087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

Analysis

max time kernel
174s
max time network
179s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 23:10

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Size

1.1MB
MD5

e00e791b11a45b14e9697634ec448b59
SHA1

d09ce3a226c5a75113768979f8b0d707886a9a7d
SHA256

087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd
SHA512

f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257
SSDEEP

24576:pbCj2sObHtqQ4QETwiOVUYn6+GU/zjCHlifv6k:pbCjPKNqQ8wiA9F7Lak

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 27 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exeRegAsm.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe\""	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner\\CCleaner.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

Executes dropped EXE 31 IoCs

Processes:

087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exesysmon.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exesysmon.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exesysmon.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exesysmon.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exesysmon.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exesysmon.exesysmon.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

pid	process
268	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
684	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1732	sysmon.exe
524	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1800	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1524	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1652	sysmon.exe
1420	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1640	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
2032	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1328	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
484	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1144	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1208	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1900	sysmon.exe
1640	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1144	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1568	sysmon.exe
1760	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1888	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1528	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1688	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1992	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
552	sysmon.exe
1664	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1888	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1172	sysmon.exe
836	sysmon.exe
1720	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
768	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
2096	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

Loads dropped DLL 28 IoCs

Processes:

087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exeWScript.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exeRegAsm.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exeRegAsm.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

pid	process
1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1316	WScript.exe
268	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
684	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
676	RegAsm.exe
524	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1948	RegAsm.exe
1800	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1524	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1420	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1640	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
2032	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1328	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
484	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1144	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1208	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1640	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1144	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1760	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1888	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1528	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1688	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1992	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1664	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1888	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1720	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
768	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
2096	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RUN	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RUN	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RUN	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RUN	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RUN	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RUN	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RUN	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RUN	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RUN	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RUN	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\winupdate.lnk"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update\\boot.lnk,explorer.exe"	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

Checks whether UAC is enabled 1 TTPs 25 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

AutoIT Executable 30 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	autoit_exe

Drops file in System32 directory 1 IoCs

Processes:

RegAsm.exe

description ioc process

File created C:\Windows\SysWOW64\clientsvr.exe RegAsm.exe

description	ioc	process
File created	C:\Windows\SysWOW64\clientsvr.exe	RegAsm.exe

Suspicious use of SetThreadContext 25 IoCs

Processes:

087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

description	pid	process	target process
PID 268 set thread context of 676	268	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1508 set thread context of 1948	1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 684 set thread context of 956	684	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 524 set thread context of 980	524	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1800 set thread context of 1008	1800	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1524 set thread context of 1252	1524	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1420 set thread context of 1888	1420	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1640 set thread context of 868	1640	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1328 set thread context of 684	1328	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 2032 set thread context of 1560	2032	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 484 set thread context of 1420	484	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1144 set thread context of 740	1144	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1208 set thread context of 760	1208	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1144 set thread context of 1884	1144	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1640 set thread context of 980	1640	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1760 set thread context of 928	1760	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1528 set thread context of 896	1528	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1888 set thread context of 1544	1888	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1688 set thread context of 1740	1688	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1992 set thread context of 1756	1992	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1664 set thread context of 240	1664	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1888 set thread context of 1680	1888	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1720 set thread context of 1888	1720	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 768 set thread context of 2064	768	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 2096 set thread context of 2132	2096	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
268	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
268	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
268	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
268	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
268	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
268	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
268	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
268	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
268	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
268	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
684	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
684	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
684	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
684	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
684	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
684	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
684	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
684	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
684	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
684	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
524	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
524	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
524	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
524	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
524	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
524	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
524	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
524	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
524	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1800	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1800	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1800	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1800	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1800	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1800	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1800	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1800	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1800	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1524	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1524	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1524	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1524	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1524	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1524	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1524	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1524	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1524	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
524	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1800	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1524	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1420	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1420	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1420	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
1420	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 956 RegAsm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

956 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	956	RegAsm.exe

pid	process
956	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exeWScript.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exeRegAsm.exe087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

description	pid	process	target process
PID 1508 wrote to memory of 1316	1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	WScript.exe
PID 1508 wrote to memory of 1316	1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	WScript.exe
PID 1508 wrote to memory of 1316	1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	WScript.exe
PID 1508 wrote to memory of 1316	1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	WScript.exe
PID 1316 wrote to memory of 268	1316	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 1316 wrote to memory of 268	1316	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 1316 wrote to memory of 268	1316	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 1316 wrote to memory of 268	1316	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 1508 wrote to memory of 1948	1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1508 wrote to memory of 1948	1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1508 wrote to memory of 1948	1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1508 wrote to memory of 1948	1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1508 wrote to memory of 1948	1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1508 wrote to memory of 1948	1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 268 wrote to memory of 676	268	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 268 wrote to memory of 676	268	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 268 wrote to memory of 676	268	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1508 wrote to memory of 1948	1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 268 wrote to memory of 676	268	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 268 wrote to memory of 676	268	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 268 wrote to memory of 676	268	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 268 wrote to memory of 676	268	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 268 wrote to memory of 676	268	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1508 wrote to memory of 1948	1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 268 wrote to memory of 676	268	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1508 wrote to memory of 1948	1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 268 wrote to memory of 676	268	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1508 wrote to memory of 1948	1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 268 wrote to memory of 676	268	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 268 wrote to memory of 676	268	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1508 wrote to memory of 1948	1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1508 wrote to memory of 1948	1508	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1316 wrote to memory of 684	1316	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 1316 wrote to memory of 684	1316	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 1316 wrote to memory of 684	1316	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 1316 wrote to memory of 684	1316	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 676 wrote to memory of 1732	676	RegAsm.exe	sysmon.exe
PID 676 wrote to memory of 1732	676	RegAsm.exe	sysmon.exe
PID 676 wrote to memory of 1732	676	RegAsm.exe	sysmon.exe
PID 676 wrote to memory of 1732	676	RegAsm.exe	sysmon.exe
PID 684 wrote to memory of 956	684	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 684 wrote to memory of 956	684	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 684 wrote to memory of 956	684	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 684 wrote to memory of 956	684	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 684 wrote to memory of 956	684	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 684 wrote to memory of 956	684	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 684 wrote to memory of 956	684	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 684 wrote to memory of 956	684	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 684 wrote to memory of 956	684	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 684 wrote to memory of 956	684	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 684 wrote to memory of 956	684	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 684 wrote to memory of 956	684	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe	RegAsm.exe
PID 1316 wrote to memory of 524	1316	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 1316 wrote to memory of 524	1316	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 1316 wrote to memory of 524	1316	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 1316 wrote to memory of 524	1316	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 1316 wrote to memory of 1800	1316	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 1316 wrote to memory of 1800	1316	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 1316 wrote to memory of 1800	1316	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 1316 wrote to memory of 1800	1316	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 1316 wrote to memory of 1524	1316	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 1316 wrote to memory of 1524	1316	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 1316 wrote to memory of 1524	1316	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
PID 1316 wrote to memory of 1524	1316	WScript.exe	087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe

C:\Users\Admin\AppData\Local\Temp\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Local\Temp\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\KFdKD.vbs" 0
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1316

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:676

C:\ProgramData\710797\sysmon.exe
"C:\ProgramData\710797\sysmon.exe"
5⤵
- Executes dropped EXE
PID:1732

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:956

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:980

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1800

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:1008

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:1252

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1420

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:1888

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1640

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:868

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2032

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:1560

C:\ProgramData\710797\sysmon.exe
"C:\ProgramData\710797\sysmon.exe"
5⤵
- Executes dropped EXE
PID:1900

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1328

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:684

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:484

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:1420

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1144

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:740

C:\ProgramData\710797\sysmon.exe
"C:\ProgramData\710797\sysmon.exe"
5⤵
- Executes dropped EXE
PID:1568

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1208

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:760

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1640

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:980

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1144

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:1884

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:928

C:\ProgramData\710797\sysmon.exe
"C:\ProgramData\710797\sysmon.exe"
5⤵
- Executes dropped EXE
PID:552

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:1544

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:896

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:1740

C:\ProgramData\710797\sysmon.exe
"C:\ProgramData\710797\sysmon.exe"
5⤵
- Executes dropped EXE
PID:1172

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:1756

C:\ProgramData\710797\sysmon.exe
"C:\ProgramData\710797\sysmon.exe"
5⤵
- Executes dropped EXE
PID:836

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:240

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:1680

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:1888

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:2064

C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
"C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2096

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:2132

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Loads dropped DLL
PID:1948

C:\ProgramData\387872\sysmon.exe
"C:\ProgramData\387872\sysmon.exe"
3⤵
- Executes dropped EXE
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\387872\sysmon.exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\ProgramData\387872\sysmon.exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\ProgramData\710797\sysmon.exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\ProgramData\710797\sysmon.exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\ProgramData\710797\sysmon.exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\ProgramData\710797\sysmon.exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\ProgramData\710797\sysmon.exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\ProgramData\710797\sysmon.exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\ProgramData\710797\sysmon.exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KFdKD.vbs
Filesize
220B

MD5
bf97d1855681f2d320e75cd57a326c4c

SHA1
30067c154088e35e71acc396942ce511e3fead18

SHA256
f920c4d29e31489499b1b8df498342861e3f813cc2a3d389f80c12f143de4212

SHA512
93d2262ec2742a0003df176dc3d5b09ba433c231c373d9e1eae2a66cdc000c04e1148587674e49de9f241c85ebb77226c8c43c84d9943050933da353ebf030b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
Filesize
2KB

MD5
28eb6def9307d18abaa0e4bbdfd16602

SHA1
68d23ffd5170b1077fd75495ced66f1b671d108d

SHA256
b80bfb505c71cc93ec0d5c787cb1ab8e16e6ba8d5e5056a0bdd9b007299c8b44

SHA512
d458056b26451a3420a6869129806c234a6b52aa4ca88946717d07aba35b945acaffa1c3f9c44469e36357059e56250d20593cade949fde2309d3e95e344bcea

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
Filesize
2KB

MD5
28eb6def9307d18abaa0e4bbdfd16602

SHA1
68d23ffd5170b1077fd75495ced66f1b671d108d

SHA256
b80bfb505c71cc93ec0d5c787cb1ab8e16e6ba8d5e5056a0bdd9b007299c8b44

SHA512
d458056b26451a3420a6869129806c234a6b52aa4ca88946717d07aba35b945acaffa1c3f9c44469e36357059e56250d20593cade949fde2309d3e95e344bcea

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
Filesize
2KB

MD5
28eb6def9307d18abaa0e4bbdfd16602

SHA1
68d23ffd5170b1077fd75495ced66f1b671d108d

SHA256
b80bfb505c71cc93ec0d5c787cb1ab8e16e6ba8d5e5056a0bdd9b007299c8b44

SHA512
d458056b26451a3420a6869129806c234a6b52aa4ca88946717d07aba35b945acaffa1c3f9c44469e36357059e56250d20593cade949fde2309d3e95e344bcea

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
Filesize
2KB

MD5
28eb6def9307d18abaa0e4bbdfd16602

SHA1
68d23ffd5170b1077fd75495ced66f1b671d108d

SHA256
b80bfb505c71cc93ec0d5c787cb1ab8e16e6ba8d5e5056a0bdd9b007299c8b44

SHA512
d458056b26451a3420a6869129806c234a6b52aa4ca88946717d07aba35b945acaffa1c3f9c44469e36357059e56250d20593cade949fde2309d3e95e344bcea

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
Filesize
2KB

MD5
28eb6def9307d18abaa0e4bbdfd16602

SHA1
68d23ffd5170b1077fd75495ced66f1b671d108d

SHA256
b80bfb505c71cc93ec0d5c787cb1ab8e16e6ba8d5e5056a0bdd9b007299c8b44

SHA512
d458056b26451a3420a6869129806c234a6b52aa4ca88946717d07aba35b945acaffa1c3f9c44469e36357059e56250d20593cade949fde2309d3e95e344bcea

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
Filesize
2KB

MD5
28eb6def9307d18abaa0e4bbdfd16602

SHA1
68d23ffd5170b1077fd75495ced66f1b671d108d

SHA256
b80bfb505c71cc93ec0d5c787cb1ab8e16e6ba8d5e5056a0bdd9b007299c8b44

SHA512
d458056b26451a3420a6869129806c234a6b52aa4ca88946717d07aba35b945acaffa1c3f9c44469e36357059e56250d20593cade949fde2309d3e95e344bcea

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
Filesize
2KB

MD5
28eb6def9307d18abaa0e4bbdfd16602

SHA1
68d23ffd5170b1077fd75495ced66f1b671d108d

SHA256
b80bfb505c71cc93ec0d5c787cb1ab8e16e6ba8d5e5056a0bdd9b007299c8b44

SHA512
d458056b26451a3420a6869129806c234a6b52aa4ca88946717d07aba35b945acaffa1c3f9c44469e36357059e56250d20593cade949fde2309d3e95e344bcea

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update\boot.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
C:\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\387872\sysmon.exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\ProgramData\710797\sysmon.exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
\Users\Admin\AppData\Roaming\Sidebar\087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd.exe
Filesize
1.1MB

MD5
e00e791b11a45b14e9697634ec448b59

SHA1
d09ce3a226c5a75113768979f8b0d707886a9a7d

SHA256
087407f4b497df85d74e01f61a4ba180ee83976eabb0d8b24a3ddbabfb22a8fd

SHA512
f125c379bcd896b7b9f37ac84ff30d5e33159aadd1c0f9ee5f467ef20fcb6c7fb3e4f409bac3cf9e23eee76ad3a902dfcf3d566dcfd1c7fb0bf844091a262257

Download Submit
memory/240-432-0x000000000045CF0E-mapping.dmp

Download
memory/268-61-0x0000000000000000-mapping.dmp

Download
memory/484-246-0x0000000000000000-mapping.dmp

Download
memory/524-116-0x0000000000000000-mapping.dmp

Download
memory/552-408-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/552-406-0x0000000000000000-mapping.dmp

Download
memory/676-68-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/676-72-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/676-123-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/676-90-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/676-86-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/676-82-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/676-224-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/676-78-0x000000000045CF0E-mapping.dmp

Download
memory/676-76-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/684-254-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/684-233-0x000000000045CF0E-mapping.dmp

Download
memory/684-276-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/684-92-0x0000000000000000-mapping.dmp

Download
memory/740-270-0x000000000045CF0E-mapping.dmp

Download
memory/740-421-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/740-277-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/740-304-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/760-289-0x000000000045CF0E-mapping.dmp

Download
memory/768-457-0x0000000000000000-mapping.dmp

Download
memory/836-440-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/836-438-0x0000000000000000-mapping.dmp

Download
memory/868-204-0x000000000045CF0E-mapping.dmp

Download
memory/896-425-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/896-388-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/896-368-0x000000000045CF0E-mapping.dmp

Download
memory/928-339-0x000000000045CF0E-mapping.dmp

Download
memory/928-345-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/928-403-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/956-109-0x000000000045CF0E-mapping.dmp

Download
memory/956-115-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/956-150-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/980-221-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/980-318-0x000000000045CF0E-mapping.dmp

Download
memory/980-207-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/980-176-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/980-359-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/980-330-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/980-145-0x000000000045CF0E-mapping.dmp

Download
memory/1008-223-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1008-164-0x000000000045CF0E-mapping.dmp

Download
memory/1008-208-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1008-177-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1144-259-0x0000000000000000-mapping.dmp

Download
memory/1144-296-0x0000000000000000-mapping.dmp

Download
memory/1172-435-0x0000000000000000-mapping.dmp

Download
memory/1172-437-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1208-279-0x0000000000000000-mapping.dmp

Download
memory/1252-209-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1252-222-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1252-165-0x000000000045CF0E-mapping.dmp

Download
memory/1252-178-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1316-56-0x0000000000000000-mapping.dmp

Download
memory/1328-210-0x0000000000000000-mapping.dmp

Download
memory/1420-257-0x000000000045CF0E-mapping.dmp

Download
memory/1420-179-0x0000000000000000-mapping.dmp

Download
memory/1508-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1524-125-0x0000000000000000-mapping.dmp

Download
memory/1528-348-0x0000000000000000-mapping.dmp

Download
memory/1544-427-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1544-381-0x000000000045CF0E-mapping.dmp

Download
memory/1544-426-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1544-389-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1560-255-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1560-294-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1560-358-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1560-242-0x000000000045CF0E-mapping.dmp

Download
memory/1568-300-0x0000000000000000-mapping.dmp

Download
memory/1568-303-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1640-198-0x0000000000000000-mapping.dmp

Download
memory/1640-291-0x0000000000000000-mapping.dmp

Download
memory/1652-138-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1652-130-0x0000000000000000-mapping.dmp

Download
memory/1664-423-0x0000000000000000-mapping.dmp

Download
memory/1680-434-0x000000000045CF0E-mapping.dmp

Download
memory/1688-378-0x0000000000000000-mapping.dmp

Download
memory/1720-441-0x0000000000000000-mapping.dmp

Download
memory/1732-102-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1732-98-0x0000000000000000-mapping.dmp

Download
memory/1740-396-0x000000000045CF0E-mapping.dmp

Download
memory/1740-430-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1740-402-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1756-415-0x000000000045CF0E-mapping.dmp

Download
memory/1756-443-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1756-422-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1760-331-0x0000000000000000-mapping.dmp

Download
memory/1800-120-0x0000000000000000-mapping.dmp

Download
memory/1884-329-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1884-362-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1884-360-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1884-317-0x000000000045CF0E-mapping.dmp

Download
memory/1888-190-0x000000000045CF0E-mapping.dmp

Download
memory/1888-346-0x0000000000000000-mapping.dmp

Download
memory/1888-197-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1888-428-0x0000000000000000-mapping.dmp

Download
memory/1888-220-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1888-450-0x000000000045CF0E-mapping.dmp

Download
memory/1888-456-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1888-214-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1900-287-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1900-284-0x0000000000000000-mapping.dmp

Download
memory/1948-124-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1948-66-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1948-79-0x000000000045CF0E-mapping.dmp

Download
memory/1948-91-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1948-258-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1992-404-0x0000000000000000-mapping.dmp

Download
memory/2032-205-0x0000000000000000-mapping.dmp

Download
memory/2064-460-0x000000000045CF0E-mapping.dmp

Download
memory/2096-461-0x0000000000000000-mapping.dmp

Download
memory/2132-469-0x000000000045CF0E-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads