Analysis Overview
SHA256
fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55
Threat Level: Known bad
The file fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55 was found to be: Known bad.
Malicious Activity Summary
Hawkeye_reborn family
Sets file execution options in registry
Looks up external IP address via web service
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-25 07:40
Signatures
Hawkeye_reborn family
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-25 07:40
Reported
2022-06-25 09:09
Platform
win7-20220414-en
Max time kernel
23s
Max time network
46s
Command Line
Signatures
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | bot.whatismyipaddress.com | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe
"C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
Files
memory/1348-54-0x0000000076531000-0x0000000076533000-memory.dmp
memory/1348-55-0x0000000074AE0000-0x000000007508B000-memory.dmp
memory/1348-56-0x0000000074AE0000-0x000000007508B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-25 07:40
Reported
2022-06-25 09:09
Platform
win10v2004-20220414-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe\Debugger = "rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | bot.whatismyipaddress.com | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe
"C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 88.221.144.192:80 | | tcp |
| NL | 88.221.144.192:80 | | tcp |
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
Files
memory/4876-130-0x0000000074C10000-0x00000000751C1000-memory.dmp
memory/4876-131-0x0000000074C10000-0x00000000751C1000-memory.dmp
memory/4876-132-0x0000000074C10000-0x00000000751C1000-memory.dmp