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	109
PID 992 wrote to memory of 2328	992	dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe	110

C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
"C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
  C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
  2⤵
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
    C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
      C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
      4⤵
      Modifies WinLogon for persistence
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        5⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1492
      - C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        6⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        7⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        8⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        9⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        10⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        11⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        12⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        13⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        14⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        15⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        16⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        17⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:476
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        18⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        19⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        20⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        21⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        22⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        23⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        24⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\\dd2d6f1aa1f4020a4ab99788c989d4791a8ade596ebab31de0d1fd0d6116d7b3.exe
        25⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads