lgoogloader | 5a6fcd8d7424e809ecba56916e4481fa47b86cd4f5e75248caee1028ff4b955c

Analysis

max time kernel
87s
max time network
90s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2023, 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b938ebdcbd1816155cdae3f5c344edc.exe
Size

101KB
MD5

6b938ebdcbd1816155cdae3f5c344edc
SHA1

703a0c0366f22cc4a226edbbb7e6b548e70bd116
SHA256

5a6fcd8d7424e809ecba56916e4481fa47b86cd4f5e75248caee1028ff4b955c
SHA512

f53202bcca4f30805634f1f8de6b6f9089bc2e18fca453ffab85f3351fcc343962774caac6abeb053c781c6e1740a860fff538a86fc1e8487d408242d6c73acb
SSDEEP

3072:KdhJVZbIUqVA1kLOnf9LGQGkyNgAJ9pZ+Gu:fn94tjtAJ9pZc

Score

10^/10

lgoogloader downloader persistence

Malware Config

Signatures

Detects LgoogLoader payload 1 IoCs

resource	yara_rule
behavioral2/memory/1284-146-0x0000000001320000-0x000000000132D000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	6b938ebdcbd1816155cdae3f5c344edc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1436 set thread context of 1284	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	105

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	6b938ebdcbd1816155cdae3f5c344edc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	6b938ebdcbd1816155cdae3f5c344edc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	6b938ebdcbd1816155cdae3f5c344edc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	6b938ebdcbd1816155cdae3f5c344edc.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe
1436	6b938ebdcbd1816155cdae3f5c344edc.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1436	6b938ebdcbd1816155cdae3f5c344edc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1436	6b938ebdcbd1816155cdae3f5c344edc.exe
Token: SeDebugPrivilege	1436	6b938ebdcbd1816155cdae3f5c344edc.exe
Token: SeLoadDriverPrivilege	1436	6b938ebdcbd1816155cdae3f5c344edc.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 3804	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	80
PID 1436 wrote to memory of 3804	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	80
PID 1436 wrote to memory of 3372	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	81
PID 1436 wrote to memory of 3372	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	81
PID 1436 wrote to memory of 4308	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	82
PID 1436 wrote to memory of 4308	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	82
PID 1436 wrote to memory of 4288	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	83
PID 1436 wrote to memory of 4288	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	83
PID 1436 wrote to memory of 4332	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	84
PID 1436 wrote to memory of 4332	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	84
PID 1436 wrote to memory of 4320	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	85
PID 1436 wrote to memory of 4320	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	85
PID 1436 wrote to memory of 5100	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	86
PID 1436 wrote to memory of 5100	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	86
PID 1436 wrote to memory of 4596	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	87
PID 1436 wrote to memory of 4596	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	87
PID 1436 wrote to memory of 3968	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	88
PID 1436 wrote to memory of 3968	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	88
PID 1436 wrote to memory of 1508	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	89
PID 1436 wrote to memory of 1508	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	89
PID 1436 wrote to memory of 1508	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	89
PID 1436 wrote to memory of 1500	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	90
PID 1436 wrote to memory of 1500	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	90
PID 1436 wrote to memory of 3580	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	91
PID 1436 wrote to memory of 3580	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	91
PID 1436 wrote to memory of 1288	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	92
PID 1436 wrote to memory of 1288	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	92
PID 1436 wrote to memory of 2184	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	93
PID 1436 wrote to memory of 2184	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	93
PID 1436 wrote to memory of 4216	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	94
PID 1436 wrote to memory of 4216	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	94
PID 1436 wrote to memory of 1528	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	95
PID 1436 wrote to memory of 1528	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	95
PID 1436 wrote to memory of 4980	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	96
PID 1436 wrote to memory of 4980	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	96
PID 1436 wrote to memory of 708	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	98
PID 1436 wrote to memory of 708	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	98
PID 1436 wrote to memory of 3468	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	99
PID 1436 wrote to memory of 3468	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	99
PID 1436 wrote to memory of 3364	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	100
PID 1436 wrote to memory of 3364	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	100
PID 1436 wrote to memory of 4592	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	101
PID 1436 wrote to memory of 4592	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	101
PID 1436 wrote to memory of 1176	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	102
PID 1436 wrote to memory of 1176	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	102
PID 1436 wrote to memory of 1692	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	103
PID 1436 wrote to memory of 1692	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	103
PID 1436 wrote to memory of 4228	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	104
PID 1436 wrote to memory of 4228	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	104
PID 1436 wrote to memory of 1284	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	105
PID 1436 wrote to memory of 1284	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	105
PID 1436 wrote to memory of 1284	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	105
PID 1436 wrote to memory of 1284	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	105
PID 1436 wrote to memory of 1284	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	105
PID 1436 wrote to memory of 1284	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	105
PID 1436 wrote to memory of 1284	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	105
PID 1436 wrote to memory of 1284	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	105
PID 1436 wrote to memory of 1284	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	105
PID 1436 wrote to memory of 1284	1436	6b938ebdcbd1816155cdae3f5c344edc.exe	105

C:\Users\Admin\AppData\Local\Temp\6b938ebdcbd1816155cdae3f5c344edc.exe
"C:\Users\Admin\AppData\Local\Temp\6b938ebdcbd1816155cdae3f5c344edc.exe"
1⤵
- Sets service image path in registry
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:3804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
  2⤵
  PID:3372
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
  2⤵
  PID:4308
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
  2⤵
  PID:4288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
  2⤵
  PID:4332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
  2⤵
  PID:4320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
  2⤵
  PID:5100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
  2⤵
  PID:4596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
  2⤵
  PID:1508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
  2⤵
  PID:1500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
  2⤵
  PID:3580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
  2⤵
  PID:1288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
  2⤵
  PID:2184
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
  2⤵
  PID:4216
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
  2⤵
  PID:4980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
  2⤵
  PID:708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:3468
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
  2⤵
  PID:3364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
  2⤵
  PID:4592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  PID:1176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:1692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:4228
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1284-141-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1284-143-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1284-144-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1284-145-0x0000000001300000-0x0000000001309000-memory.dmp

Filesize
36KB

Download
memory/1284-146-0x0000000001320000-0x000000000132D000-memory.dmp

Filesize
52KB

Download
memory/1436-133-0x0000020CBC620000-0x0000020CBC63C000-memory.dmp

Filesize
112KB

Download
memory/1436-136-0x0000020CD6D70000-0x0000020CD6D80000-memory.dmp

Filesize
64KB

Download
memory/1436-139-0x0000020CD75B0000-0x0000020CD7AD8000-memory.dmp

Filesize
5.2MB

Download