781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d

Analysis

max time kernel
263s
max time network
366s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
Size

188KB
MD5

37da63d529cca1505beb495f8cc250be
SHA1

7078c28f64d7769e44e85f02af6c2325ae783f14
SHA256

781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d
SHA512

f61a469720330f2da09449e4bae56309e5d816cb51931eb4688c54372ed2ccc59cc61c6155fbdf433701631fdab3591cc1a1b14ea388e07000c3dd5181eeb730
SSDEEP

3072:ADSqXYMdCrz72fm+0MSXAonqZ5kOrhWIj5MlUlhrj20Tb8v/Dl5:jsYMdGYhCqZ5nBP7qL/DP

Score

9^/10

discovery persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 18 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b00000001233d-54.dat	acprotect
behavioral1/files/0x0008000000012731-59.dat	acprotect
behavioral1/files/0x00080000000130f3-60.dat	acprotect
behavioral1/files/0x00070000000131aa-76.dat	acprotect
behavioral1/files/0x00070000000132f4-82.dat	acprotect
behavioral1/files/0x000700000001313d-84.dat	acprotect
behavioral1/files/0x000700000001330d-86.dat	acprotect
behavioral1/files/0x00070000000133ac-87.dat	acprotect
behavioral1/files/0x0007000000013482-89.dat	acprotect
behavioral1/files/0x00070000000133e2-88.dat	acprotect
behavioral1/files/0x00070000000133f2-90.dat	acprotect
behavioral1/files/0x00070000000134e4-120.dat	acprotect
behavioral1/files/0x00070000000139ee-121.dat	acprotect
behavioral1/files/0x00070000000136d5-122.dat	acprotect
behavioral1/files/0x0007000000013a02-142.dat	acprotect
behavioral1/files/0x0007000000013a1e-143.dat	acprotect
behavioral1/files/0x0007000000013a0e-144.dat	acprotect
behavioral1/files/0x0007000000013a52-145.dat	acprotect

Loads dropped DLL 18 IoCs

pid	Process
1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
5584	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
5596	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
5760	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
5772	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
5748	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
5784	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
5800	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
5860	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
5876	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
5868	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
6112	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
6092	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
6104	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
5616	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
5692	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
1968	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
5596	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avserve2.exe = "C:\\Windows\\avserve2.exe"	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\avserve2.exe	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
File opened for modification	C:\Windows\avserve2.exe	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
5596	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
5584	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
5760	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
5772	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
5748	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
5784	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
5800	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
5868	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
5860	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
5876	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
6112	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
6092	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
6104	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
5616	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
1968	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
5596	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
5692	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 5584	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	28
PID 1348 wrote to memory of 5584	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	28
PID 1348 wrote to memory of 5584	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	28
PID 1348 wrote to memory of 5584	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	28
PID 1348 wrote to memory of 5596	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	29
PID 1348 wrote to memory of 5596	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	29
PID 1348 wrote to memory of 5596	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	29
PID 1348 wrote to memory of 5596	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	29
PID 1348 wrote to memory of 5748	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	33
PID 1348 wrote to memory of 5748	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	33
PID 1348 wrote to memory of 5748	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	33
PID 1348 wrote to memory of 5748	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	33
PID 1348 wrote to memory of 5760	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	32
PID 1348 wrote to memory of 5760	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	32
PID 1348 wrote to memory of 5760	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	32
PID 1348 wrote to memory of 5760	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	32
PID 1348 wrote to memory of 5772	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	31
PID 1348 wrote to memory of 5772	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	31
PID 1348 wrote to memory of 5772	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	31
PID 1348 wrote to memory of 5772	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	31
PID 1348 wrote to memory of 5784	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	30
PID 1348 wrote to memory of 5784	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	30
PID 1348 wrote to memory of 5784	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	30
PID 1348 wrote to memory of 5784	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	30
PID 1348 wrote to memory of 5800	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	34
PID 1348 wrote to memory of 5800	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	34
PID 1348 wrote to memory of 5800	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	34
PID 1348 wrote to memory of 5800	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	34
PID 1348 wrote to memory of 5876	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	37
PID 1348 wrote to memory of 5876	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	37
PID 1348 wrote to memory of 5876	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	37
PID 1348 wrote to memory of 5876	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	37
PID 1348 wrote to memory of 5860	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	36
PID 1348 wrote to memory of 5860	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	36
PID 1348 wrote to memory of 5860	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	36
PID 1348 wrote to memory of 5860	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	36
PID 1348 wrote to memory of 5868	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	35
PID 1348 wrote to memory of 5868	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	35
PID 1348 wrote to memory of 5868	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	35
PID 1348 wrote to memory of 5868	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	35
PID 1348 wrote to memory of 6112	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	39
PID 1348 wrote to memory of 6112	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	39
PID 1348 wrote to memory of 6112	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	39
PID 1348 wrote to memory of 6112	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	39
PID 1348 wrote to memory of 6104	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	40
PID 1348 wrote to memory of 6104	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	40
PID 1348 wrote to memory of 6104	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	40
PID 1348 wrote to memory of 6104	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	40
PID 1348 wrote to memory of 6092	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	38
PID 1348 wrote to memory of 6092	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	38
PID 1348 wrote to memory of 6092	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	38
PID 1348 wrote to memory of 6092	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	38
PID 1348 wrote to memory of 5596	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	44
PID 1348 wrote to memory of 5596	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	44
PID 1348 wrote to memory of 5596	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	44
PID 1348 wrote to memory of 5596	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	44
PID 1348 wrote to memory of 5616	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	41
PID 1348 wrote to memory of 5616	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	41
PID 1348 wrote to memory of 5616	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	41
PID 1348 wrote to memory of 5616	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	41
PID 1348 wrote to memory of 5692	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	43
PID 1348 wrote to memory of 5692	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	43
PID 1348 wrote to memory of 5692	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	43
PID 1348 wrote to memory of 5692	1348	781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe	43

C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
"C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
  C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe 127.80.89.235
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:5584
- C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
  C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe 127.134.111.136
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:5596
- C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
  C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe 127.4.243.158
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:5784
- C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
  C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe 127.51.169.113
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:5772
- C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
  C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe 172.65.121.18
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:5760
- C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
  C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe 127.141.138.67
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:5748
- C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
  C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe 191.61.214.178
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:5800
- C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
  C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe 127.6.117.239
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:5868
- C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
  C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe 38.63.69.106
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:5860
- C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
  C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe 202.221.199.58
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:5876
- C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
  C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe 127.95.147.0
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:6092
- C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
  C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe 127.112.137.4
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:6112
- C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
  C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe 127.48.88.112
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:6104
- C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
  C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe 127.177.98.172
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:5616
- C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
  C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe 127.156.85.136
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1968
- C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
  C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe 92.88.59.205
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:5692
- C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe
  C:\Users\Admin\AppData\Local\Temp\781aa59da093cd6fa60179aba5022b8a17f6f38f696d025a7b2093d62bd8634d.exe 127.167.210.26
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:5596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\cal11B.tmp

Filesize
172KB

MD5
d56644e70b4d968c755988e9c23750e1

SHA1
af29877e20055436512be6c615f4ca8a5cb129ac

SHA256
ff25f1e04c87400d9b25c82f15c5f93d76199d3949b73b29a82123ea0fb3a957

SHA512
ee722c3111745fc73a57151059a9c95fae71f5e604cd204f5e2cb44b5dd9084a292c9ef021a06785a735b553362fabe0c8835962f7feba048a3ddde07df93cb6

Download Submit
\Users\Admin\AppData\Local\Temp\dpl9925.tmp

Filesize
172KB

MD5
d56644e70b4d968c755988e9c23750e1

SHA1
af29877e20055436512be6c615f4ca8a5cb129ac

SHA256
ff25f1e04c87400d9b25c82f15c5f93d76199d3949b73b29a82123ea0fb3a957

SHA512
ee722c3111745fc73a57151059a9c95fae71f5e604cd204f5e2cb44b5dd9084a292c9ef021a06785a735b553362fabe0c8835962f7feba048a3ddde07df93cb6

Download Submit
\Users\Admin\AppData\Local\Temp\khl4F69.tmp

Filesize
172KB

MD5
d56644e70b4d968c755988e9c23750e1

SHA1
af29877e20055436512be6c615f4ca8a5cb129ac

SHA256
ff25f1e04c87400d9b25c82f15c5f93d76199d3949b73b29a82123ea0fb3a957

SHA512
ee722c3111745fc73a57151059a9c95fae71f5e604cd204f5e2cb44b5dd9084a292c9ef021a06785a735b553362fabe0c8835962f7feba048a3ddde07df93cb6

Download Submit
\Users\Admin\AppData\Local\Temp\khl4F78.tmp

Filesize
172KB

MD5
d56644e70b4d968c755988e9c23750e1

SHA1
af29877e20055436512be6c615f4ca8a5cb129ac

SHA256
ff25f1e04c87400d9b25c82f15c5f93d76199d3949b73b29a82123ea0fb3a957

SHA512
ee722c3111745fc73a57151059a9c95fae71f5e604cd204f5e2cb44b5dd9084a292c9ef021a06785a735b553362fabe0c8835962f7feba048a3ddde07df93cb6

Download Submit
\Users\Admin\AppData\Local\Temp\lwlE071.tmp

Filesize
172KB

MD5
d56644e70b4d968c755988e9c23750e1

SHA1
af29877e20055436512be6c615f4ca8a5cb129ac

SHA256
ff25f1e04c87400d9b25c82f15c5f93d76199d3949b73b29a82123ea0fb3a957

SHA512
ee722c3111745fc73a57151059a9c95fae71f5e604cd204f5e2cb44b5dd9084a292c9ef021a06785a735b553362fabe0c8835962f7feba048a3ddde07df93cb6

Download Submit
\Users\Admin\AppData\Local\Temp\lwlFE9B.tmp

Filesize
172KB

MD5
d56644e70b4d968c755988e9c23750e1

SHA1
af29877e20055436512be6c615f4ca8a5cb129ac

SHA256
ff25f1e04c87400d9b25c82f15c5f93d76199d3949b73b29a82123ea0fb3a957

SHA512
ee722c3111745fc73a57151059a9c95fae71f5e604cd204f5e2cb44b5dd9084a292c9ef021a06785a735b553362fabe0c8835962f7feba048a3ddde07df93cb6

Download Submit
\Users\Admin\AppData\Local\Temp\mel2981.tmp

Filesize
172KB

MD5
d56644e70b4d968c755988e9c23750e1

SHA1
af29877e20055436512be6c615f4ca8a5cb129ac

SHA256
ff25f1e04c87400d9b25c82f15c5f93d76199d3949b73b29a82123ea0fb3a957

SHA512
ee722c3111745fc73a57151059a9c95fae71f5e604cd204f5e2cb44b5dd9084a292c9ef021a06785a735b553362fabe0c8835962f7feba048a3ddde07df93cb6

Download Submit
\Users\Admin\AppData\Local\Temp\mel3035.tmp

Filesize
172KB

MD5
d56644e70b4d968c755988e9c23750e1

SHA1
af29877e20055436512be6c615f4ca8a5cb129ac

SHA256
ff25f1e04c87400d9b25c82f15c5f93d76199d3949b73b29a82123ea0fb3a957

SHA512
ee722c3111745fc73a57151059a9c95fae71f5e604cd204f5e2cb44b5dd9084a292c9ef021a06785a735b553362fabe0c8835962f7feba048a3ddde07df93cb6

Download Submit
\Users\Admin\AppData\Local\Temp\mhl4F78.tmp

Filesize
172KB

MD5
d56644e70b4d968c755988e9c23750e1

SHA1
af29877e20055436512be6c615f4ca8a5cb129ac

SHA256
ff25f1e04c87400d9b25c82f15c5f93d76199d3949b73b29a82123ea0fb3a957

SHA512
ee722c3111745fc73a57151059a9c95fae71f5e604cd204f5e2cb44b5dd9084a292c9ef021a06785a735b553362fabe0c8835962f7feba048a3ddde07df93cb6

Download Submit
\Users\Admin\AppData\Local\Temp\mhl4F79.tmp

Filesize
172KB

MD5
d56644e70b4d968c755988e9c23750e1

SHA1
af29877e20055436512be6c615f4ca8a5cb129ac

SHA256
ff25f1e04c87400d9b25c82f15c5f93d76199d3949b73b29a82123ea0fb3a957

SHA512
ee722c3111745fc73a57151059a9c95fae71f5e604cd204f5e2cb44b5dd9084a292c9ef021a06785a735b553362fabe0c8835962f7feba048a3ddde07df93cb6

Download Submit
\Users\Admin\AppData\Local\Temp\oel3035.tmp

Filesize
172KB

MD5
d56644e70b4d968c755988e9c23750e1

SHA1
af29877e20055436512be6c615f4ca8a5cb129ac

SHA256
ff25f1e04c87400d9b25c82f15c5f93d76199d3949b73b29a82123ea0fb3a957

SHA512
ee722c3111745fc73a57151059a9c95fae71f5e604cd204f5e2cb44b5dd9084a292c9ef021a06785a735b553362fabe0c8835962f7feba048a3ddde07df93cb6

Download Submit
\Users\Admin\AppData\Local\Temp\tpl99C1.tmp

Filesize
172KB

MD5
d56644e70b4d968c755988e9c23750e1

SHA1
af29877e20055436512be6c615f4ca8a5cb129ac

SHA256
ff25f1e04c87400d9b25c82f15c5f93d76199d3949b73b29a82123ea0fb3a957

SHA512
ee722c3111745fc73a57151059a9c95fae71f5e604cd204f5e2cb44b5dd9084a292c9ef021a06785a735b553362fabe0c8835962f7feba048a3ddde07df93cb6

Download Submit
\Users\Admin\AppData\Local\Temp\uslBAC8.tmp

Filesize
172KB

MD5
d56644e70b4d968c755988e9c23750e1

SHA1
af29877e20055436512be6c615f4ca8a5cb129ac

SHA256
ff25f1e04c87400d9b25c82f15c5f93d76199d3949b73b29a82123ea0fb3a957

SHA512
ee722c3111745fc73a57151059a9c95fae71f5e604cd204f5e2cb44b5dd9084a292c9ef021a06785a735b553362fabe0c8835962f7feba048a3ddde07df93cb6

Download Submit
\Users\Admin\AppData\Local\Temp\vfl37D3.tmp

Filesize
172KB

MD5
d56644e70b4d968c755988e9c23750e1

SHA1
af29877e20055436512be6c615f4ca8a5cb129ac

SHA256
ff25f1e04c87400d9b25c82f15c5f93d76199d3949b73b29a82123ea0fb3a957

SHA512
ee722c3111745fc73a57151059a9c95fae71f5e604cd204f5e2cb44b5dd9084a292c9ef021a06785a735b553362fabe0c8835962f7feba048a3ddde07df93cb6

Download Submit
\Users\Admin\AppData\Local\Temp\xblFE9.tmp

Filesize
172KB

MD5
d56644e70b4d968c755988e9c23750e1

SHA1
af29877e20055436512be6c615f4ca8a5cb129ac

SHA256
ff25f1e04c87400d9b25c82f15c5f93d76199d3949b73b29a82123ea0fb3a957

SHA512
ee722c3111745fc73a57151059a9c95fae71f5e604cd204f5e2cb44b5dd9084a292c9ef021a06785a735b553362fabe0c8835962f7feba048a3ddde07df93cb6

Download Submit
\Users\Admin\AppData\Local\Temp\ybl2EFD.tmp

Filesize
172KB

MD5
d56644e70b4d968c755988e9c23750e1

SHA1
af29877e20055436512be6c615f4ca8a5cb129ac

SHA256
ff25f1e04c87400d9b25c82f15c5f93d76199d3949b73b29a82123ea0fb3a957

SHA512
ee722c3111745fc73a57151059a9c95fae71f5e604cd204f5e2cb44b5dd9084a292c9ef021a06785a735b553362fabe0c8835962f7feba048a3ddde07df93cb6

Download Submit
\Users\Admin\AppData\Local\Temp\yylF3F1.tmp

Filesize
172KB

MD5
d56644e70b4d968c755988e9c23750e1

SHA1
af29877e20055436512be6c615f4ca8a5cb129ac

SHA256
ff25f1e04c87400d9b25c82f15c5f93d76199d3949b73b29a82123ea0fb3a957

SHA512
ee722c3111745fc73a57151059a9c95fae71f5e604cd204f5e2cb44b5dd9084a292c9ef021a06785a735b553362fabe0c8835962f7feba048a3ddde07df93cb6

Download Submit
\Users\Admin\AppData\Local\Temp\yylFE9.tmp

Filesize
172KB

MD5
d56644e70b4d968c755988e9c23750e1

SHA1
af29877e20055436512be6c615f4ca8a5cb129ac

SHA256
ff25f1e04c87400d9b25c82f15c5f93d76199d3949b73b29a82123ea0fb3a957

SHA512
ee722c3111745fc73a57151059a9c95fae71f5e604cd204f5e2cb44b5dd9084a292c9ef021a06785a735b553362fabe0c8835962f7feba048a3ddde07df93cb6

Download Submit
memory/1348-140-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1348-63-0x00000000002B0000-0x00000000002CB000-memory.dmp

Filesize
108KB

Download
memory/1348-55-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1348-75-0x00000000002B0000-0x00000000002CB000-memory.dmp

Filesize
108KB

Download
memory/1348-56-0x0000000000220000-0x0000000000293000-memory.dmp

Filesize
460KB

Download
memory/1348-133-0x00000000002B0000-0x00000000002CB000-memory.dmp

Filesize
108KB

Download
memory/1348-141-0x0000000000220000-0x0000000000293000-memory.dmp

Filesize
460KB

Download
memory/1348-61-0x00000000002B0000-0x00000000002CB000-memory.dmp

Filesize
108KB

Download
memory/1348-130-0x00000000002B0000-0x00000000002CB000-memory.dmp

Filesize
108KB

Download
memory/1348-94-0x00000000003E0000-0x00000000003FB000-memory.dmp

Filesize
108KB

Download
memory/1348-93-0x00000000002B0000-0x00000000002CB000-memory.dmp

Filesize
108KB

Download
memory/1348-132-0x00000000002B0000-0x00000000002CB000-memory.dmp

Filesize
108KB

Download
memory/1348-131-0x00000000002B0000-0x00000000002CB000-memory.dmp

Filesize
108KB

Download
memory/1968-148-0x00000000002E0000-0x0000000000353000-memory.dmp

Filesize
460KB

Download
memory/5584-69-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5584-70-0x0000000000300000-0x0000000000373000-memory.dmp

Filesize
460KB

Download
memory/5584-65-0x0000000000300000-0x0000000000373000-memory.dmp

Filesize
460KB

Download
memory/5584-62-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5596-150-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5596-151-0x0000000000310000-0x0000000000383000-memory.dmp

Filesize
460KB

Download
memory/5596-64-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5596-66-0x00000000002E0000-0x0000000000353000-memory.dmp

Filesize
460KB

Download
memory/5596-67-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5596-68-0x00000000002E0000-0x0000000000353000-memory.dmp

Filesize
460KB

Download
memory/5596-149-0x0000000000310000-0x0000000000383000-memory.dmp

Filesize
460KB

Download
memory/5616-146-0x0000000000510000-0x0000000000583000-memory.dmp

Filesize
460KB

Download
memory/5616-152-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5692-147-0x00000000002F0000-0x0000000000363000-memory.dmp

Filesize
460KB

Download
memory/5748-110-0x00000000002B0000-0x0000000000323000-memory.dmp

Filesize
460KB

Download
memory/5748-91-0x00000000002B0000-0x0000000000323000-memory.dmp

Filesize
460KB

Download
memory/5748-112-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5760-77-0x0000000000350000-0x00000000003C3000-memory.dmp

Filesize
460KB

Download
memory/5760-83-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5760-85-0x0000000000350000-0x00000000003C3000-memory.dmp

Filesize
460KB

Download
memory/5772-98-0x0000000000220000-0x0000000000293000-memory.dmp

Filesize
460KB

Download
memory/5772-107-0x0000000000220000-0x0000000000293000-memory.dmp

Filesize
460KB

Download
memory/5772-106-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5784-92-0x0000000000490000-0x0000000000503000-memory.dmp

Filesize
460KB

Download
memory/5784-111-0x0000000000490000-0x0000000000503000-memory.dmp

Filesize
460KB

Download
memory/5784-109-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5800-99-0x00000000002F0000-0x0000000000363000-memory.dmp

Filesize
460KB

Download
memory/5800-104-0x00000000002F0000-0x0000000000363000-memory.dmp

Filesize
460KB

Download
memory/5800-103-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5860-100-0x00000000002B0000-0x0000000000323000-memory.dmp

Filesize
460KB

Download
memory/5860-96-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5860-114-0x00000000002B0000-0x0000000000323000-memory.dmp

Filesize
460KB

Download
memory/5860-113-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5868-97-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5868-105-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5868-102-0x0000000000490000-0x0000000000503000-memory.dmp

Filesize
460KB

Download
memory/5868-108-0x0000000000490000-0x0000000000503000-memory.dmp

Filesize
460KB

Download
memory/5876-101-0x0000000000420000-0x0000000000493000-memory.dmp

Filesize
460KB

Download
memory/5876-95-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5876-116-0x0000000000420000-0x0000000000493000-memory.dmp

Filesize
460KB

Download
memory/5876-115-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/6092-128-0x0000000000460000-0x00000000004D3000-memory.dmp

Filesize
460KB

Download
memory/6092-137-0x0000000000460000-0x00000000004D3000-memory.dmp

Filesize
460KB

Download
memory/6092-135-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/6104-134-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/6104-129-0x0000000000310000-0x0000000000383000-memory.dmp

Filesize
460KB

Download
memory/6104-136-0x0000000000310000-0x0000000000383000-memory.dmp

Filesize
460KB

Download
memory/6112-127-0x0000000000220000-0x0000000000293000-memory.dmp

Filesize
460KB

Download
memory/6112-139-0x0000000000220000-0x0000000000293000-memory.dmp

Filesize
460KB

Download
memory/6112-138-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download