Overview: score 7
- Static: score 7
- b.js, windows7-x64: score 1
- b.js, windows10-2004-x64: score 1
- d.js, windows7-x64: score 1
- d.js, windows10-2004-x64: score 1
- d.dll, windows7-x64: score 7
- d.dll, windows10-2004-x64: score 7
- g.js, windows7-x64: score 1
- g.js, windows10-2004-x64: score 1
- ka6ber.exe, windows7-x64: score 7
- ka6ber.exe, windows10-2004-x64: score 7
- msn.dll, windows7-x64: score 1
- msn.dll, windows10-2004-x64: score 1
- norton.exe, windows7-x64: score 1
- norton.exe, windows10-2004-x64: score 1
- of.exe, windows7-x64: score 7
- of.exe, windows10-2004-x64: score 7
- ps2m.exe, windows7-x64: score 7
- ps2m.exe, windows10-2004-x64: score 7
- scans.js, windows7-x64: score 1
- scans.js, windows10-2004-x64: score 1
- securaq.exe, windows7-x64: score 1
- securaq.exe, windows10-2004-x64: score 1
- test.vbs, windows7-x64: score 1
- test.vbs, windows10-2004-x64: score 1
Analysis
- max time kernel: 149s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 12-02-2024 20:40
Behavioral tasks (sample, resource)
- behavioral1: b.js, win7-20231215-en
- behavioral2: b.js, win10v2004-20231215-en
- behavioral3: d.js, win7-20231215-en
- behavioral4: d.js, win10v2004-20231215-en
- behavioral5: d.dll, win7-20231215-en
- behavioral6: d.dll, win10v2004-20231215-en
- behavioral7: g.js, win7-20231129-en
- behavioral8: g.js, win10v2004-20231222-en
- behavioral9: ka6ber.exe, win7-20231215-en
- behavioral10: ka6ber.exe, win10v2004-20231222-en
- behavioral11: msn.dll, win7-20231215-en
- behavioral12: msn.dll, win10v2004-20231215-en
- behavioral13: norton.exe, win7-20231215-en
- behavioral14: norton.exe, win10v2004-20231215-en
- behavioral15: of.exe, win7-20231215-en
- behavioral16: of.exe, win10v2004-20231215-en
- behavioral17: ps2m.exe, win7-20231215-en
- behavioral18: ps2m.exe, win10v2004-20231215-en
- behavioral19: scans.js, win7-20231215-en
- behavioral20: scans.js, win10v2004-20231215-en
- behavioral21: securaq.exe, win7-20231215-en
- behavioral22: securaq.exe, win10v2004-20231222-en
- behavioral23: test.vbs, win7-20231215-en
- behavioral24: test.vbs, win10v2004-20231222-en
General
- Target: ka6ber.exe
- Size: 561KB
- MD5: b3027dffa9bbac7e1999223cf737200b
- SHA1: 04f7be390d135405b5d1925b205c0c871301b522
- SHA256: 79f6b4271df1773fff40117e4d3b5dcee71e2ec149d749541d0160e2873b88eb
- SHA512: 4bbc090301c821f3fa8f008d4e1262a80b00b0f36fdb365bb76b78f4d679789cc4b30dcb8b4008730492312d5d93eb55de44cbae5bcb2368c63f2373613c6109
- SSDEEP: 12288:GP7CFdIekSytTtTcZ5Oz6Y147em6cZLxd9f0OimJfL:u7CIiCtTcPV7lL1jxlL
Malware Config
Signatures
- UPX packed: yara rule upx matched 16 memory dumps of PID 2928 in behavioral9 (region 0x0000000000400000-0x000000000059A000, dumps 2928-0 through 2928-410)
- Adds Run key to start application (2 TTPs, 49 IoCs)
  description ioc Process: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msennger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ka6ber.exe" by regedit.exe. The same value write is recorded 49 times, once per regedit.exe instance.
- Checks installed software on the system (1 TTP): Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP): Attempts to interact with connected storage/optical drive(s).
- Runs .reg file with regedit (49 IoCs)
  pid Process: 49 regedit.exe instances; their PIDs are those of the regedit.exe children listed in the Processes section below.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid Process: 2928 ka6ber.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid Process: 2928 ka6ber.exe (recorded twice)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description pid Process procid_target: PID 2928 (ka6ber.exe) wrote to the memory of target PIDs 2172, 2076, 2968, 3032, 768, 584, 1868, 1980, 2060, 2248, 1552, 1656, 2160, 2428, 1252 and 996 (procid_target 28 through 43), four writes recorded for each target.
Processes
- C:\Users\Admin\AppData\Local\Temp\ka6ber.exe, command line "C:\Users\Admin\AppData\Local\Temp\ka6ber.exe" (depth 1, PID 2928)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\norton.exe, command line "C:\Users\Admin\AppData\Local\Temp\norton.exe" /n /fh mirc (depth 2, PID 2172)
  - C:\Windows\SysWOW64\regedit.exe, command line "C:\Windows\System32\regedit.exe" /s org.reg (depth 2), 49 instances with PIDs, in the order recorded: 2076, 2968, 3032, 768, 584, 1868, 1980, 2060, 2248, 1552, 1656, 2160, 2428, 1252, 996, 1716, 2516, 2240, 2124, 2868, 2720, 1356, 2732, 2592, 2492, 1232, 2972, 3060, 2316, 2852, 2320, 2836, 2012, 1668, 1580, 2104, 1740, 2892, 1676, 772, 1108, 1568, 924, 2060, 2372, 1552, 1044, 1056, 2428 (PIDs 2060, 1552 and 2428 each appear twice, i.e. were reused)
    - Adds Run key to start application
    - Runs .reg file with regedit
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: ddd6182018e46e7014637d06accfd629
  SHA1: a44075c41515eaea3e0d551642e113a75640fb6f
  SHA256: f9eb4875406e86f56447510b6b48c90ced438ff6b0ccd928d0703b1c7cdf85d2
  SHA512: 7ad1d7559a9496e738f70edb0c4af7bd45b893ace7c18f12e7c9dfb7944462255f40654640aebfcfb1f5930d24d8c85d041d44600b09a40e1bd89932a3acad94
- Filesize: 2KB
  MD5: a8706dbcb096323e00a0c140a70ab6fe
  SHA1: a8aea12473dd4890f41ef5038b534b043ec31c49
  SHA256: 9168cfe12ff35d2ebe2443b06e0794f8ecd203deeb1bc5f7641f5550d5e806da
  SHA512: ae6743e0b0e37b7040a2a63f58cfadad7ffa061ca9b0bb93acc105cec0791433620fdf8ec04da068b731147893b51ba88d589a594fce39b1f9f4137965b0476e
- Filesize: 2KB
  MD5: c42c6aec3a7e77dc835762e07d1f63a6
  SHA1: 2d05adc3c157ef34dbf2d1e974dd53a01d77855b
  SHA256: 602b3880c21ee9f8a30de1ff88aa8155884ca8b338bf9fa8278b1bb1a85d5277
  SHA512: 67e85b0a8ec1816862a0defbc9b86adab77627d25eca86e273b575851727cfbf12f88e71ea860c33449354657a3c64b9134fb7eeeafe9e58bbd64054b0ba0e58
- Filesize: 2KB
  MD5: b748fdba5fc832c0f5285bafae6ba415
  SHA1: 6b02bc48b0612a6d1197e6b0e5c14a19f6500458
  SHA256: 93372385f92c64c14c6464ed35fd47bc44ac2073679ce9eb8d34e15fe5f93174
  SHA512: 840ec69f286334017e5bf999572ac1da6191b37489b980f4e86bfa9d43301746e74a3609b38f5cf2e106757958f94a76bf6364b8bbdf15deba50d3b445044325
- Filesize: 143B
  MD5: 0953624657209297b2ce4f1ccd89be44
  SHA1: 08e83ccfd0c164774a7b8ed4d4bf023eb39d5b6c
  SHA256: d3ec8c767a5e5be2c2f53b6f8e9080b42e38524e4c746b058ad2ef2e04c07ff5
  SHA512: b82d843f46f25ecbfa21826b3dfac67735d78fcd704cc807d3878ac11ea7d3f90d061ab23d8bda74d734d5bca11171f6c201e38a66c897d6a092dd548a73c988
- Filesize: 286B
  MD5: b07256e23013dc4555d2aceb8b7caf0f
  SHA1: 9d21bdada1e93d3b29343fd341675c5466721fdd
  SHA256: 85a61cec94852847df76f9d88410372d19a6d3cb2395a16324f046f6e0f6e5ca
  SHA512: ee2d6d7022658726119e9d30811fd59c62748a860b89c28a3bf9a4250527558e06d4e4850fc1ef2aba35afff3fb8b05459d5a402b93f6ef509de88a5f39d28d5
- Filesize: 78B
  MD5: 8486f938bd4b5f19b99deaa3adf11cc6
  SHA1: f2e3d4d6c079aca6e6c65321746f5c3821e61c5b
  SHA256: f787297d7fe98a19a173dde83d5c5379629162a587304be466f1bb699362aa1e
  SHA512: 9ae5f48301e18b2d506616d351fe81dc94d9bb75bd7f7b98b765c8f591627e68ae474eecf2611e61a355dcacbebb29e0074731d4917753f3de9c2c29d99e17a2