d433cd0ba6b6850a9f616b3b89754a005699547d4e04fadb75cade770156cfd1

Resubmissions

14/02/2025, 03:19

250214-dt85hazpgj 8

15/07/2024, 12:22

14/07/2024, 17:11

14/07/2024, 17:07

14/07/2024, 16:55

01/05/2024, 09:05

24/03/2023, 19:33

Analysis

max time kernel
319s
max time network
321s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
14/07/2024, 16:55

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Replace.exe
Size

34.8MB
MD5

fd5cd14325c51ecab6a57d1d665f8852
SHA1

ea16aa0f197210437733c63a42a8f1dd6442d753
SHA256

d433cd0ba6b6850a9f616b3b89754a005699547d4e04fadb75cade770156cfd1
SHA512

9a2e4c8baa01fbafe6968905daeb8d3b7eb62c09d1d7584e973ad1c23d964093e161a51a7390dfaa598d2657f45ca17bf00b5055aeaf0441f875ddb364741d71
SSDEEP

786432:i9hj60qHOBbQcVM3sct6C2ubdsUeGXV4yQnb+LQgRkrm12PYfrB:i9kH+o5sG2ysbhrmka

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
4	2404	rundll32.exe
25	3580	rundll32.exe
26	2040	rundll32.exe
27	2092	rundll32.exe
33	3976	rundll32.exe

Executes dropped EXE 18 IoCs

pid	Process
4268	run.exe
1648	run.exe
1476	run.exe
1460	run.exe
3988	run.exe
4940	run.exe
2172	run.exe
1740	run.exe
2500	run.exe
3544	run.exe
4668	run.exe
2800	run.exe
4224	run.exe
1444	run.exe
4248	run.exe
232	run.exe
2808	run.exe
4560	run.exe

Loads dropped DLL 18 IoCs

pid	Process
2404	rundll32.exe
3580	rundll32.exe
2040	rundll32.exe
2092	rundll32.exe
3976	rundll32.exe
2356	rundll32.exe
2684	rundll32.exe
3468	rundll32.exe
4304	rundll32.exe
5020	rundll32.exe
4908	rundll32.exe
1512	rundll32.exe
1708	rundll32.exe
5028	rundll32.exe
616	rundll32.exe
440	rundll32.exe
2712	rundll32.exe
4060	rundll32.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cleaninethelper = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wsc7F1F.tmp\",Start verpostfix=bt"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cleaninethelper = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wscFA99.tmp\",Start verpostfix=bt"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cleaninethelper = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wsc32CE.tmp\",Start verpostfix=bt"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cleaninethelper = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wscF68B.tmp\",Start verpostfix=bt"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cleaninethelper = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wsc310F.tmp\",Start verpostfix=bt"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cleaninethelper = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wsc304D.tmp\",Start verpostfix=bt"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cleaninethelper = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wsc8BF5.tmp\",Start verpostfix=bt"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cleaninethelper = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wscE45.tmp\",Start verpostfix=bt"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cleaninethelper = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wsc7D20.tmp\",Start verpostfix=bt"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cleaninethelper = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wsc6C62.tmp\",Start verpostfix=bt"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cleaninethelper = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wsc90C6.tmp\",Start verpostfix=bt"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cleaninethelper = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wsc78EF.tmp\",Start verpostfix=bt"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cleaninethelper = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wsc4FD7.tmp\",Start verpostfix=bt"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cleaninethelper = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wscD0E3.tmp\",Start verpostfix=bt"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cleaninethelper = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wscAB64.tmp\",Start verpostfix=bt"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cleaninethelper = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wsc2522.tmp\",Start verpostfix=bt"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cleaninethelper = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wsc424F.tmp\",Start verpostfix=bt"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cleaninethelper = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wsc619E.tmp\",Start verpostfix=bt"	rundll32.exe

Drops file in Program Files directory 59 IoCs

description	ioc	Process
File created	C:\Program Files\Image-Line\FL Studio 20\__tmp_rar_sfx_access_check_240620625	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FL64.exe	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FL64.exe	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FL64.exe	run.exe
File created	C:\Program Files\Image-Line\FL Studio 20\__tmp_rar_sfx_access_check_240877750	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FL64.exe	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FL64.exe	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FL64.exe	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FL64.exe	run.exe
File created	C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FL64.exe	run.exe
File created	C:\Program Files\Image-Line\FL Studio 20\__tmp_rar_sfx_access_check_240727703	run.exe
File created	C:\Program Files\Image-Line\FL Studio 20\__tmp_rar_sfx_access_check_240745062	run.exe
File created	C:\Program Files\Image-Line\FL Studio 20\__tmp_rar_sfx_access_check_240769109	run.exe
File opened for modification	C:\Program Files\Image-Line	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FL64.exe	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FL64.exe	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll	run.exe
File created	C:\Program Files\Image-Line\FL Studio 20\__tmp_rar_sfx_access_check_240740234	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll	run.exe
File created	C:\Program Files\Image-Line\FL Studio 20\__tmp_rar_sfx_access_check_240857734	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll	run.exe
File created	C:\Program Files\Image-Line\FL Studio 20\__tmp_rar_sfx_access_check_240800234	run.exe
File created	C:\Program Files\Image-Line\FL Studio 20\__tmp_rar_sfx_access_check_240848828	run.exe
File created	C:\Program Files\Image-Line\FL Studio 20\__tmp_rar_sfx_access_check_240872906	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FL64.exe	run.exe
File created	C:\Program Files\Image-Line\FL Studio 20\__tmp_rar_sfx_access_check_240736890	run.exe
File created	C:\Program Files\Image-Line\FL Studio 20\__tmp_rar_sfx_access_check_240812359	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FL64.exe	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FL64.exe	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FL64.exe	run.exe
File created	C:\Program Files\Image-Line\FL Studio 20\__tmp_rar_sfx_access_check_240909359	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll	run.exe
File created	C:\Program Files\Image-Line\FL Studio 20\__tmp_rar_sfx_access_check_240777218	run.exe
File created	C:\Program Files\Image-Line\FL Studio 20\__tmp_rar_sfx_access_check_240823531	run.exe
File created	C:\Program Files\Image-Line\FL Studio 20\FL64.exe	run.exe
File created	C:\Program Files\Image-Line\FL Studio 20\__tmp_rar_sfx_access_check_240724968	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FL64.exe	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FL64.exe	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FL64.exe	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FL64.exe	run.exe
File created	C:\Program Files\Image-Line\FL Studio 20\__tmp_rar_sfx_access_check_240815453	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll	run.exe
File created	C:\Program Files\Image-Line\FL Studio 20\__tmp_rar_sfx_access_check_240726890	run.exe
File created	C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll	run.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "198"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2404	rundll32.exe
2404	rundll32.exe
3580	rundll32.exe
3580	rundll32.exe
2040	rundll32.exe
2040	rundll32.exe
2092	rundll32.exe
2092	rundll32.exe
3976	rundll32.exe
3976	rundll32.exe
2356	rundll32.exe
2356	rundll32.exe
2684	rundll32.exe
2684	rundll32.exe
3468	rundll32.exe
3468	rundll32.exe
4304	rundll32.exe
4304	rundll32.exe
5020	rundll32.exe
5020	rundll32.exe
4908	rundll32.exe
4908	rundll32.exe
1512	rundll32.exe
1512	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
5028	rundll32.exe
5028	rundll32.exe
616	rundll32.exe
616	rundll32.exe
440	rundll32.exe
440	rundll32.exe
2712	rundll32.exe
2712	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3124	LogonUI.exe
3124	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 2404	4144	Replace.exe	79
PID 4144 wrote to memory of 2404	4144	Replace.exe	79
PID 4144 wrote to memory of 2404	4144	Replace.exe	79
PID 4144 wrote to memory of 4268	4144	Replace.exe	80
PID 4144 wrote to memory of 4268	4144	Replace.exe	80
PID 1124 wrote to memory of 3580	1124	Replace.exe	104
PID 1124 wrote to memory of 3580	1124	Replace.exe	104
PID 1124 wrote to memory of 3580	1124	Replace.exe	104
PID 1124 wrote to memory of 1648	1124	Replace.exe	105
PID 1124 wrote to memory of 1648	1124	Replace.exe	105
PID 2496 wrote to memory of 2040	2496	Replace.exe	107
PID 2496 wrote to memory of 2040	2496	Replace.exe	107
PID 2496 wrote to memory of 2040	2496	Replace.exe	107
PID 2496 wrote to memory of 1476	2496	Replace.exe	108
PID 2496 wrote to memory of 1476	2496	Replace.exe	108
PID 4976 wrote to memory of 2092	4976	Replace.exe	110
PID 4976 wrote to memory of 2092	4976	Replace.exe	110
PID 4976 wrote to memory of 2092	4976	Replace.exe	110
PID 4976 wrote to memory of 1460	4976	Replace.exe	111
PID 4976 wrote to memory of 1460	4976	Replace.exe	111
PID 1536 wrote to memory of 3976	1536	Replace.exe	113
PID 1536 wrote to memory of 3976	1536	Replace.exe	113
PID 1536 wrote to memory of 3976	1536	Replace.exe	113
PID 1536 wrote to memory of 3988	1536	Replace.exe	114
PID 1536 wrote to memory of 3988	1536	Replace.exe	114
PID 1808 wrote to memory of 2356	1808	Replace.exe	117
PID 1808 wrote to memory of 2356	1808	Replace.exe	117
PID 1808 wrote to memory of 2356	1808	Replace.exe	117
PID 1808 wrote to memory of 4940	1808	Replace.exe	118
PID 1808 wrote to memory of 4940	1808	Replace.exe	118
PID 2196 wrote to memory of 2684	2196	Replace.exe	120
PID 2196 wrote to memory of 2684	2196	Replace.exe	120
PID 2196 wrote to memory of 2684	2196	Replace.exe	120
PID 2196 wrote to memory of 2172	2196	Replace.exe	121
PID 2196 wrote to memory of 2172	2196	Replace.exe	121
PID 5100 wrote to memory of 3468	5100	Replace.exe	123
PID 5100 wrote to memory of 3468	5100	Replace.exe	123
PID 5100 wrote to memory of 3468	5100	Replace.exe	123
PID 5100 wrote to memory of 1740	5100	Replace.exe	124
PID 5100 wrote to memory of 1740	5100	Replace.exe	124
PID 3972 wrote to memory of 4304	3972	Replace.exe	126
PID 3972 wrote to memory of 4304	3972	Replace.exe	126
PID 3972 wrote to memory of 4304	3972	Replace.exe	126
PID 3972 wrote to memory of 2500	3972	Replace.exe	127
PID 3972 wrote to memory of 2500	3972	Replace.exe	127
PID 4840 wrote to memory of 5020	4840	Replace.exe	129
PID 4840 wrote to memory of 5020	4840	Replace.exe	129
PID 4840 wrote to memory of 5020	4840	Replace.exe	129
PID 4840 wrote to memory of 3544	4840	Replace.exe	130
PID 4840 wrote to memory of 3544	4840	Replace.exe	130
PID 4944 wrote to memory of 4908	4944	Replace.exe	132
PID 4944 wrote to memory of 4908	4944	Replace.exe	132
PID 4944 wrote to memory of 4908	4944	Replace.exe	132
PID 4944 wrote to memory of 4668	4944	Replace.exe	133
PID 4944 wrote to memory of 4668	4944	Replace.exe	133
PID 3296 wrote to memory of 1512	3296	Replace.exe	135
PID 3296 wrote to memory of 1512	3296	Replace.exe	135
PID 3296 wrote to memory of 1512	3296	Replace.exe	135
PID 3296 wrote to memory of 2800	3296	Replace.exe	136
PID 3296 wrote to memory of 2800	3296	Replace.exe	136
PID 4768 wrote to memory of 1708	4768	Replace.exe	138
PID 4768 wrote to memory of 1708	4768	Replace.exe	138
PID 4768 wrote to memory of 1708	4768	Replace.exe	138
PID 4768 wrote to memory of 4224	4768	Replace.exe	139

C:\Users\Admin\AppData\Local\Temp\Replace.exe
"C:\Users\Admin\AppData\Local\Temp\Replace.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Users\Admin\AppData\Local\Temp\wsc90C6.tmp",Start verpostfix=bt
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2404
- C:\Users\Admin\AppData\Local\Temp\7zS0306E4B7\run.exe
  .\run.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4268

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1824

C:\Windows\WinSxS\wow64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.22000.1_none_a92436e98f43ccd7\replace.exe
"C:\Windows\WinSxS\wow64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.22000.1_none_a92436e98f43ccd7\replace.exe"
1⤵
PID:2548

C:\Windows\WinSxS\wow64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.22000.1_none_a92436e98f43ccd7\replace.exe
"C:\Windows\WinSxS\wow64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.22000.1_none_a92436e98f43ccd7\replace.exe"
1⤵
PID:2288

C:\Windows\WinSxS\wow64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.22000.1_none_a92436e98f43ccd7\replace.exe
"C:\Windows\WinSxS\wow64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.22000.1_none_a92436e98f43ccd7\replace.exe"
1⤵
PID:1280

C:\Windows\WinSxS\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.22000.1_none_9ecf8c975ae30adc\replace.exe
"C:\Windows\WinSxS\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.22000.1_none_9ecf8c975ae30adc\replace.exe"
1⤵
PID:3468

C:\Windows\WinSxS\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.22000.1_none_9ecf8c975ae30adc\replace.exe
"C:\Windows\WinSxS\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.22000.1_none_9ecf8c975ae30adc\replace.exe"
1⤵
PID:1740

C:\Windows\WinSxS\wow64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.22000.1_none_a92436e98f43ccd7\replace.exe
"C:\Windows\WinSxS\wow64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.22000.1_none_a92436e98f43ccd7\replace.exe"
1⤵
PID:3292

C:\Windows\WinSxS\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.22000.1_none_9ecf8c975ae30adc\replace.exe
"C:\Windows\WinSxS\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.22000.1_none_9ecf8c975ae30adc\replace.exe"
1⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\Replace.exe
"C:\Users\Admin\AppData\Local\Temp\Replace.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Users\Admin\AppData\Local\Temp\wsc2522.tmp",Start verpostfix=bt
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:3580
- C:\Users\Admin\AppData\Local\Temp\7zS4642FA69\run.exe
  .\run.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1648

C:\Users\Admin\AppData\Local\Temp\Replace.exe
"C:\Users\Admin\AppData\Local\Temp\Replace.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Users\Admin\AppData\Local\Temp\wsc304D.tmp",Start verpostfix=bt
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2040
- C:\Users\Admin\AppData\Local\Temp\7zS0C9D8139\run.exe
  .\run.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1476

C:\Users\Admin\AppData\Local\Temp\Replace.exe
"C:\Users\Admin\AppData\Local\Temp\Replace.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Users\Admin\AppData\Local\Temp\wsc32CE.tmp",Start verpostfix=bt
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2092
- C:\Users\Admin\AppData\Local\Temp\7zS073F7229\run.exe
  .\run.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1460

C:\Users\Admin\AppData\Local\Temp\Replace.exe
"C:\Users\Admin\AppData\Local\Temp\Replace.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Users\Admin\AppData\Local\Temp\wsc424F.tmp",Start verpostfix=bt
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:3976
- C:\Users\Admin\AppData\Local\Temp\7zS006F1669\run.exe
  .\run.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3988

C:\Users\Admin\Desktop\Replace.exe
"C:\Users\Admin\Desktop\Replace.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Users\Admin\AppData\Local\Temp\wsc619E.tmp",Start verpostfix=bt
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2356
- C:\Users\Admin\AppData\Local\Temp\7zS017E4849\run.exe
  .\run.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4940

C:\Users\Admin\Desktop\Replace.exe
"C:\Users\Admin\Desktop\Replace.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Users\Admin\AppData\Local\Temp\wsc78EF.tmp",Start verpostfix=bt
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2684
- C:\Users\Admin\AppData\Local\Temp\7zS498F1C59\run.exe
  .\run.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2172

C:\Users\Admin\Desktop\Replace.exe
"C:\Users\Admin\Desktop\Replace.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Users\Admin\AppData\Local\Temp\wscD0E3.tmp",Start verpostfix=bt
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:3468
- C:\Users\Admin\AppData\Local\Temp\7zSCE32D799\run.exe
  .\run.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1740

C:\Users\Admin\Desktop\Replace.exe
"C:\Users\Admin\Desktop\Replace.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Users\Admin\AppData\Local\Temp\wscF68B.tmp",Start verpostfix=bt
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:4304
- C:\Users\Admin\AppData\Local\Temp\7zS48FB98E9\run.exe
  .\run.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2500

C:\Users\Admin\Desktop\Replace.exe
"C:\Users\Admin\Desktop\Replace.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Users\Admin\AppData\Local\Temp\wsc4FD7.tmp",Start verpostfix=bt
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:5020
- C:\Users\Admin\AppData\Local\Temp\7zS8E26530A\run.exe
  .\run.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3544

C:\Users\Admin\Desktop\Replace.exe
"C:\Users\Admin\Desktop\Replace.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Users\Admin\AppData\Local\Temp\wsc7D20.tmp",Start verpostfix=bt
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:4908
- C:\Users\Admin\AppData\Local\Temp\7zS05310D7A\run.exe
  .\run.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4668

C:\Users\Admin\Desktop\Replace.exe
"C:\Users\Admin\Desktop\Replace.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3296
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Users\Admin\AppData\Local\Temp\wsc8BF5.tmp",Start verpostfix=bt
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:1512
- C:\Users\Admin\AppData\Local\Temp\7zS0EC555AA\run.exe
  .\run.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2800

C:\Users\Admin\Desktop\Replace.exe
"C:\Users\Admin\Desktop\Replace.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Users\Admin\AppData\Local\Temp\wscAB64.tmp",Start verpostfix=bt
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:1708
- C:\Users\Admin\AppData\Local\Temp\7zS0A25FA9A\run.exe
  .\run.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4224

C:\Users\Admin\Desktop\Replace.exe
"C:\Users\Admin\Desktop\Replace.exe"
1⤵
PID:4088
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Users\Admin\AppData\Local\Temp\wscE45.tmp",Start verpostfix=bt
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:5028
- C:\Users\Admin\AppData\Local\Temp\7zS8FF5900B\run.exe
  .\run.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1444

C:\Users\Admin\Desktop\Replace.exe
"C:\Users\Admin\Desktop\Replace.exe"
1⤵
PID:2676
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Users\Admin\AppData\Local\Temp\wsc310F.tmp",Start verpostfix=bt
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:616
- C:\Users\Admin\AppData\Local\Temp\7zS47AF5B3B\run.exe
  .\run.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4248

C:\Users\Admin\Desktop\Replace.exe
"C:\Users\Admin\Desktop\Replace.exe"
1⤵
PID:1076
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Users\Admin\AppData\Local\Temp\wsc6C62.tmp",Start verpostfix=bt
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:440
- C:\Users\Admin\AppData\Local\Temp\7zS4342932B\run.exe
  .\run.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:232

C:\Users\Admin\Desktop\Replace.exe
"C:\Users\Admin\Desktop\Replace.exe"
1⤵
PID:3208
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Users\Admin\AppData\Local\Temp\wsc7F1F.tmp",Start verpostfix=bt
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2712
- C:\Users\Admin\AppData\Local\Temp\7zS88CF1A5B\run.exe
  .\run.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2808

C:\Users\Admin\Desktop\Replace.exe
"C:\Users\Admin\Desktop\Replace.exe"
1⤵
PID:2780
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Users\Admin\AppData\Local\Temp\wscFA99.tmp",Start verpostfix=bt
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:4060
- C:\Users\Admin\AppData\Local\Temp\7zSCDA9B0BB\run.exe
  .\run.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4560

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39c7855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Image-Line\FL Studio 20\FL64.exe

Filesize
287KB

MD5
8d4aee53f9d6ea4a47dc73edd78dcef0

SHA1
4d12d67edd64877831dea463ce67c42ebca6e0ae

SHA256
6cfc98d1ffcdb983e64beac75ccde7d873e3c41fffde2f4d87dd0757eb5a620d

SHA512
54eaa03f18bccaddb04a8dd7127f1e9ce8eefaf1141e3b8684e7f6bbdcc45aa60aa276467f1df9bd361d0ac8c8de398959be18bf2e387dce34550716e44599ec

Download Submit
C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll

Filesize
48.5MB

MD5
ebe013331393c140ed250cd8d8d76d23

SHA1
6d50b4ee2ce1654f37f6aff258907d933c23e826

SHA256
ee8df6fb76467b44a3221d2a411da13cea1fb8f7deb714fba14263690532a17b

SHA512
47b5d7d83b6624bf5959957e47d0bb030c9575c7e55bda8868cd79fae3d4e24ae99a490b0f2e763871dca77c3dc32144e37925d910e04e080f6d42d985e6bd3e

Download Submit
C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll

Filesize
48.5MB

MD5
c9643940bf00a8bb87ff406151b5d4c2

SHA1
52af6091e0f75433286c2a99a389d13be4482e59

SHA256
b9f7423e506c72f603f734fcfa2579da07a906ab6403ec02223cde0d02f81fc5

SHA512
f80a86871c9a6521d2ae280fcebac57a299b6ba49aa355d50055178455a13db0cd55b78250ba6bdfb55b479d567ffabf812b4d47d4c91898cb069610e081d8f4

Download Submit
C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll

Filesize
48.5MB

MD5
fb2c6e793d6b6c88d34a9272a9d5c572

SHA1
1315f9713f52f3f9f4dc4c3cacf2ccf5bf48fac5

SHA256
3449b21088fd7b6162087b945197b0c7998b7c3bd95478c4e420900d991b5cce

SHA512
2ea46eb6287b4d591d5c09087bb42577fa98887e8fa373679b05e42a72f9a880aec444499b6c9d72d4e0b207adf9a5e4d4ed07182b2a267d53bafda55b7ab8dd

Download Submit
C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll

Filesize
48.5MB

MD5
84910af8ce7ca7579435f1e3ec3bf646

SHA1
bbfd7981a4f9c127a87407b4e605a55060e345f1

SHA256
1380160c6176fcab0fe4c2b87930f0f9dd9783d0eea28359ae93693b02a4e7d6

SHA512
a9b276cbd4822a87f12906a1f495468ba6943a6a96ad8db720c7edce675c488bfbc4261e214a6fd2d27b6485a2fc3114ff7e30eec1d66812202d6d2f6f0b2bdc

Download Submit
C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll

Filesize
48.5MB

MD5
93e37eb1c6ec1d6e660f95bf85103fa2

SHA1
51f5e64862cf16d30a0f96c09445a1e36edeee80

SHA256
8404e26da024d9c59a1c597c9177db2b7b6a4bfe176b606dd78c9bb86cc28ee1

SHA512
32fb6ece1d249a8fca9e3d73a30019cf3eab990103ce93772abae539fd198980bb998d28c5f327f51b83938743dd216b237d5d7e3d5ea65e8688316405db0765

Download Submit
C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll

Filesize
48.5MB

MD5
e577ef3cfadbb80c6af8f37bf6e62f70

SHA1
c27f57e17539f09cec7b47c223dfa8ea54b851fe

SHA256
60392a436109f0b236c2b26ccaf677f3e0e0bd338aec35a6495c0a25f73e3f15

SHA512
a1fa8bb2e148e76e2ccedfed94d8c93841e086821fe258adb931f12a1685bf2f5b5a9a131aece81b18441fdb48112c5f5c914e49a8c689138333ff0c427bca49

Download Submit
C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll

Filesize
48.5MB

MD5
0dc98879b28b2a3d3a979ca8815f47a6

SHA1
1e80b69d7a63d53578874fd0e6216d1d428b8115

SHA256
a94e49295ab469f80e8396d432c8ef7b9ef4da7bacec9d837e7ecae5921c1008

SHA512
e128aee4dfaedf49552496cc39f645c494bab1e9a6ead1d9c65bae5311e03a8e891c3f9f45cf14c77e8f5199075b77d7711a41fd6fdc61172dcd22f113cb4f9a

Download Submit
C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll

Filesize
48.5MB

MD5
0f4f986b23fe9e93fe17dbf42730875c

SHA1
405209c4f3c18f96807c85d703283434451ecf52

SHA256
4d04ded4fdbc3bff62c7c0ead6ac7d85295dabe1e21b6a12d82f54bd8aad6f8e

SHA512
0edae6b788e564605068debcf5e404c5521f8c26d6a7baacf5018383f42af1f027e2fe6ca8c379c7b567399093b38054c6ce6c7acf50afeb6f3c14d2c874c9f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0306E4B7\run.exe

Filesize
34.8MB

MD5
d77c3ef3efa7e38ef91137466eee801b

SHA1
0b6ce4b03f43c2a7290f95bfbbe9107298efeaef

SHA256
91c2295f354b0616aa6481708248f6ce35dbe9292901464fc6bf3a22522ccb2f

SHA512
7c0171509814f7e5f24b2a9d53a10ab282586ec56bcdedc2deb2ba1aa2b4d9edade6d6d753ca80fb65d147597bfd4ac9f30e330e88c695e72c913ff3ab224750

Download Submit
C:\Users\Admin\AppData\Local\Temp\wns4398.tmp

Filesize
564B

MD5
5da4c1420f84ec727d1b6bdd0d46e62e

SHA1
280d08d142f7386283f420444ec48e1cdbfd61bb

SHA256
3c8cc37a98346bd0123b35e5ccd87bd07d69914dae04f8b49f61c150d96e9d1f

SHA512
7c51a628831d0236e8d314c71732b8a62e06334431d10f7c293c49b23665b2a6a1ddbc4772009010955b5228ea4a5cd97fb93581ce391ee1792e8a198b76111a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsc90C6.tmp

Filesize
6KB

MD5
41e689a7859429d628c34a82bcbb1187

SHA1
f435c4225fc00b3ce4543b812731a65d3722bdc3

SHA256
252dd587c652e9939432bd8b5574590c4a8db64660bc753f5490a472703f5c3a

SHA512
6a8f76f4d2eeb78df1c48f43c8d31f4510f2ba8da71fbb93d88627eba5f4cc74eb9aa12b7688d7fb62ed938fe2ac15bd2c060d6ad90e5b2c61114f74fcecec85

Download Submit
memory/1536-65-0x0000000000290000-0x00000000002DE000-memory.dmp

Filesize
312KB

Download
memory/4976-74-0x0000000000290000-0x00000000002DE000-memory.dmp

Filesize
312KB

Download
memory/4976-97-0x0000000000290000-0x00000000002DE000-memory.dmp

Filesize
312KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads