8cc6db4b6b198bfe130a4c07babd2831fc159b1fb71c3daa3433b75d24a95fb0

Analysis

max time kernel
175s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cc6db4b6b198bfe130a4c07babd2831fc159b1fb71c3daa3433b75d24a95fb0.exe
Size

96KB
MD5

d20c6603c7df1edbe7c413529f596b6b
SHA1

cb1ed94ec30c81eb6449bb1398ed209d1f157b7b
SHA256

8cc6db4b6b198bfe130a4c07babd2831fc159b1fb71c3daa3433b75d24a95fb0
SHA512

d2e938cefe20ac39906e41c8f105bcdafaf36b7ebd081923e15ba5fe4d211b70bb8fba01422cd94bb73aef8f8a5f886f75957a2ef593a3969f06837e0c99207b
SSDEEP

1536:cOVKb0aEvq2cONTnu3yShqMr+Wu+8v1HTJKqOT5:/VKb0aEvqsTnuphliJTJK5T5

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4712	rundll16.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\systask = "C:\\Windows\\SysWOW64\\rundll16.exe"	rundll16.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll16.exe	8cc6db4b6b198bfe130a4c07babd2831fc159b1fb71c3daa3433b75d24a95fb0.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2140	8cc6db4b6b198bfe130a4c07babd2831fc159b1fb71c3daa3433b75d24a95fb0.exe
4712	rundll16.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 4712	2140	8cc6db4b6b198bfe130a4c07babd2831fc159b1fb71c3daa3433b75d24a95fb0.exe	81
PID 2140 wrote to memory of 4712	2140	8cc6db4b6b198bfe130a4c07babd2831fc159b1fb71c3daa3433b75d24a95fb0.exe	81
PID 2140 wrote to memory of 4712	2140	8cc6db4b6b198bfe130a4c07babd2831fc159b1fb71c3daa3433b75d24a95fb0.exe	81
PID 4712 wrote to memory of 2496	4712	rundll16.exe	83
PID 4712 wrote to memory of 2496	4712	rundll16.exe	83
PID 4712 wrote to memory of 2496	4712	rundll16.exe	83
PID 2496 wrote to memory of 4300	2496	net.exe	85
PID 2496 wrote to memory of 4300	2496	net.exe	85
PID 2496 wrote to memory of 4300	2496	net.exe	85
PID 4712 wrote to memory of 2760	4712	rundll16.exe	86
PID 4712 wrote to memory of 2760	4712	rundll16.exe	86
PID 4712 wrote to memory of 2760	4712	rundll16.exe	86
PID 2760 wrote to memory of 944	2760	net.exe	88
PID 2760 wrote to memory of 944	2760	net.exe	88
PID 2760 wrote to memory of 944	2760	net.exe	88
PID 4712 wrote to memory of 2768	4712	rundll16.exe	89
PID 4712 wrote to memory of 2768	4712	rundll16.exe	89
PID 4712 wrote to memory of 2768	4712	rundll16.exe	89
PID 2768 wrote to memory of 2136	2768	net.exe	91
PID 2768 wrote to memory of 2136	2768	net.exe	91
PID 2768 wrote to memory of 2136	2768	net.exe	91
PID 4712 wrote to memory of 3616	4712	rundll16.exe	92
PID 4712 wrote to memory of 3616	4712	rundll16.exe	92
PID 4712 wrote to memory of 3616	4712	rundll16.exe	92
PID 3616 wrote to memory of 3264	3616	net.exe	94
PID 3616 wrote to memory of 3264	3616	net.exe	94
PID 3616 wrote to memory of 3264	3616	net.exe	94
PID 4712 wrote to memory of 4716	4712	rundll16.exe	95
PID 4712 wrote to memory of 4716	4712	rundll16.exe	95
PID 4712 wrote to memory of 4716	4712	rundll16.exe	95
PID 4716 wrote to memory of 4168	4716	net.exe	97
PID 4716 wrote to memory of 4168	4716	net.exe	97
PID 4716 wrote to memory of 4168	4716	net.exe	97
PID 4712 wrote to memory of 4160	4712	rundll16.exe	98
PID 4712 wrote to memory of 4160	4712	rundll16.exe	98
PID 4712 wrote to memory of 4160	4712	rundll16.exe	98
PID 4160 wrote to memory of 1964	4160	net.exe	100
PID 4160 wrote to memory of 1964	4160	net.exe	100
PID 4160 wrote to memory of 1964	4160	net.exe	100
PID 4712 wrote to memory of 2944	4712	rundll16.exe	101
PID 4712 wrote to memory of 2944	4712	rundll16.exe	101
PID 4712 wrote to memory of 2944	4712	rundll16.exe	101
PID 2944 wrote to memory of 2656	2944	net.exe	103
PID 2944 wrote to memory of 2656	2944	net.exe	103
PID 2944 wrote to memory of 2656	2944	net.exe	103
PID 4712 wrote to memory of 4756	4712	rundll16.exe	104
PID 4712 wrote to memory of 4756	4712	rundll16.exe	104
PID 4712 wrote to memory of 4756	4712	rundll16.exe	104
PID 4756 wrote to memory of 5032	4756	net.exe	106
PID 4756 wrote to memory of 5032	4756	net.exe	106
PID 4756 wrote to memory of 5032	4756	net.exe	106
PID 4712 wrote to memory of 4944	4712	rundll16.exe	107
PID 4712 wrote to memory of 4944	4712	rundll16.exe	107
PID 4712 wrote to memory of 4944	4712	rundll16.exe	107
PID 4944 wrote to memory of 3344	4944	net.exe	109
PID 4944 wrote to memory of 3344	4944	net.exe	109
PID 4944 wrote to memory of 3344	4944	net.exe	109
PID 4712 wrote to memory of 1252	4712	rundll16.exe	110
PID 4712 wrote to memory of 1252	4712	rundll16.exe	110
PID 4712 wrote to memory of 1252	4712	rundll16.exe	110
PID 1252 wrote to memory of 3296	1252	net.exe	112
PID 1252 wrote to memory of 3296	1252	net.exe	112
PID 1252 wrote to memory of 3296	1252	net.exe	112
PID 4712 wrote to memory of 1984	4712	rundll16.exe	113

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Classid = "masterrat666"	8cc6db4b6b198bfe130a4c07babd2831fc159b1fb71c3daa3433b75d24a95fb0.exe

C:\Users\Admin\AppData\Local\Temp\8cc6db4b6b198bfe130a4c07babd2831fc159b1fb71c3daa3433b75d24a95fb0.exe
"C:\Users\Admin\AppData\Local\Temp\8cc6db4b6b198bfe130a4c07babd2831fc159b1fb71c3daa3433b75d24a95fb0.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2140
- C:\Windows\SysWOW64\rundll16.exe
  C:\Windows\system32/rundll16.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4300
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:944
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2136
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3264
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4716
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4168
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1964
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2656
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:5032
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3344
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3296
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1984
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4068
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:2248
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4616
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:2500
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4260
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3652
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1524
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3408
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4796
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:2396
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1336
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3736
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4228
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1352
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2956
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:848
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4892
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3156
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4724
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:2352
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3728
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3236
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4372
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3888
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3904
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3452
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4556
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:2676
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:596
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:2056
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4836
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3836
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2600
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:32
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:792
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3744
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3036
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:748
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2944
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3464
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3384
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3344
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3760
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3456
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4328
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4616
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3804
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4856
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1640
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1856
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1072
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3428
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2436
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:2692
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:5028
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1900
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1456
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1112
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2308
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3948
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:504
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:2892
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3848
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:5000
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2400
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4440
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:800
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4308
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2148
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4636
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2496
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1104
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4216
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:5100
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2152
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1396
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:112
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4220
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3148
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1584
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3240
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4076
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3272
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3588
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3476
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3832
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3760
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4472
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2032
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4104
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3844
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1524
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2880
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3428
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:5028
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4872
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:876
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4488
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4680
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1956
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4892
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1148
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2304
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:2400
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4604
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3908
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4532
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4300
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4120
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4236
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3212
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3680
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3380
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4452
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3092
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3836
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2316
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3700
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2940
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:792
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2964
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:2656
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2944
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1416
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3776
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4844
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1780
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:712
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4928
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4512
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4092
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4616
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2264
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:2972
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2104
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1032
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4796
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1336
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4348
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2868
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:876
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1900
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3932
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4476
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:2020
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2932
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:2408
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4212
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:2144
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1532
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1536
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4440
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4624
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1108
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1188
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2652
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4916
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4120
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3960
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3420
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4840
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4024
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:944
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3612
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4232
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4848
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1628
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4996
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1652
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2740
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3744
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1952
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4756
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3240
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3020
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4036
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4380
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3588
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4952
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3832
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1696
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2592
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1176
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2500
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1072
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2168
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1452
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1528
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:700
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4644
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1900
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4156
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1824
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4664
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2288
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1296
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2552
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4212
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3728
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1532
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2888
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:5060
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2276
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1108
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4700
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:2652
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2580
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3892
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2140
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:2084
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4312
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4936
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4608
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1576
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4084
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1608
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4976
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4764
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1624
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3896
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2220
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:3992
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:32
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:792
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2388
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1800
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:512
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4484
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3052
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:2028
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2272
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:484
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1252
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1696
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4856
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4780
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1032
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4280
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:5040
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1524
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:1136
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1044
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:700
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1232
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:4316
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:2344
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3428
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:2744
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:2164
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1844
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3840
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:1112
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:600
- - C:\Windows\SysWOW64\net.exe
    net stop "mcshield"
    3⤵
    PID:4060
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "mcshield"
      4⤵
      PID:3276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll16.exe

Filesize
40KB

MD5
d936d5e35a919168f13ce0ca617e5c36

SHA1
8124e44ecd5838dd5f65c88958f77eb2e7f6d2c2

SHA256
1cb7b32879a93fd2f27fd94d379bdbbbf393af08fb990423685f8ee42d6b5e41

SHA512
ddc55dee1e24759ef840406f3b382708208e7f663ed18c78d82e13ef6e5b97d0acdb1d21b92755e77452d336d1d446cbb2504a314193f060addbaf0dfcee7414

Download Submit
C:\Windows\SysWOW64\rundll16.exe

Filesize
40KB

MD5
d936d5e35a919168f13ce0ca617e5c36

SHA1
8124e44ecd5838dd5f65c88958f77eb2e7f6d2c2

SHA256
1cb7b32879a93fd2f27fd94d379bdbbbf393af08fb990423685f8ee42d6b5e41

SHA512
ddc55dee1e24759ef840406f3b382708208e7f663ed18c78d82e13ef6e5b97d0acdb1d21b92755e77452d336d1d446cbb2504a314193f060addbaf0dfcee7414

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads