c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8

Analysis

max time kernel
151s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Size

396KB
MD5

13b04d60364e80b44fdf4f601d3d1ff0
SHA1

760f447bfcf0ef155a0e79a14b6437dc2ddc19dc
SHA256

c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8
SHA512

adc50b85fcfd3f575f73e1e33d09275dc06b5997ce557c1a4fef5d70599b3c2ea21041392252aec3878b9ed432e7a99619ec2cbf010bb2999d84821e3cd7f78e
SSDEEP

3072:uo8L5tpV+CSA1AAPoCpxW5ATBfUNjpS1yvkTVC9FieYTTLprx/m3qT4S826guKq5:ytpvoCpcNQvjQdiq9Etx1fa

Score

10^/10

persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	system.exe

Adds policy Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe"	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe"	Global.exe

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe	system.exe
File created	C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe

Executes dropped EXE 3 IoCs

pid	Process
788	Global.exe
1672	svchost.exe
1936	system.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\WINDOWS\\Fonts\\tskmgr.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\WINDOWS\\Fonts\\tskmgr.exe"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "C:\\WINDOWS\\Fonts\\fonts.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif"	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\WINDOWS\\Fonts\\Fonts.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\WINDOWS\\Fonts\\Fonts.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "C:\\WINDOWS\\Fonts\\fonts.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\WINDOWS\\Fonts\\tskmgr.exe"	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\WINDOWS\\Fonts\\tskmgr.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\WINDOWS\\Fonts\\Fonts.exe"	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "C:\\WINDOWS\\Fonts\\fonts.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "C:\\WINDOWS\\Fonts\\fonts.exe"	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\WINDOWS\\Fonts\\Fonts.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe	system.exe

Loads dropped DLL 6 IoCs

pid	Process
1808	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
1808	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
788	Global.exe
788	Global.exe
1672	svchost.exe
1672	svchost.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	Global.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	Global.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe"	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe"	svchost.exe

Drops autorun.inf file 1 TTPs 9 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	Global.exe
File opened for modification	D:\autorun.inf	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File created	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	svchost.exe
File opened for modification	C:\autorun.inf	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	Global.exe
File created	D:\autorun.inf	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	system.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Default.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File created	C:\WINDOWS\SysWOW64\dllcache\svchost.exe	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E)\svchost.exe	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File created	C:\WINDOWS\SysWOW64\regedit.exe	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Global.exe	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Default.exe	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\tskmgr.exe	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E)\Global.exe	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File created	C:\WINDOWS\SysWOW64\dllcache\tskmgr.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Default.exe	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File created	C:\WINDOWS\SysWOW64\regedit.exe	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Global.exe	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\svchost.exe	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache	system.exe
File created	C:\WINDOWS\SysWOW64\regedit.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\svchost.exe	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Global.exe	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\tskmgr.exe	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\svchost.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Default.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Global.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\regedit.exe	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	svchost.exe

Drops file in Windows directory 38 IoCs

description	ioc	Process
File created	C:\WINDOWS\system\KEYBOARD.exe	system.exe
File created	C:\WINDOWS\Help\microsoft.hlp	system.exe
File created	C:\WINDOWS\Cursors\Boom.vbs	system.exe
File opened for modification	C:\WINDOWS\Fonts\tskmgr.exe	Global.exe
File created	C:\WINDOWS\Fonts\Fonts.exe	system.exe
File created	C:\WINDOWS\pchealth\Global.exe	system.exe
File created	C:\WINDOWS\pchealth\Global.exe	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File opened for modification	C:\WINDOWS\Cursors\Boom.vbs	Global.exe
File created	C:\WINDOWS\Media\rndll32.pif	system.exe
File created	C:\WINDOWS\pchealth\Global.exe	svchost.exe
File created	C:\WINDOWS\Help\microsoft.hlp	svchost.exe
File created	C:\WINDOWS\Fonts\Fonts.exe	svchost.exe
File created	C:\WINDOWS\system\KEYBOARD.exe	svchost.exe
File created	C:\WINDOWS\Fonts\tskmgr.exe	svchost.exe
File opened for modification	C:\WINDOWS\Fonts\wav.wav	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File created	C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File opened for modification	C:\WINDOWS\pchealth\Global.exe	Global.exe
File created	C:\WINDOWS\Fonts\tskmgr.exe	system.exe
File created	C:\WINDOWS\system\KEYBOARD.exe	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File opened for modification	C:\WINDOWS\Media\rndll32.pif	Global.exe
File created	C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com	system.exe
File opened for modification	C:\WINDOWS\system\KEYBOARD.exe	Global.exe
File opened for modification	C:\WINDOWS\Cursors\Boom.vbs	system.exe
File created	C:\WINDOWS\Fonts\wav.wav	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File created	C:\WINDOWS\Fonts\tskmgr.exe	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File opened for modification	C:\WINDOWS\Cursors\Boom.vbs	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File opened for modification	C:\WINDOWS\Help\microsoft.hlp	Global.exe
File created	C:\WINDOWS\Cursors\Boom.vbs	Global.exe
File created	C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com	svchost.exe
File created	C:\WINDOWS\Media\rndll32.pif	svchost.exe
File created	C:\WINDOWS\Cursors\Boom.vbs	svchost.exe
File created	C:\WINDOWS\Fonts\Fonts.exe	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File created	C:\WINDOWS\Help\microsoft.hlp	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File opened for modification	C:\WINDOWS\Fonts\Fonts.exe	Global.exe
File opened for modification	C:\WINDOWS\Cursors\Boom.vbs	svchost.exe
File created	C:\WINDOWS\Media\rndll32.pif	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File created	C:\WINDOWS\Cursors\Boom.vbs	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
File created	C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com	Global.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 16 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30"	Global.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Desktop\AutoEndTasks = "1"	Global.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Desktop	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	Global.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30"	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Desktop\AutoEndTasks = "1"	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Desktop\AutoEndTasks = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Desktop	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Desktop\AutoEndTasks = "1"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Desktop	Global.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Desktop	svchost.exe

Modifies registry class 44 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe"	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1808	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
788	Global.exe
1672	svchost.exe
1936	system.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 788	1808	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe	28
PID 1808 wrote to memory of 788	1808	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe	28
PID 1808 wrote to memory of 788	1808	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe	28
PID 1808 wrote to memory of 788	1808	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe	28
PID 788 wrote to memory of 1672	788	Global.exe	29
PID 788 wrote to memory of 1672	788	Global.exe	29
PID 788 wrote to memory of 1672	788	Global.exe	29
PID 788 wrote to memory of 1672	788	Global.exe	29
PID 1672 wrote to memory of 1936	1672	svchost.exe	30
PID 1672 wrote to memory of 1936	1672	svchost.exe	30
PID 1672 wrote to memory of 1936	1672	svchost.exe	30
PID 1672 wrote to memory of 1936	1672	svchost.exe	30

System policy modification 1 TTPs 8 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Global.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1"	c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe

C:\Users\Admin\AppData\Local\Temp\c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe
"C:\Users\Admin\AppData\Local\Temp\c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8.exe"
1⤵
- Modifies system executable filetype association
- Adds policy Run key to start application
- Drops file in Drivers directory
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1808
- C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
  "C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe"
  2⤵
  - Modifies system executable filetype association
  - Adds policy Run key to start application
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Sets file execution options in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:788
- - C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
    "C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe"
    3⤵
    - Modifies system executable filetype association
    - Adds policy Run key to start application
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Sets file execution options in registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1672
  - - C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
      "C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"
      4⤵
      Modifies system executable filetype association
      Adds policy Run key to start application
      Drops file in Drivers directory
      Executes dropped EXE
      Sets file execution options in registry
      Adds Run key to start application
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Control Panel
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\Cursors\Boom.vbs

Filesize
4KB

MD5
e72c9789ac7232e3b36766eb2a8f8da6

SHA1
a37a9f18e227d103bb4e1ecac0834c2cdf99d112

SHA256
7b03603cbc56105470b4bfb250d0ef18fa93126475e2872d63dc52c35866d2a9

SHA512
666a2592c5303a1f42a8bbddc2a8e5d3289c612be7401e3530a3afd70d8243276645bad00a82f3254674307583dabae49c16204e790200a34b0707813265f6d0

Download Submit
C:\WINDOWS\Fonts\Fonts.exe

Filesize
396KB

MD5
13b04d60364e80b44fdf4f601d3d1ff0

SHA1
760f447bfcf0ef155a0e79a14b6437dc2ddc19dc

SHA256
c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8

SHA512
adc50b85fcfd3f575f73e1e33d09275dc06b5997ce557c1a4fef5d70599b3c2ea21041392252aec3878b9ed432e7a99619ec2cbf010bb2999d84821e3cd7f78e

Download Submit
C:\WINDOWS\Fonts\tskmgr.exe

Filesize
396KB

MD5
13b04d60364e80b44fdf4f601d3d1ff0

SHA1
760f447bfcf0ef155a0e79a14b6437dc2ddc19dc

SHA256
c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8

SHA512
adc50b85fcfd3f575f73e1e33d09275dc06b5997ce557c1a4fef5d70599b3c2ea21041392252aec3878b9ed432e7a99619ec2cbf010bb2999d84821e3cd7f78e

Download Submit
C:\WINDOWS\Help\microsoft.hlp

Filesize
396KB

MD5
13b04d60364e80b44fdf4f601d3d1ff0

SHA1
760f447bfcf0ef155a0e79a14b6437dc2ddc19dc

SHA256
c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8

SHA512
adc50b85fcfd3f575f73e1e33d09275dc06b5997ce557c1a4fef5d70599b3c2ea21041392252aec3878b9ed432e7a99619ec2cbf010bb2999d84821e3cd7f78e

Download Submit
C:\WINDOWS\Media\rndll32.pif

Filesize
396KB

MD5
13b04d60364e80b44fdf4f601d3d1ff0

SHA1
760f447bfcf0ef155a0e79a14b6437dc2ddc19dc

SHA256
c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8

SHA512
adc50b85fcfd3f575f73e1e33d09275dc06b5997ce557c1a4fef5d70599b3c2ea21041392252aec3878b9ed432e7a99619ec2cbf010bb2999d84821e3cd7f78e

Download Submit
C:\WINDOWS\SysWOW64\dllcache\Default.exe

Filesize
396KB

MD5
13b04d60364e80b44fdf4f601d3d1ff0

SHA1
760f447bfcf0ef155a0e79a14b6437dc2ddc19dc

SHA256
c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8

SHA512
adc50b85fcfd3f575f73e1e33d09275dc06b5997ce557c1a4fef5d70599b3c2ea21041392252aec3878b9ed432e7a99619ec2cbf010bb2999d84821e3cd7f78e

Download Submit
C:\WINDOWS\SysWOW64\dllcache\Global.exe

Filesize
396KB

MD5
13b04d60364e80b44fdf4f601d3d1ff0

SHA1
760f447bfcf0ef155a0e79a14b6437dc2ddc19dc

SHA256
c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8

SHA512
adc50b85fcfd3f575f73e1e33d09275dc06b5997ce557c1a4fef5d70599b3c2ea21041392252aec3878b9ed432e7a99619ec2cbf010bb2999d84821e3cd7f78e

Download Submit
C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe

Filesize
396KB

MD5
13b04d60364e80b44fdf4f601d3d1ff0

SHA1
760f447bfcf0ef155a0e79a14b6437dc2ddc19dc

SHA256
c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8

SHA512
adc50b85fcfd3f575f73e1e33d09275dc06b5997ce557c1a4fef5d70599b3c2ea21041392252aec3878b9ed432e7a99619ec2cbf010bb2999d84821e3cd7f78e

Download Submit
C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe

Filesize
396KB

MD5
13b04d60364e80b44fdf4f601d3d1ff0

SHA1
760f447bfcf0ef155a0e79a14b6437dc2ddc19dc

SHA256
c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8

SHA512
adc50b85fcfd3f575f73e1e33d09275dc06b5997ce557c1a4fef5d70599b3c2ea21041392252aec3878b9ed432e7a99619ec2cbf010bb2999d84821e3cd7f78e

Download Submit
C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe

Filesize
396KB

MD5
13b04d60364e80b44fdf4f601d3d1ff0

SHA1
760f447bfcf0ef155a0e79a14b6437dc2ddc19dc

SHA256
c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8

SHA512
adc50b85fcfd3f575f73e1e33d09275dc06b5997ce557c1a4fef5d70599b3c2ea21041392252aec3878b9ed432e7a99619ec2cbf010bb2999d84821e3cd7f78e

Download Submit
C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe

Filesize
396KB

MD5
13b04d60364e80b44fdf4f601d3d1ff0

SHA1
760f447bfcf0ef155a0e79a14b6437dc2ddc19dc

SHA256
c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8

SHA512
adc50b85fcfd3f575f73e1e33d09275dc06b5997ce557c1a4fef5d70599b3c2ea21041392252aec3878b9ed432e7a99619ec2cbf010bb2999d84821e3cd7f78e

Download Submit
C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe

Filesize
396KB

MD5
13b04d60364e80b44fdf4f601d3d1ff0

SHA1
760f447bfcf0ef155a0e79a14b6437dc2ddc19dc

SHA256
c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8

SHA512
adc50b85fcfd3f575f73e1e33d09275dc06b5997ce557c1a4fef5d70599b3c2ea21041392252aec3878b9ed432e7a99619ec2cbf010bb2999d84821e3cd7f78e

Download Submit
C:\WINDOWS\SysWOW64\dllcache\autorun.inf

Filesize
118B

MD5
4eb846be89a1520b7d0181f0736f9a96

SHA1
869a156f9bd21b06d896cafa66db628f7b5e9679

SHA256
5bf2d22daa1c82872df820f2e5d12fdc60e131f20782cc5e566a04343bfdf6d8

SHA512
ee444365384528857a68672a0b1ae1a3b62f7a4b05038d894bc33f603291defdc03a2a3a2849054aa13f4f2def783fdce8f88a5896fd64f11a3f7c9b19c4008c

Download Submit
C:\WINDOWS\SysWOW64\dllcache\autorun.inf

Filesize
118B

MD5
4eb846be89a1520b7d0181f0736f9a96

SHA1
869a156f9bd21b06d896cafa66db628f7b5e9679

SHA256
5bf2d22daa1c82872df820f2e5d12fdc60e131f20782cc5e566a04343bfdf6d8

SHA512
ee444365384528857a68672a0b1ae1a3b62f7a4b05038d894bc33f603291defdc03a2a3a2849054aa13f4f2def783fdce8f88a5896fd64f11a3f7c9b19c4008c

Download Submit
C:\WINDOWS\SysWOW64\dllcache\autorun.inf

Filesize
118B

MD5
4eb846be89a1520b7d0181f0736f9a96

SHA1
869a156f9bd21b06d896cafa66db628f7b5e9679

SHA256
5bf2d22daa1c82872df820f2e5d12fdc60e131f20782cc5e566a04343bfdf6d8

SHA512
ee444365384528857a68672a0b1ae1a3b62f7a4b05038d894bc33f603291defdc03a2a3a2849054aa13f4f2def783fdce8f88a5896fd64f11a3f7c9b19c4008c

Download Submit
C:\WINDOWS\SysWOW64\dllcache\svchost.exe

Filesize
396KB

MD5
13b04d60364e80b44fdf4f601d3d1ff0

SHA1
760f447bfcf0ef155a0e79a14b6437dc2ddc19dc

SHA256
c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8

SHA512
adc50b85fcfd3f575f73e1e33d09275dc06b5997ce557c1a4fef5d70599b3c2ea21041392252aec3878b9ed432e7a99619ec2cbf010bb2999d84821e3cd7f78e

Download Submit
C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe

Filesize
396KB

MD5
13b04d60364e80b44fdf4f601d3d1ff0

SHA1
760f447bfcf0ef155a0e79a14b6437dc2ddc19dc

SHA256
c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8

SHA512
adc50b85fcfd3f575f73e1e33d09275dc06b5997ce557c1a4fef5d70599b3c2ea21041392252aec3878b9ed432e7a99619ec2cbf010bb2999d84821e3cd7f78e

Download Submit
C:\WINDOWS\pchealth\Global.exe

Filesize
396KB

MD5
13b04d60364e80b44fdf4f601d3d1ff0

SHA1
760f447bfcf0ef155a0e79a14b6437dc2ddc19dc

SHA256
c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8

SHA512
adc50b85fcfd3f575f73e1e33d09275dc06b5997ce557c1a4fef5d70599b3c2ea21041392252aec3878b9ed432e7a99619ec2cbf010bb2999d84821e3cd7f78e

Download Submit
C:\WINDOWS\system\KEYBOARD.exe

Filesize
396KB

MD5
13b04d60364e80b44fdf4f601d3d1ff0

SHA1
760f447bfcf0ef155a0e79a14b6437dc2ddc19dc

SHA256
c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8

SHA512
adc50b85fcfd3f575f73e1e33d09275dc06b5997ce557c1a4fef5d70599b3c2ea21041392252aec3878b9ed432e7a99619ec2cbf010bb2999d84821e3cd7f78e

Download Submit
C:\Windows\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe

Filesize
396KB

MD5
13b04d60364e80b44fdf4f601d3d1ff0

SHA1
760f447bfcf0ef155a0e79a14b6437dc2ddc19dc

SHA256
c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8

SHA512
adc50b85fcfd3f575f73e1e33d09275dc06b5997ce557c1a4fef5d70599b3c2ea21041392252aec3878b9ed432e7a99619ec2cbf010bb2999d84821e3cd7f78e

Download Submit
C:\Windows\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe

Filesize
396KB

MD5
13b04d60364e80b44fdf4f601d3d1ff0

SHA1
760f447bfcf0ef155a0e79a14b6437dc2ddc19dc

SHA256
c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8

SHA512
adc50b85fcfd3f575f73e1e33d09275dc06b5997ce557c1a4fef5d70599b3c2ea21041392252aec3878b9ed432e7a99619ec2cbf010bb2999d84821e3cd7f78e

Download Submit
C:\Windows\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe

Filesize
396KB

MD5
13b04d60364e80b44fdf4f601d3d1ff0

SHA1
760f447bfcf0ef155a0e79a14b6437dc2ddc19dc

SHA256
c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8

SHA512
adc50b85fcfd3f575f73e1e33d09275dc06b5997ce557c1a4fef5d70599b3c2ea21041392252aec3878b9ed432e7a99619ec2cbf010bb2999d84821e3cd7f78e

Download Submit
\Windows\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe

Filesize
396KB

MD5
13b04d60364e80b44fdf4f601d3d1ff0

SHA1
760f447bfcf0ef155a0e79a14b6437dc2ddc19dc

SHA256
c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8

SHA512
adc50b85fcfd3f575f73e1e33d09275dc06b5997ce557c1a4fef5d70599b3c2ea21041392252aec3878b9ed432e7a99619ec2cbf010bb2999d84821e3cd7f78e

Download Submit
\Windows\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe

Filesize
396KB

MD5
13b04d60364e80b44fdf4f601d3d1ff0

SHA1
760f447bfcf0ef155a0e79a14b6437dc2ddc19dc

SHA256
c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8

SHA512
adc50b85fcfd3f575f73e1e33d09275dc06b5997ce557c1a4fef5d70599b3c2ea21041392252aec3878b9ed432e7a99619ec2cbf010bb2999d84821e3cd7f78e

Download Submit
\Windows\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe

Filesize
396KB

MD5
13b04d60364e80b44fdf4f601d3d1ff0

SHA1
760f447bfcf0ef155a0e79a14b6437dc2ddc19dc

SHA256
c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8

SHA512
adc50b85fcfd3f575f73e1e33d09275dc06b5997ce557c1a4fef5d70599b3c2ea21041392252aec3878b9ed432e7a99619ec2cbf010bb2999d84821e3cd7f78e

Download Submit
\Windows\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe

Filesize
396KB

MD5
13b04d60364e80b44fdf4f601d3d1ff0

SHA1
760f447bfcf0ef155a0e79a14b6437dc2ddc19dc

SHA256
c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8

SHA512
adc50b85fcfd3f575f73e1e33d09275dc06b5997ce557c1a4fef5d70599b3c2ea21041392252aec3878b9ed432e7a99619ec2cbf010bb2999d84821e3cd7f78e

Download Submit
\Windows\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe

Filesize
396KB

MD5
13b04d60364e80b44fdf4f601d3d1ff0

SHA1
760f447bfcf0ef155a0e79a14b6437dc2ddc19dc

SHA256
c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8

SHA512
adc50b85fcfd3f575f73e1e33d09275dc06b5997ce557c1a4fef5d70599b3c2ea21041392252aec3878b9ed432e7a99619ec2cbf010bb2999d84821e3cd7f78e

Download Submit
\Windows\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe

Filesize
396KB

MD5
13b04d60364e80b44fdf4f601d3d1ff0

SHA1
760f447bfcf0ef155a0e79a14b6437dc2ddc19dc

SHA256
c764a3065e8546c30dffa2d33cadf92202b60c2594e676db3b5e1ddd9ed62ee8

SHA512
adc50b85fcfd3f575f73e1e33d09275dc06b5997ce557c1a4fef5d70599b3c2ea21041392252aec3878b9ed432e7a99619ec2cbf010bb2999d84821e3cd7f78e

Download Submit
memory/788-82-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/788-92-0x00000000038D0000-0x000000000393C000-memory.dmp

Filesize
432KB

Download
memory/788-93-0x0000000003A10000-0x0000000003A7C000-memory.dmp

Filesize
432KB

Download
memory/1672-94-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1672-104-0x00000000053C0000-0x000000000542C000-memory.dmp

Filesize
432KB

Download
memory/1672-105-0x00000000053C0000-0x000000000542C000-memory.dmp

Filesize
432KB

Download
memory/1808-81-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1808-56-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1808-57-0x0000000074F21000-0x0000000074F23000-memory.dmp

Filesize
8KB

Download
memory/1808-58-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1936-106-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads