Analysis
-
max time kernel
176s -
max time network
185s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
26/11/2022, 22:58
Static task
static1
Behavioral task
behavioral1
Sample
a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Resource
win7-20220812-en
General
-
Target
a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
-
Size
1.5MB
-
MD5
fd3675162967550d15055b7e9ddccc25
-
SHA1
b0dcd0b5ebb171635dacb69951df5f85f2c47e61
-
SHA256
a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
-
SHA512
06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
SSDEEP
12288:FH7Wcjdc/r2sxxiPGGAOOPSXDV8ClgVYhX5FSsf8QRT0ZOT0ZJT0ZtT0ZMyzKZyb:FbCj2sObHtqQ4QRv8Y/yzrv0B7ENVD
Malware Config
Extracted
nanocore
1.2.2.0
mercipotobibi.crabdance.com:1337
127.0.0.1:1337
4b98f790-ccc4-4487-85c9-732f0821a662
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2015-02-20T22:56:58.387589736Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
true
-
connect_delay
4000
-
connection_port
1337
-
default_group
Steven alexandrov
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
4b98f790-ccc4-4487-85c9-732f0821a662
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
mercipotobibi.crabdance.com
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Modifies WinLogon for persistence 2 TTPs 27 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set 
value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\Userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Maintenance\\WinData.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe -
Executes dropped EXE 26 IoCs
pid Process 4964 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1744 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2464 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 4100 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1532 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 3536 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 4308 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2272 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 416 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 3772 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 4208 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 652 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2328 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1268 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2084 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 4288 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 3332 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 5016 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 4912 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1704 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 240 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2288 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 3540 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 4640 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 3620 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 4448 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry; this is likely a geofence check.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation WScript.exe -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created 
\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" 
a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" 
a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = 
"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Corporation = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ind\\boot.lnk,explorer.exe" a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe -
AutoIT Executable 23 IoCs
AutoIt scripts compiled into PE executables.
resource yara_rule behavioral2/files/0x0008000000022e56-134.dat autoit_exe behavioral2/files/0x0008000000022e56-136.dat autoit_exe behavioral2/files/0x0008000000022e56-143.dat autoit_exe behavioral2/files/0x0008000000022e56-151.dat autoit_exe behavioral2/files/0x0008000000022e56-159.dat autoit_exe behavioral2/files/0x0008000000022e56-166.dat autoit_exe behavioral2/files/0x0008000000022e56-173.dat autoit_exe behavioral2/files/0x0008000000022e56-180.dat autoit_exe behavioral2/files/0x0008000000022e56-187.dat autoit_exe behavioral2/files/0x0008000000022e56-194.dat autoit_exe behavioral2/files/0x0008000000022e56-201.dat autoit_exe behavioral2/files/0x0008000000022e56-203.dat autoit_exe behavioral2/files/0x0008000000022e56-213.dat autoit_exe behavioral2/files/0x0008000000022e56-220.dat autoit_exe behavioral2/files/0x0008000000022e56-226.dat autoit_exe behavioral2/files/0x0008000000022e56-228.dat autoit_exe behavioral2/files/0x0008000000022e56-235.dat autoit_exe behavioral2/files/0x0008000000022e56-243.dat autoit_exe behavioral2/files/0x0008000000022e56-252.dat autoit_exe behavioral2/files/0x0008000000022e56-258.dat autoit_exe behavioral2/files/0x0008000000022e56-265.dat autoit_exe behavioral2/files/0x0008000000022e56-272.dat autoit_exe behavioral2/files/0x0008000000022e56-277.dat autoit_exe -
Suspicious use of SetThreadContext 26 IoCs
description pid Process procid_target PID 5012 set thread context of 4932 5012 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 83 PID 4964 set thread context of 4860 4964 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 84 PID 1744 set thread context of 2476 1744 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 86 PID 2464 set thread context of 1120 2464 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 88 PID 4100 set thread context of 240 4100 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 93 PID 1532 set thread context of 4380 1532 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 95 PID 3536 set thread context of 3672 3536 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 97 PID 4308 set thread context of 2284 4308 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 99 PID 2272 set thread context of 4712 2272 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 101 PID 416 set thread context of 1540 416 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 103 PID 3772 set thread context of 4124 3772 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 106 PID 4208 set thread context of 3416 4208 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 107 PID 652 set thread context of 3448 652 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 110 PID 2328 set thread context of 3980 2328 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 113 PID 2084 set thread context of 3780 2084 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 117 PID 1268 set thread context of 2820 1268 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 118 PID 4288 set thread context of 4072 4288 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 120 PID 3332 set thread context of 2212 
3332 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 122 PID 5016 set thread context of 4860 5016 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 127 PID 4912 set thread context of 228 4912 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 129 PID 1704 set thread context of 4688 1704 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 131 PID 240 set thread context of 4572 240 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 135 PID 2288 set thread context of 3512 2288 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 139 PID 3540 set thread context of 4996 3540 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 144 PID 4640 set thread context of 4356 4640 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 147 PID 3620 set thread context of 1612 3620 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 152 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage or optical drives; this is likely ransomware behaviour.
-
Program crash 6 IoCs
pid pid_target Process procid_target 948 1120 WerFault.exe 88 2660 3416 WerFault.exe 107 5072 4688 WerFault.exe 131 2032 4572 WerFault.exe 135 1764 3512 WerFault.exe 139 4108 4356 WerFault.exe 147 -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5012 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 5012 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 5012 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 5012 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 5012 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 5012 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 5012 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 5012 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 5012 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 5012 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 4964 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 4964 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 4964 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 4964 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 4964 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 4964 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 4964 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 4964 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 4964 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 4964 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1744 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1744 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1744 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1744 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1744 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1744 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1744 
a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1744 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1744 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1744 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2464 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2464 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2464 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2464 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2464 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2464 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2464 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2464 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2464 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2464 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2476 RegSvcs.exe 2476 RegSvcs.exe 2476 RegSvcs.exe 2476 RegSvcs.exe 2476 RegSvcs.exe 2476 RegSvcs.exe 4100 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 4100 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 4100 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 4100 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 4100 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 4100 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 4100 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 4100 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 4100 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 4100 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 2476 RegSvcs.exe 2476 RegSvcs.exe 2476 RegSvcs.exe 1532 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 
1532 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1532 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1532 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 1532 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2476 RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2476 RegSvcs.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5012 wrote to memory of 4868 5012 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 81 PID 5012 wrote to memory of 4868 5012 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 81 PID 5012 wrote to memory of 4868 5012 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 81 PID 4868 wrote to memory of 4964 4868 WScript.exe 82 PID 4868 wrote to memory of 4964 4868 WScript.exe 82 PID 4868 wrote to memory of 4964 4868 WScript.exe 82 PID 5012 wrote to memory of 4932 5012 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 83 PID 5012 wrote to memory of 4932 5012 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 83 PID 5012 wrote to memory of 4932 5012 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 83 PID 5012 wrote to memory of 4932 5012 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 83 PID 5012 wrote to memory of 4932 5012 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 83 PID 5012 wrote to memory of 4932 5012 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 83 PID 5012 wrote to memory of 4932 5012 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 83 PID 5012 wrote to memory of 4932 5012 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 83 PID 4964 wrote to memory of 4860 4964 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 84 PID 4964 wrote to memory of 4860 4964 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 84 PID 4964 wrote to memory of 4860 4964 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 84 PID 4964 wrote to memory of 4860 4964 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 84 PID 4964 wrote to memory of 4860 4964 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 84 PID 4964 wrote to memory of 4860 4964 
a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 84 PID 4964 wrote to memory of 4860 4964 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 84 PID 4964 wrote to memory of 4860 4964 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 84 PID 4868 wrote to memory of 1744 4868 WScript.exe 85 PID 4868 wrote to memory of 1744 4868 WScript.exe 85 PID 4868 wrote to memory of 1744 4868 WScript.exe 85 PID 1744 wrote to memory of 2476 1744 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 86 PID 1744 wrote to memory of 2476 1744 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 86 PID 1744 wrote to memory of 2476 1744 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 86 PID 1744 wrote to memory of 2476 1744 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 86 PID 1744 wrote to memory of 2476 1744 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 86 PID 1744 wrote to memory of 2476 1744 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 86 PID 1744 wrote to memory of 2476 1744 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 86 PID 1744 wrote to memory of 2476 1744 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 86 PID 4868 wrote to memory of 2464 4868 WScript.exe 87 PID 4868 wrote to memory of 2464 4868 WScript.exe 87 PID 4868 wrote to memory of 2464 4868 WScript.exe 87 PID 2464 wrote to memory of 1120 2464 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 88 PID 2464 wrote to memory of 1120 2464 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 88 PID 2464 wrote to memory of 1120 2464 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 88 PID 2464 wrote to memory of 1120 2464 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 88 PID 2464 wrote to memory of 1120 2464 
a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 88 PID 4868 wrote to memory of 4100 4868 WScript.exe 92 PID 4868 wrote to memory of 4100 4868 WScript.exe 92 PID 4868 wrote to memory of 4100 4868 WScript.exe 92 PID 4100 wrote to memory of 240 4100 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 93 PID 4100 wrote to memory of 240 4100 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 93 PID 4100 wrote to memory of 240 4100 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 93 PID 4100 wrote to memory of 240 4100 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 93 PID 4100 wrote to memory of 240 4100 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 93 PID 4100 wrote to memory of 240 4100 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 93 PID 4100 wrote to memory of 240 4100 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 93 PID 4100 wrote to memory of 240 4100 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 93 PID 4868 wrote to memory of 1532 4868 WScript.exe 94 PID 4868 wrote to memory of 1532 4868 WScript.exe 94 PID 4868 wrote to memory of 1532 4868 WScript.exe 94 PID 1532 wrote to memory of 4380 1532 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 95 PID 1532 wrote to memory of 4380 1532 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 95 PID 1532 wrote to memory of 4380 1532 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 95 PID 1532 wrote to memory of 4380 1532 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 95 PID 1532 wrote to memory of 4380 1532 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 95 PID 1532 wrote to memory of 4380 1532 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 95 PID 1532 wrote to memory of 4380 1532 
a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 95 PID 1532 wrote to memory of 4380 1532 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe 95 PID 4868 wrote to memory of 3536 4868 WScript.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Local\Temp\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\nDSfD.vbs" 02⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:4860
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2476
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:1120
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 805⤵
- Program crash
PID:948
-
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:240
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:4380
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3536 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:3672
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4308 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:2284
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2272 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:4712
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:416 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:1540
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3772 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:4124
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4208 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:3416
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 125⤵
- Program crash
PID:2660
-
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:652 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:3448
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2328 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:3980
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1268 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:2820
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2084 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:3780
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4288 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:4072
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3332 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:2212
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:5016 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:4860
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4912 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:228
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1704 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:4688
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 805⤵
- Program crash
PID:5072
-
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:240 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:4572
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 805⤵
- Program crash
PID:2032
-
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2288 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:3512
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 805⤵
- Program crash
PID:1764
-
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3540 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:4996
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4640 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:4356
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 805⤵
- Program crash
PID:4108
-
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3620 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:1612
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
PID:4448
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵PID:4932
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1120 -ip 11201⤵PID:1648
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 3416 -ip 34161⤵PID:1332
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3980 -ip 39801⤵PID:1624
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4688 -ip 46881⤵PID:2888
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4572 -ip 45721⤵PID:3168
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3512 -ip 35121⤵PID:2732
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4356 -ip 43561⤵PID:4140
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
496B
MD55b4789d01bb4d7483b71e1a35bce6a8b
SHA1de083f2131c9a763c0d1810c97a38732146cffbf
SHA256e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6
SHA512357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede
-
Filesize
2KB
MD532915ebf0e709bc40254d3ebedffb6ed
SHA198f317e1c252e58b8a21e3a7de96f0e91769908f
SHA256afcc5fefc188663a744b8d4cc395f76b51cf5ab48070709dbfef38bae9463b88
SHA512fdca2cec060267641032e9012faa60d25783797b87a332d4dae1658e49df56fc5a92c5f6723f8ba746e2dda200d7333ae8bc2bde3d82077bc1b90e13de91dd37
-
Filesize
2KB
MD5019d8de83fae02c44629868000872e9f
SHA1f8cb92397ec81d8762529cfc23b09a686463d7da
SHA2560fe2c31b7812aada7aaace2d105694e34eecca2b480d949388c4bb242ed86942
SHA51202febc111ee6f7d8bb6d0aa015683cbf3db2d5e468f52b113033d407dcdb309fa4222d9a09b448ca30c35a414e3d7828c9f467ddcc6283d31f9e0949ada0dfb2
-
Filesize
2KB
MD5aa059277bdc7ee47e9c1ad5c9d6f0e81
SHA1ccf33b2884e0c9aab9c947f0fbd09ed64baff426
SHA2568b087a4deb140d432095e1e2dc1e2161ad51388df718437170108f4b3826a224
SHA5120e4c08b9b50ddd5b4929f9ca93d1105bfdb5232e5649723c0d6bd76d6fb1d9a4c5345bc81085aab083407397bab2abf1e158677096fa01d43a022dba5b5bb741
-
Filesize
2KB
MD5139cd80467603efdc9576c90688dbf91
SHA11b57e4354756d734823c07d511398e08309b1782
SHA25656981480fb250a50527aee5ac9ffc51312cd1f8446a6dd218c20517e521c84c9
SHA512462ecba2b74e343d4ccfd0dd3134908d1d58e68754c2cc5754248204ab8cc400d37788d464bad5c23ded8372f22a5737fe07f66b162a6fd33fce0d8e4c63c57f
-
Filesize
2KB
MD5cec463991ae7d8138995ba98ff82b0d9
SHA1f0b0bcd71658e98cc32469a8b8195a1fe2d919b6
SHA256cf4226cb967a1b3474b4e65139aeaf5761b27ea0f408dce14527e3b6e11276e1
SHA512efcd879abf2a909c834397bd7504b810da274529088b90422bda81f36e01bac873c9926f69d0d0edf701f3e5a03d17a564abcc164d0d29b667c35c349533eb81
-
Filesize
2KB
MD53aed3edcd54acd1762713b19bbd3d0e9
SHA1f1bda063f8e9ca53b4d62f22158b4b28f3859d06
SHA2563e6cb80558b16e279369579780f8a55ff79a045fd23148a771806da009bfc96f
SHA51248de11b8a6441a9f6f52cd243a1298beb8e39d2bcd97a9ad4c4536267b493ec4ee9c7d04750f72291e63428565d2169b46b98adab084046126eb03222888ea78
-
Filesize
220B
MD57665a54f8c588928a9858e293a55e1bd
SHA197903e2edafcb1ce04435bc83bfe16bcf38e64a2
SHA256c7fb59485d651db7826bcdc73036978b10007faa70f28010cd0125270d759bc0
SHA512f7f24b1f150fe43322232f93d414a19bd52f592cdfcaac2a07c1d18cdc739dd916035581827e9804aeff782edbb59f4ad9edcd85aff102ef35ce647c5da29cb3
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize1.5MB
MD5fd3675162967550d15055b7e9ddccc25
SHA1b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA51206fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize1.5MB
MD5fd3675162967550d15055b7e9ddccc25
SHA1b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA51206fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize1.5MB
MD5fd3675162967550d15055b7e9ddccc25
SHA1b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA51206fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize1.5MB
MD5fd3675162967550d15055b7e9ddccc25
SHA1b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA51206fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize1.5MB
MD5fd3675162967550d15055b7e9ddccc25
SHA1b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA51206fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize1.5MB
MD5fd3675162967550d15055b7e9ddccc25
SHA1b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA51206fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize1.5MB
MD5fd3675162967550d15055b7e9ddccc25
SHA1b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA51206fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093
-
C:\Users\Admin\AppData\Roaming\Windows\a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80.exe
Filesize 1.5MB
MD5 fd3675162967550d15055b7e9ddccc25
SHA1 b0dcd0b5ebb171635dacb69951df5f85f2c47e61
SHA256 a9d88956642da3735ccf4ee6b9883a87a8b04fd816985bee7da086f7c68c6a80
SHA512 06fd601f426827ea87521a0b3f9d581fccad3047d1eca8befc8173594b47ccb65d59a7b416026b88b329a24892637f650c81218886f75ea416d086a4e5825093