54bb19d9608d11a4849f932e0a4fd54055cdbeffe6d99625597657d14d0cbc29

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ka6ber.exe
Size

561KB
MD5

b3027dffa9bbac7e1999223cf737200b
SHA1

04f7be390d135405b5d1925b205c0c871301b522
SHA256

79f6b4271df1773fff40117e4d3b5dcee71e2ec149d749541d0160e2873b88eb
SHA512

4bbc090301c821f3fa8f008d4e1262a80b00b0f36fdb365bb76b78f4d679789cc4b30dcb8b4008730492312d5d93eb55de44cbae5bcb2368c63f2373613c6109
SSDEEP

12288:GP7CFdIekSytTtTcZ5Oz6Y147em6cZLxd9f0OimJfL:u7CIiCtTcPV7lL1jxlL

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	ka6ber.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral10/memory/2312-0-0x0000000000400000-0x000000000059A000-memory.dmp	upx
behavioral10/memory/2312-208-0x0000000000400000-0x000000000059A000-memory.dmp	upx
behavioral10/memory/2312-223-0x0000000000400000-0x000000000059A000-memory.dmp	upx
behavioral10/memory/2312-236-0x0000000000400000-0x000000000059A000-memory.dmp	upx
behavioral10/memory/2312-254-0x0000000000400000-0x000000000059A000-memory.dmp	upx
behavioral10/memory/2312-269-0x0000000000400000-0x000000000059A000-memory.dmp	upx
behavioral10/memory/2312-288-0x0000000000400000-0x000000000059A000-memory.dmp	upx
behavioral10/memory/2312-301-0x0000000000400000-0x000000000059A000-memory.dmp	upx
behavioral10/memory/2312-316-0x0000000000400000-0x000000000059A000-memory.dmp	upx
behavioral10/memory/2312-329-0x0000000000400000-0x000000000059A000-memory.dmp	upx
behavioral10/memory/2312-348-0x0000000000400000-0x000000000059A000-memory.dmp	upx
behavioral10/memory/2312-361-0x0000000000400000-0x000000000059A000-memory.dmp	upx
behavioral10/memory/2312-376-0x0000000000400000-0x000000000059A000-memory.dmp	upx
behavioral10/memory/2312-389-0x0000000000400000-0x000000000059A000-memory.dmp	upx
behavioral10/memory/2312-408-0x0000000000400000-0x000000000059A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 49 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe"	regedit.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 49 IoCs

pid	Process
4876	regedit.exe
4372	regedit.exe
2404	regedit.exe
4296	regedit.exe
2608	regedit.exe
4864	regedit.exe
5088	regedit.exe
4952	regedit.exe
636	regedit.exe
4776	regedit.exe
896	regedit.exe
2344	regedit.exe
4284	regedit.exe
2172	regedit.exe
4844	regedit.exe
1480	regedit.exe
5028	regedit.exe
984	regedit.exe
1052	regedit.exe
4888	regedit.exe
2132	regedit.exe
4048	regedit.exe
1700	regedit.exe
4620	regedit.exe
368	regedit.exe
116	regedit.exe
1184	regedit.exe
4384	regedit.exe
3444	regedit.exe
4696	regedit.exe
1844	regedit.exe
4020	regedit.exe
4852	regedit.exe
1208	regedit.exe
4296	regedit.exe
5028	regedit.exe
5080	regedit.exe
3036	regedit.exe
716	regedit.exe
720	regedit.exe
2140	regedit.exe
5012	regedit.exe
4284	regedit.exe
4592	regedit.exe
2344	regedit.exe
4828	regedit.exe
880	regedit.exe
1180	regedit.exe
1460	regedit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2312	ka6ber.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2312	ka6ber.exe
2312	ka6ber.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 804	2312	ka6ber.exe	84
PID 2312 wrote to memory of 804	2312	ka6ber.exe	84
PID 2312 wrote to memory of 804	2312	ka6ber.exe	84
PID 2312 wrote to memory of 1812	2312	ka6ber.exe	85
PID 2312 wrote to memory of 1812	2312	ka6ber.exe	85
PID 2312 wrote to memory of 1812	2312	ka6ber.exe	85
PID 2312 wrote to memory of 2720	2312	ka6ber.exe	88
PID 2312 wrote to memory of 2720	2312	ka6ber.exe	88
PID 2312 wrote to memory of 2720	2312	ka6ber.exe	88
PID 2312 wrote to memory of 4192	2312	ka6ber.exe	91
PID 2312 wrote to memory of 4192	2312	ka6ber.exe	91
PID 2312 wrote to memory of 4192	2312	ka6ber.exe	91
PID 2312 wrote to memory of 4828	2312	ka6ber.exe	92
PID 2312 wrote to memory of 4828	2312	ka6ber.exe	92
PID 2312 wrote to memory of 4828	2312	ka6ber.exe	92
PID 2312 wrote to memory of 3616	2312	ka6ber.exe	93
PID 2312 wrote to memory of 3616	2312	ka6ber.exe	93
PID 2312 wrote to memory of 3616	2312	ka6ber.exe	93
PID 2312 wrote to memory of 3108	2312	ka6ber.exe	94
PID 2312 wrote to memory of 3108	2312	ka6ber.exe	94
PID 2312 wrote to memory of 3108	2312	ka6ber.exe	94
PID 2312 wrote to memory of 4620	2312	ka6ber.exe	96
PID 2312 wrote to memory of 4620	2312	ka6ber.exe	96
PID 2312 wrote to memory of 4620	2312	ka6ber.exe	96
PID 2312 wrote to memory of 5028	2312	ka6ber.exe	97
PID 2312 wrote to memory of 5028	2312	ka6ber.exe	97
PID 2312 wrote to memory of 5028	2312	ka6ber.exe	97
PID 2312 wrote to memory of 4976	2312	ka6ber.exe	98
PID 2312 wrote to memory of 4976	2312	ka6ber.exe	98
PID 2312 wrote to memory of 4976	2312	ka6ber.exe	98
PID 2312 wrote to memory of 4680	2312	ka6ber.exe	99
PID 2312 wrote to memory of 4680	2312	ka6ber.exe	99
PID 2312 wrote to memory of 4680	2312	ka6ber.exe	99
PID 2312 wrote to memory of 2020	2312	ka6ber.exe	102
PID 2312 wrote to memory of 2020	2312	ka6ber.exe	102
PID 2312 wrote to memory of 2020	2312	ka6ber.exe	102
PID 2312 wrote to memory of 720	2312	ka6ber.exe	103
PID 2312 wrote to memory of 720	2312	ka6ber.exe	103
PID 2312 wrote to memory of 720	2312	ka6ber.exe	103
PID 2312 wrote to memory of 4796	2312	ka6ber.exe	104
PID 2312 wrote to memory of 4796	2312	ka6ber.exe	104
PID 2312 wrote to memory of 4796	2312	ka6ber.exe	104
PID 2312 wrote to memory of 4604	2312	ka6ber.exe	105
PID 2312 wrote to memory of 4604	2312	ka6ber.exe	105
PID 2312 wrote to memory of 4604	2312	ka6ber.exe	105
PID 2312 wrote to memory of 1984	2312	ka6ber.exe	106
PID 2312 wrote to memory of 1984	2312	ka6ber.exe	106
PID 2312 wrote to memory of 1984	2312	ka6ber.exe	106
PID 2312 wrote to memory of 116	2312	ka6ber.exe	107
PID 2312 wrote to memory of 116	2312	ka6ber.exe	107
PID 2312 wrote to memory of 116	2312	ka6ber.exe	107
PID 2312 wrote to memory of 4832	2312	ka6ber.exe	108
PID 2312 wrote to memory of 4832	2312	ka6ber.exe	108
PID 2312 wrote to memory of 4832	2312	ka6ber.exe	108
PID 2312 wrote to memory of 1396	2312	ka6ber.exe	109
PID 2312 wrote to memory of 1396	2312	ka6ber.exe	109
PID 2312 wrote to memory of 1396	2312	ka6ber.exe	109
PID 2312 wrote to memory of 1040	2312	ka6ber.exe	110
PID 2312 wrote to memory of 1040	2312	ka6ber.exe	110
PID 2312 wrote to memory of 1040	2312	ka6ber.exe	110
PID 2312 wrote to memory of 2344	2312	ka6ber.exe	111
PID 2312 wrote to memory of 2344	2312	ka6ber.exe	111
PID 2312 wrote to memory of 2344	2312	ka6ber.exe	111
PID 2312 wrote to memory of 3996	2312	ka6ber.exe	112

C:\Users\Admin\AppData\Local\Temp\ka6ber.exe
"C:\Users\Admin\AppData\Local\Temp\ka6ber.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:804
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1812
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:2720
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4192
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:4828
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:3616
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:3108
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4620
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:5028
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4976
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4680
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:2020
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:720
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4796
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4604
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1984
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:116
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4832
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1396
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1040
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2344
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:3996
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:2596
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1300
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:4952
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:872
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:3768
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:3420
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:1460
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:2420
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4768
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:400
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2140
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:772
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:3296
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:2524
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:4876
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1228
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:2912
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4660
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:4020
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4328
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:672
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1668
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:4696
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:3056
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:3828
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:456
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:4372
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4132
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:3288
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:5036
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:4776
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4052
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:3864
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:2196
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:4888
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:3544
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4612
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:2800
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:5080
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1308
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:3604
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4412
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:1844
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:2188
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1148
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:5028
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4628
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4780
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:5024
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4288
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:636
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1768
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4004
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1100
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:4296
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4520
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:2460
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1528
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:5012
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:3976
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:212
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:896
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1004
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:2320
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4636
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:984
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4248
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4784
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:3900
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:4284
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:2752
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4524
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:2268
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:880
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4956
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4192
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1380
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:3036
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1280
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:2576
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4676
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:4384
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:5092
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4008
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1884
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:3444
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:3916
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4724
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:3008
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2132
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4788
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4224
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4372
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:4592
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1492
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4664
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4888
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:4620
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:5108
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4812
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:3540
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:1052
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:3044
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4828
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:2156
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2404
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:676
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4432
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:3676
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:716
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4036
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4680
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4540
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:4296
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:3304
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4608
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:2852
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:1180
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:2908
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:3424
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1808
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:4852
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:964
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4184
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:448
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2344
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4796
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1724
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:8
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:4284
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1376
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:220
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4748
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:1208
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:2324
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:2624
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4800
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2608
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:5000
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:3448
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:3632
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:368
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:2220
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:3800
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1900
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:5088
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1976
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:5116
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:1184
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4740
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1364
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1048
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2172
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:2132
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4392
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:2052
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:4864
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4776
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:2932
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:5008
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:4048
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:740
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4448
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1760
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:1700
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4408
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1220
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4892
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:4844
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:2348
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:3672
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:1180
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s org.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:1480
- C:\Users\Admin\AppData\Local\Temp\norton.exe
  "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc
  2⤵
  PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\o1o2o3o4

Filesize
2KB

MD5
d346f874d4c7ca52dcf291edd76f4500

SHA1
fed39d05fd41e372d65820c58b2b4f84901fda91

SHA256
f1e82e7fff6affc3a29f0dca605bfafa8eb05117a7ca098d61b8b29ff53a66cb

SHA512
25e5eb26268faf7d91e65fe7eab89d4b0d18bb21766b398eb7bc53641543cd5599cb1ddd36a215abfb6e7d0861c9a808551e4163fbf6ab20bf98c6a664a7f539

Download Submit
C:\Users\Admin\AppData\Local\Temp\o1o2o3o4

Filesize
2KB

MD5
c42c6aec3a7e77dc835762e07d1f63a6

SHA1
2d05adc3c157ef34dbf2d1e974dd53a01d77855b

SHA256
602b3880c21ee9f8a30de1ff88aa8155884ca8b338bf9fa8278b1bb1a85d5277

SHA512
67e85b0a8ec1816862a0defbc9b86adab77627d25eca86e273b575851727cfbf12f88e71ea860c33449354657a3c64b9134fb7eeeafe9e58bbd64054b0ba0e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\o1o2o3o4

Filesize
2KB

MD5
b748fdba5fc832c0f5285bafae6ba415

SHA1
6b02bc48b0612a6d1197e6b0e5c14a19f6500458

SHA256
93372385f92c64c14c6464ed35fd47bc44ac2073679ce9eb8d34e15fe5f93174

SHA512
840ec69f286334017e5bf999572ac1da6191b37489b980f4e86bfa9d43301746e74a3609b38f5cf2e106757958f94a76bf6364b8bbdf15deba50d3b445044325

Download Submit
C:\Users\Admin\AppData\Local\Temp\o1o2o3o4

Filesize
2KB

MD5
ddd6182018e46e7014637d06accfd629

SHA1
a44075c41515eaea3e0d551642e113a75640fb6f

SHA256
f9eb4875406e86f56447510b6b48c90ced438ff6b0ccd928d0703b1c7cdf85d2

SHA512
7ad1d7559a9496e738f70edb0c4af7bd45b893ace7c18f12e7c9dfb7944462255f40654640aebfcfb1f5930d24d8c85d041d44600b09a40e1bd89932a3acad94

Download Submit
C:\Users\Admin\AppData\Local\Temp\org.reg

Filesize
143B

MD5
0953624657209297b2ce4f1ccd89be44

SHA1
08e83ccfd0c164774a7b8ed4d4bf023eb39d5b6c

SHA256
d3ec8c767a5e5be2c2f53b6f8e9080b42e38524e4c746b058ad2ef2e04c07ff5

SHA512
b82d843f46f25ecbfa21826b3dfac67735d78fcd704cc807d3878ac11ea7d3f90d061ab23d8bda74d734d5bca11171f6c201e38a66c897d6a092dd548a73c988

Download Submit
C:\Users\Admin\AppData\Local\Temp\org.reg

Filesize
286B

MD5
b07256e23013dc4555d2aceb8b7caf0f

SHA1
9d21bdada1e93d3b29343fd341675c5466721fdd

SHA256
85a61cec94852847df76f9d88410372d19a6d3cb2395a16324f046f6e0f6e5ca

SHA512
ee2d6d7022658726119e9d30811fd59c62748a860b89c28a3bf9a4250527558e06d4e4850fc1ef2aba35afff3fb8b05459d5a402b93f6ef509de88a5f39d28d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\org.reg

Filesize
10B

MD5
c756b8eac93de58d57105a6c35adb50f

SHA1
b18d370dabc3c5b9e82d74f19bbc101a1be009f2

SHA256
853448e59c9bb7599fa8a5ff03a0b608781a02d41f58576f1192e0c48cb8d635

SHA512
09fbfe4a17b1fb6167c6889e5a0ab41cfef9e1372796e69c2558a50a002d9c1e2b0d81d45d7f96be9d02a8025d0ae276ecc01f135e9ccb04c301adcffd67d263

Download Submit
C:\Users\Admin\AppData\Local\Temp\org.reg

Filesize
78B

MD5
8486f938bd4b5f19b99deaa3adf11cc6

SHA1
f2e3d4d6c079aca6e6c65321746f5c3821e61c5b

SHA256
f787297d7fe98a19a173dde83d5c5379629162a587304be466f1bb699362aa1e

SHA512
9ae5f48301e18b2d506616d351fe81dc94d9bb75bd7f7b98b765c8f591627e68ae474eecf2611e61a355dcacbebb29e0074731d4917753f3de9c2c29d99e17a2

Download Submit
memory/2312-288-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2312-348-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2312-0-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2312-254-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2312-208-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2312-269-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2312-223-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2312-316-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2312-236-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2312-329-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2312-301-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2312-361-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2312-376-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2312-389-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2312-408-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads