Analysis
-
max time kernel
154s -
max time network
178s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted
26/11/2022, 22:58
Static task
static1
Behavioral task
behavioral1
Sample
a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Resource
win7-20220812-en
General
-
Target
a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
-
Size
1.5MB
-
MD5
fd3675162967550d15055b7e9ddccc25
-
SHA1
b0dcd0b5ebb171635dacb69951df5f85f2c47e61
-
SHA256
a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
-
SHA512
06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
SSDEEP
12288:FH7Wcjdc/r2sxxiPGGAOOPSXDV8ClgVYhX5FSsf8QRT0ZOT0ZJT0ZtT0ZMyzKZyb:FbCj2sObHtqQ4QRv8Y/yzrv0B7ENVD
Malware Config
Extracted
nanocore
1.2.2.0
mercipotobibi.crabdance.com:1337
127.0.0.1:1337
4b98f790-ccc4-4487-85c9-732f0821a662
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2015-02-20T22:56:58.387589736Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
true
-
connect_delay
4000
-
connection_port
1337
-
default_group
Steven alexandrov
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
4b98f790-ccc4-4487-85c9-732f0821a662
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
mercipotobibi.crabdance.com
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Modifies WinLogon for persistence 2 TTPs 25 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set 
value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe -
Executes dropped EXE 24 IoCs
pid Process 604 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 360 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1520 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2000 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1160 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 788 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 916 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1812 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1724 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1500 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1696 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1624 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 556 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1488 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2024 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1576 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1348 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 300 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1700 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2008 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 604 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1036 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1608 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1380 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe -
Loads dropped DLL 26 IoCs
pid Process 1852 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 940 WScript.exe 604 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 360 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1520 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2000 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1160 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 788 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 916 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1812 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1724 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1500 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1696 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1624 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 556 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1488 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2024 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1576 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1348 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 300 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1700 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2008 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 604 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1036 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1608 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1380 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created 
\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created 
\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created 
\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe -
AutoIT Executable 36 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x000800000001231a-55.dat autoit_exe behavioral1/files/0x000800000001231a-62.dat autoit_exe behavioral1/files/0x000800000001231a-60.dat autoit_exe behavioral1/files/0x000800000001231a-59.dat autoit_exe behavioral1/files/0x000800000001231a-64.dat autoit_exe behavioral1/files/0x000800000001231a-95.dat autoit_exe behavioral1/files/0x000800000001231a-97.dat autoit_exe behavioral1/files/0x000800000001231a-114.dat autoit_exe behavioral1/files/0x000800000001231a-116.dat autoit_exe behavioral1/files/0x000800000001231a-121.dat autoit_exe behavioral1/files/0x000800000001231a-123.dat autoit_exe behavioral1/files/0x000800000001231a-140.dat autoit_exe behavioral1/files/0x000800000001231a-143.dat autoit_exe behavioral1/files/0x000800000001231a-151.dat autoit_exe behavioral1/files/0x000800000001231a-153.dat autoit_exe behavioral1/files/0x000800000001231a-173.dat autoit_exe behavioral1/files/0x000800000001231a-176.dat autoit_exe behavioral1/files/0x000800000001231a-195.dat autoit_exe behavioral1/files/0x000800000001231a-197.dat autoit_exe behavioral1/files/0x000800000001231a-214.dat autoit_exe behavioral1/files/0x000800000001231a-218.dat autoit_exe behavioral1/files/0x000800000001231a-236.dat autoit_exe behavioral1/files/0x000800000001231a-238.dat autoit_exe behavioral1/files/0x000800000001231a-241.dat autoit_exe behavioral1/files/0x000800000001231a-243.dat autoit_exe behavioral1/files/0x000800000001231a-264.dat autoit_exe behavioral1/files/0x000800000001231a-266.dat autoit_exe behavioral1/files/0x000800000001231a-271.dat autoit_exe behavioral1/files/0x000800000001231a-287.dat autoit_exe behavioral1/files/0x000800000001231a-293.dat autoit_exe behavioral1/files/0x000800000001231a-295.dat autoit_exe behavioral1/files/0x000800000001231a-298.dat autoit_exe behavioral1/files/0x000800000001231a-327.dat autoit_exe behavioral1/files/0x000800000001231a-347.dat autoit_exe behavioral1/files/0x000800000001231a-350.dat autoit_exe 
behavioral1/files/0x000800000001231a-368.dat autoit_exe -
Suspicious use of SetThreadContext 24 IoCs
description pid Process procid_target PID 1852 set thread context of 1000 1852 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 30 PID 604 set thread context of 784 604 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 31 PID 360 set thread context of 928 360 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 33 PID 1520 set thread context of 1788 1520 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 35 PID 2000 set thread context of 816 2000 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 37 PID 1160 set thread context of 1628 1160 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 39 PID 788 set thread context of 1088 788 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 41 PID 916 set thread context of 952 916 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 43 PID 1812 set thread context of 584 1812 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 45 PID 1724 set thread context of 1264 1724 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 47 PID 1500 set thread context of 2000 1500 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 50 PID 1696 set thread context of 468 1696 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 51 PID 1624 set thread context of 360 1624 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 54 PID 556 set thread context of 968 556 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 58 PID 1488 set thread context of 1520 1488 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 57 PID 2024 set thread context of 1560 2024 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 59 PID 1576 set thread context of 1664 1576 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 61 PID 1348 set thread context of 1840 1348 
a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 63 PID 300 set thread context of 1052 300 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 65 PID 1700 set thread context of 1712 1700 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 67 PID 2008 set thread context of 360 2008 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 69 PID 604 set thread context of 1488 604 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 71 PID 1036 set thread context of 1240 1036 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 73 PID 1608 set thread context of 520 1608 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 75 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s); this is a generic behavioural heuristic that is commonly associated with ransomware.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1852 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1852 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1852 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1852 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1852 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 604 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 604 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 604 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 604 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 604 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1000 RegSvcs.exe 1000 RegSvcs.exe 360 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 360 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 360 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 360 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 360 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1520 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1520 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1520 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1520 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1520 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1000 RegSvcs.exe 1000 RegSvcs.exe 1000 RegSvcs.exe 1000 RegSvcs.exe 1000 RegSvcs.exe 1000 RegSvcs.exe 2000 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2000 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2000 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2000 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2000 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1160 
a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1160 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1160 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1160 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1160 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1000 RegSvcs.exe 1000 RegSvcs.exe 1000 RegSvcs.exe 788 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 788 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 788 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 788 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 788 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1000 RegSvcs.exe 1000 RegSvcs.exe 1000 RegSvcs.exe 916 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 916 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 916 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 916 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 916 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1812 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1812 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1812 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1812 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1812 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1724 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1724 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1724 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1724 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1724 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1000 RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1000 RegSvcs.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1852 wrote to memory of 940 1852 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 28 PID 1852 wrote to memory of 940 1852 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 28 PID 1852 wrote to memory of 940 1852 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 28 PID 1852 wrote to memory of 940 1852 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 28 PID 940 wrote to memory of 604 940 WScript.exe 29 PID 940 wrote to memory of 604 940 WScript.exe 29 PID 940 wrote to memory of 604 940 WScript.exe 29 PID 940 wrote to memory of 604 940 WScript.exe 29 PID 1852 wrote to memory of 1000 1852 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 30 PID 1852 wrote to memory of 1000 1852 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 30 PID 1852 wrote to memory of 1000 1852 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 30 PID 1852 wrote to memory of 1000 1852 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 30 PID 1852 wrote to memory of 1000 1852 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 30 PID 1852 wrote to memory of 1000 1852 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 30 PID 1852 wrote to memory of 1000 1852 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 30 PID 1852 wrote to memory of 1000 1852 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 30 PID 1852 wrote to memory of 1000 1852 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 30 PID 1852 wrote to memory of 1000 1852 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 30 PID 1852 wrote to memory of 1000 1852 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 30 PID 1852 wrote to memory of 1000 1852 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 30 PID 
604 wrote to memory of 784 604 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 31 PID 604 wrote to memory of 784 604 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 31 PID 604 wrote to memory of 784 604 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 31 PID 604 wrote to memory of 784 604 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 31 PID 604 wrote to memory of 784 604 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 31 PID 604 wrote to memory of 784 604 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 31 PID 604 wrote to memory of 784 604 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 31 PID 604 wrote to memory of 784 604 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 31 PID 604 wrote to memory of 784 604 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 31 PID 604 wrote to memory of 784 604 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 31 PID 604 wrote to memory of 784 604 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 31 PID 604 wrote to memory of 784 604 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 31 PID 940 wrote to memory of 360 940 WScript.exe 32 PID 940 wrote to memory of 360 940 WScript.exe 32 PID 940 wrote to memory of 360 940 WScript.exe 32 PID 940 wrote to memory of 360 940 WScript.exe 32 PID 360 wrote to memory of 928 360 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 33 PID 360 wrote to memory of 928 360 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 33 PID 360 wrote to memory of 928 360 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 33 PID 360 wrote to memory of 928 360 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 33 PID 360 wrote to memory of 928 360 
a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 33 PID 360 wrote to memory of 928 360 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 33 PID 360 wrote to memory of 928 360 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 33 PID 360 wrote to memory of 928 360 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 33 PID 360 wrote to memory of 928 360 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 33 PID 360 wrote to memory of 928 360 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 33 PID 360 wrote to memory of 928 360 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 33 PID 360 wrote to memory of 928 360 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 33 PID 940 wrote to memory of 1520 940 WScript.exe 34 PID 940 wrote to memory of 1520 940 WScript.exe 34 PID 940 wrote to memory of 1520 940 WScript.exe 34 PID 940 wrote to memory of 1520 940 WScript.exe 34 PID 1520 wrote to memory of 1788 1520 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 35 PID 1520 wrote to memory of 1788 1520 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 35 PID 1520 wrote to memory of 1788 1520 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 35 PID 1520 wrote to memory of 1788 1520 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 35 PID 1520 wrote to memory of 1788 1520 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 35 PID 1520 wrote to memory of 1788 1520 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 35 PID 1520 wrote to memory of 1788 1520 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 35 PID 1520 wrote to memory of 1788 1520 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 35 PID 940 wrote to memory of 2000 940 WScript.exe 36 PID 940 wrote to memory of 2000 940 
WScript.exe 36 PID 940 wrote to memory of 2000 940 WScript.exe 36 PID 940 wrote to memory of 2000 940 WScript.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfcZa.vbs" 02⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:604 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:784
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:360 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:928
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:1788
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2000 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:816
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1160 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:1628
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:788 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:1088
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:916 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:952
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1812 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:584
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1724 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:1264
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1500 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:2000
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1696 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:468
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1624 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:360
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:556 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:968
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1488 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:1520
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2024 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:1560
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1576 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:1664
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1348 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:1840
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:300 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:1052
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1700 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:1712
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2008 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:360
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:604 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:1488
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1036 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:1240
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1608 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:520
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1380
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1000
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
2KB
MD5ab415bf1825c9042a9ea05dcde20a753
SHA1b6fd6ce45d3d0e870310ffab8309d9f33907234f
SHA256be4f038fb4170d3d9ce1a244bad69305e32482684c9201fc0a7fdd483f3b2721
SHA5125610908d01accfe7fbc8f921d958dc8420f2550eac5b780d5dc47adf4c0bd491c8f113176f2d561ca267e3707d97c0bdaf0b201d2185e51b7e7228250dfa2c37
-
Filesize
2KB
MD5ab415bf1825c9042a9ea05dcde20a753
SHA1b6fd6ce45d3d0e870310ffab8309d9f33907234f
SHA256be4f038fb4170d3d9ce1a244bad69305e32482684c9201fc0a7fdd483f3b2721
SHA5125610908d01accfe7fbc8f921d958dc8420f2550eac5b780d5dc47adf4c0bd491c8f113176f2d561ca267e3707d97c0bdaf0b201d2185e51b7e7228250dfa2c37
-
Filesize
2KB
MD5ab415bf1825c9042a9ea05dcde20a753
SHA1b6fd6ce45d3d0e870310ffab8309d9f33907234f
SHA256be4f038fb4170d3d9ce1a244bad69305e32482684c9201fc0a7fdd483f3b2721
SHA5125610908d01accfe7fbc8f921d958dc8420f2550eac5b780d5dc47adf4c0bd491c8f113176f2d561ca267e3707d97c0bdaf0b201d2185e51b7e7228250dfa2c37
-
Filesize
2KB
MD5ab415bf1825c9042a9ea05dcde20a753
SHA1b6fd6ce45d3d0e870310ffab8309d9f33907234f
SHA256be4f038fb4170d3d9ce1a244bad69305e32482684c9201fc0a7fdd483f3b2721
SHA5125610908d01accfe7fbc8f921d958dc8420f2550eac5b780d5dc47adf4c0bd491c8f113176f2d561ca267e3707d97c0bdaf0b201d2185e51b7e7228250dfa2c37
-
Filesize
2KB
MD5ab415bf1825c9042a9ea05dcde20a753
SHA1b6fd6ce45d3d0e870310ffab8309d9f33907234f
SHA256be4f038fb4170d3d9ce1a244bad69305e32482684c9201fc0a7fdd483f3b2721
SHA5125610908d01accfe7fbc8f921d958dc8420f2550eac5b780d5dc47adf4c0bd491c8f113176f2d561ca267e3707d97c0bdaf0b201d2185e51b7e7228250dfa2c37
-
Filesize
2KB
MD5ab415bf1825c9042a9ea05dcde20a753
SHA1b6fd6ce45d3d0e870310ffab8309d9f33907234f
SHA256be4f038fb4170d3d9ce1a244bad69305e32482684c9201fc0a7fdd483f3b2721
SHA5125610908d01accfe7fbc8f921d958dc8420f2550eac5b780d5dc47adf4c0bd491c8f113176f2d561ca267e3707d97c0bdaf0b201d2185e51b7e7228250dfa2c37
-
Filesize
2KB
MD5765ee1b400354c0c4952c0be768b99ff
SHA1abe7597458ab5b70e63c6f6ef80cf647979464e2
SHA2563769072c8bf980d4ce0f24788883d7e1e507a616812cf5da2bce31b151a46045
SHA5127bc9944427bebc5056779c6b17a43ba08606b816aff2432823a8fb74446d2d366e35d2aa562e855fbc06404ea0a4662e20266983902d28463743ddafc612a0a3
-
Filesize
220B
MD57665a54f8c588928a9858e293a55e1bd
SHA197903e2edafcb1ce04435bc83bfe16bcf38e64a2
SHA256c7fb59485d651db7826bcdc73036978b10007faa70f28010cd0125270d759bc0
SHA512f7f24b1f150fe43322232f93d414a19bd52f592cdfcaac2a07c1d18cdc739dd916035581827e9804aeff782edbb59f4ad9edcd85aff102ef35ce647c5da29cb3
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize1.5MB
MD5fd3675162967550d15055b7e9ddccc25
SHA1b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA51206fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize1.5MB
MD5fd3675162967550d15055b7e9ddccc25
SHA1b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA51206fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize1.5MB
MD5fd3675162967550d15055b7e9ddccc25
SHA1b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA51206fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize1.5MB
MD5fd3675162967550d15055b7e9ddccc25
SHA1b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA51206fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize1.5MB
MD5fd3675162967550d15055b7e9ddccc25
SHA1b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA51206fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize1.5MB
MD5fd3675162967550d15055b7e9ddccc25
SHA1b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA51206fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize1.5MB
MD5fd3675162967550d15055b7e9ddccc25
SHA1b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA51206fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize1.5MB
MD5fd3675162967550d15055b7e9ddccc25
SHA1b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA51206fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize1.5MB
MD5fd3675162967550d15055b7e9ddccc25
SHA1b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA51206fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize1.5MB
MD5fd3675162967550d15055b7e9ddccc25
SHA1b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA51206fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize1.5MB
MD5fd3675162967550d15055b7e9ddccc25
SHA1b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA51206fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093