8cc6db4b6b198bfe130a4c07babd2831fc159b1fb71c3daa3433b75d24a95fb0

Analysis

max time kernel
150s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cc6db4b6b198bfe130a4c07babd2831fc159b1fb71c3daa3433b75d24a95fb0.exe
Size

96KB
MD5

d20c6603c7df1edbe7c413529f596b6b
SHA1

cb1ed94ec30c81eb6449bb1398ed209d1f157b7b
SHA256

8cc6db4b6b198bfe130a4c07babd2831fc159b1fb71c3daa3433b75d24a95fb0
SHA512

d2e938cefe20ac39906e41c8f105bcdafaf36b7ebd081923e15ba5fe4d211b70bb8fba01422cd94bb73aef8f8a5f886f75957a2ef593a3969f06837e0c99207b
SSDEEP

1536:cOVKb0aEvq2cONTnu3yShqMr+Wu+8v1HTJKqOT5:/VKb0aEvqsTnuphliJTJK5T5

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1696	rundll16.exe

Loads dropped DLL 2 IoCs

pid	Process
2016	8cc6db4b6b198bfe130a4c07babd2831fc159b1fb71c3daa3433b75d24a95fb0.exe
2016	8cc6db4b6b198bfe130a4c07babd2831fc159b1fb71c3daa3433b75d24a95fb0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\systask = "C:\\Windows\\SysWOW64\\rundll16.exe"	rundll16.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll16.exe	8cc6db4b6b198bfe130a4c07babd2831fc159b1fb71c3daa3433b75d24a95fb0.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2016	8cc6db4b6b198bfe130a4c07babd2831fc159b1fb71c3daa3433b75d24a95fb0.exe
1696	rundll16.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1696	2016	8cc6db4b6b198bfe130a4c07babd2831fc159b1fb71c3daa3433b75d24a95fb0.exe	27
PID 2016 wrote to memory of 1696	2016	8cc6db4b6b198bfe130a4c07babd2831fc159b1fb71c3daa3433b75d24a95fb0.exe	27
PID 2016 wrote to memory of 1696	2016	8cc6db4b6b198bfe130a4c07babd2831fc159b1fb71c3daa3433b75d24a95fb0.exe	27
PID 2016 wrote to memory of 1696	2016	8cc6db4b6b198bfe130a4c07babd2831fc159b1fb71c3daa3433b75d24a95fb0.exe	27
PID 1696 wrote to memory of 1224	1696	rundll16.exe	28
PID 1696 wrote to memory of 1224	1696	rundll16.exe	28
PID 1696 wrote to memory of 1224	1696	rundll16.exe	28
PID 1696 wrote to memory of 1224	1696	rundll16.exe	28
PID 1224 wrote to memory of 1568	1224	net.exe	30
PID 1224 wrote to memory of 1568	1224	net.exe	30
PID 1224 wrote to memory of 1568	1224	net.exe	30
PID 1224 wrote to memory of 1568	1224	net.exe	30
PID 1696 wrote to memory of 1644	1696	rundll16.exe	31
PID 1696 wrote to memory of 1644	1696	rundll16.exe	31
PID 1696 wrote to memory of 1644	1696	rundll16.exe	31
PID 1696 wrote to memory of 1644	1696	rundll16.exe	31
PID 1644 wrote to memory of 952	1644	net.exe	33
PID 1644 wrote to memory of 952	1644	net.exe	33
PID 1644 wrote to memory of 952	1644	net.exe	33
PID 1644 wrote to memory of 952	1644	net.exe	33
PID 1696 wrote to memory of 1552	1696	rundll16.exe	34
PID 1696 wrote to memory of 1552	1696	rundll16.exe	34
PID 1696 wrote to memory of 1552	1696	rundll16.exe	34
PID 1696 wrote to memory of 1552	1696	rundll16.exe	34
PID 1552 wrote to memory of 468	1552	net.exe	36
PID 1552 wrote to memory of 468	1552	net.exe	36
PID 1552 wrote to memory of 468	1552	net.exe	36
PID 1552 wrote to memory of 468	1552	net.exe	36
PID 1696 wrote to memory of 684	1696	rundll16.exe	37
PID 1696 wrote to memory of 684	1696	rundll16.exe	37
PID 1696 wrote to memory of 684	1696	rundll16.exe	37
PID 1696 wrote to memory of 684	1696	rundll16.exe	37
PID 684 wrote to memory of 364	684	net.exe	39
PID 684 wrote to memory of 364	684	net.exe	39
PID 684 wrote to memory of 364	684	net.exe	39
PID 684 wrote to memory of 364	684	net.exe	39
PID 1696 wrote to memory of 892	1696	rundll16.exe	40
PID 1696 wrote to memory of 892	1696	rundll16.exe	40
PID 1696 wrote to memory of 892	1696	rundll16.exe	40
PID 1696 wrote to memory of 892	1696	rundll16.exe	40
PID 892 wrote to memory of 1560	892	net.exe	42
PID 892 wrote to memory of 1560	892	net.exe	42
PID 892 wrote to memory of 1560	892	net.exe	42
PID 892 wrote to memory of 1560	892	net.exe	42
PID 1696 wrote to memory of 928	1696	rundll16.exe	43
PID 1696 wrote to memory of 928	1696	rundll16.exe	43
PID 1696 wrote to memory of 928	1696	rundll16.exe	43
PID 1696 wrote to memory of 928	1696	rundll16.exe	43
PID 928 wrote to memory of 112	928	net.exe	45
PID 928 wrote to memory of 112	928	net.exe	45
PID 928 wrote to memory of 112	928	net.exe	45
PID 928 wrote to memory of 112	928	net.exe	45
PID 1696 wrote to memory of 820	1696	rundll16.exe	46
PID 1696 wrote to memory of 820	1696	rundll16.exe	46
PID 1696 wrote to memory of 820	1696	rundll16.exe	46
PID 1696 wrote to memory of 820	1696	rundll16.exe	46
PID 820 wrote to memory of 1824	820	net.exe	48
PID 820 wrote to memory of 1824	820	net.exe	48
PID 820 wrote to memory of 1824	820	net.exe	48
PID 820 wrote to memory of 1824	820	net.exe	48
PID 1696 wrote to memory of 1072	1696	rundll16.exe	49
PID 1696 wrote to memory of 1072	1696	rundll16.exe	49
PID 1696 wrote to memory of 1072	1696	rundll16.exe	49
PID 1696 wrote to memory of 1072	1696	rundll16.exe	49

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Classid = "masterrat666"	8cc6db4b6b198bfe130a4c07babd2831fc159b1fb71c3daa3433b75d24a95fb0.exe

C:\Users\Admin\AppData\Local\Temp\8cc6db4b6b198bfe130a4c07babd2831fc159b1fb71c3daa3433b75d24a95fb0.exe
"C:\Users\Admin\AppData\Local\Temp\8cc6db4b6b198bfe130a4c07babd2831fc159b1fb71c3daa3433b75d24a95fb0.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2016
- C:\Windows\SysWOW64\rundll16.exe
  C:\Windows\system32/rundll16.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1568
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:952
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:468
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:684
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:364
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:892
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1560
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:928
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:112
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:820
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1824
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1072
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1900
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1376
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1036
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1128
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1484
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1312
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1280
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:984
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1016
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:324
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2020
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:2008
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1428
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1676
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:896
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1704
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1716
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1000
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1768
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1540
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1644
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1460
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1352
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:280
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1264
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1700
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1152
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1588
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1792
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1924
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1556
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:772
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1920
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:796
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1416
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1180
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:856
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:688
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1312
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:560
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1344
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1660
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:324
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:932
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:860
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1444
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1248
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1092
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1880
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1632
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1224
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1568
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:952
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1784
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1652
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:624
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:692
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:468
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1264
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:668
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:392
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1152
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1964
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1688
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1012
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1724
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1824
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1920
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1904
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:552
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1748
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:796
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1068
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1484
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1180
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1440
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1312
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1200
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:884
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1764
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1488
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1708
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:304
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1596
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1428
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1248
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:888
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2040
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1704
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2016
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1768
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1620
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1740
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:316
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1692
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1644
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1460
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1772
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:364
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:764
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:892
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:268
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1964
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1040
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1012
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:820
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1724
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1524
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1920
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1492
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:584
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1900
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1812
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2028
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:452
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:856
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1220
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1360
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:688
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1280
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:604
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:560
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1736
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1496
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:932
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1076
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1612
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2008
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1600
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:896
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1756
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1716
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1000
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1532
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:960
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:972
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1552
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1540
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:900
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1352
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:684
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1700
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1868
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1588
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:532
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1924
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:928
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1320
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1824
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1912
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:772
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1904
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1388
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1748
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:824
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1484
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1172
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1440
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1324
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1984
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:2020
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1176
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:864
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1944
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1248
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:568
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:2040
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1716
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:2016
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll16.exe

Filesize
40KB

MD5
d936d5e35a919168f13ce0ca617e5c36

SHA1
8124e44ecd5838dd5f65c88958f77eb2e7f6d2c2

SHA256
1cb7b32879a93fd2f27fd94d379bdbbbf393af08fb990423685f8ee42d6b5e41

SHA512
ddc55dee1e24759ef840406f3b382708208e7f663ed18c78d82e13ef6e5b97d0acdb1d21b92755e77452d336d1d446cbb2504a314193f060addbaf0dfcee7414

Download Submit
\Windows\SysWOW64\rundll16.exe

Filesize
40KB

MD5
d936d5e35a919168f13ce0ca617e5c36

SHA1
8124e44ecd5838dd5f65c88958f77eb2e7f6d2c2

SHA256
1cb7b32879a93fd2f27fd94d379bdbbbf393af08fb990423685f8ee42d6b5e41

SHA512
ddc55dee1e24759ef840406f3b382708208e7f663ed18c78d82e13ef6e5b97d0acdb1d21b92755e77452d336d1d446cbb2504a314193f060addbaf0dfcee7414

Download Submit
\Windows\SysWOW64\rundll16.exe

Filesize
40KB

MD5
d936d5e35a919168f13ce0ca617e5c36

SHA1
8124e44ecd5838dd5f65c88958f77eb2e7f6d2c2

SHA256
1cb7b32879a93fd2f27fd94d379bdbbbf393af08fb990423685f8ee42d6b5e41

SHA512
ddc55dee1e24759ef840406f3b382708208e7f663ed18c78d82e13ef6e5b97d0acdb1d21b92755e77452d336d1d446cbb2504a314193f060addbaf0dfcee7414

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads