44ae9caecde68c01b98de1d478ab53acd4a7641eb26ac5759962cdc7dbec88a0

Analysis

max time kernel
206s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

client.exe
Size

1.3MB
MD5

bfdaf3031c06e227a17383a3e8676d73
SHA1

aa56d3c584b3af18236b2c8b27bc6b61b3d4e739
SHA256

44ae9caecde68c01b98de1d478ab53acd4a7641eb26ac5759962cdc7dbec88a0
SHA512

6628cccae40ff8c52f6ef2f9e367cfd3517d62171376b42a8a69023ab435532481c66b9d4a8d93d21abfcc061e3241c0f15f0cff61d88e8640c92c9955fbd1b4
SSDEEP

12288:k+ouNhdaZdBudjBvAw1Pm/w8YSMflQjxjhIq7o5QKL5yIAhWFB/e9FgMJAIJrKHD:NlVvL1mGQjBy6eNoW3iFgMJAIU

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe

Modifies registry class 53 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Documents"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	notepad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e80922b16d365937a46956b92703aca08af0000	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000670ac89a2f35da0119de9b623335da012e4e0ee37763da0114000000	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "4"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	notepad.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2648	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3068	client.exe
2648	vlc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2692	unregmp2.exe
Token: SeCreatePagefilePrivilege	2692	unregmp2.exe
Token: SeCreateGlobalPrivilege	13408	dwm.exe
Token: SeChangeNotifyPrivilege	13408	dwm.exe
Token: 33	13408	dwm.exe
Token: SeIncBasePriorityPrivilege	13408	dwm.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2648	vlc.exe
2648	vlc.exe
2648	vlc.exe
2648	vlc.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2648	vlc.exe
2648	vlc.exe
2648	vlc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2648	vlc.exe
5040	notepad.exe
5040	notepad.exe
5040	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 1436	4848	wmplayer.exe	95
PID 4848 wrote to memory of 1436	4848	wmplayer.exe	95
PID 4848 wrote to memory of 1436	4848	wmplayer.exe	95
PID 4848 wrote to memory of 4536	4848	wmplayer.exe	96
PID 4848 wrote to memory of 4536	4848	wmplayer.exe	96
PID 4848 wrote to memory of 4536	4848	wmplayer.exe	96
PID 4536 wrote to memory of 2692	4536	unregmp2.exe	97
PID 4536 wrote to memory of 2692	4536	unregmp2.exe	97
PID 4692 wrote to memory of 5040	4692	cmd.exe	108
PID 4692 wrote to memory of 5040	4692	cmd.exe	108
PID 4548 wrote to memory of 2992	4548	cmd.exe	113
PID 4548 wrote to memory of 2992	4548	cmd.exe	113
PID 4548 wrote to memory of 1920	4548	cmd.exe	119
PID 4548 wrote to memory of 1920	4548	cmd.exe	119
PID 4548 wrote to memory of 1908	4548	cmd.exe	117
PID 4548 wrote to memory of 1908	4548	cmd.exe	117
PID 4548 wrote to memory of 2076	4548	cmd.exe	116
PID 4548 wrote to memory of 2076	4548	cmd.exe	116
PID 4548 wrote to memory of 4560	4548	cmd.exe	121
PID 4548 wrote to memory of 4560	4548	cmd.exe	121
PID 4548 wrote to memory of 2720	4548	cmd.exe	440
PID 4548 wrote to memory of 2720	4548	cmd.exe	440
PID 4548 wrote to memory of 1216	4548	cmd.exe	439
PID 4548 wrote to memory of 1216	4548	cmd.exe	439
PID 4548 wrote to memory of 5052	4548	cmd.exe	438
PID 4548 wrote to memory of 5052	4548	cmd.exe	438
PID 4548 wrote to memory of 2268	4548	cmd.exe	436
PID 4548 wrote to memory of 2268	4548	cmd.exe	436
PID 4548 wrote to memory of 1160	4548	cmd.exe	434
PID 4548 wrote to memory of 1160	4548	cmd.exe	434
PID 4548 wrote to memory of 3140	4548	cmd.exe	433
PID 4548 wrote to memory of 3140	4548	cmd.exe	433
PID 4548 wrote to memory of 2176	4548	cmd.exe	123
PID 4548 wrote to memory of 2176	4548	cmd.exe	123
PID 4548 wrote to memory of 4208	4548	cmd.exe	122
PID 4548 wrote to memory of 4208	4548	cmd.exe	122
PID 4548 wrote to memory of 4864	4548	cmd.exe	432
PID 4548 wrote to memory of 4864	4548	cmd.exe	432
PID 4548 wrote to memory of 3184	4548	cmd.exe	431
PID 4548 wrote to memory of 3184	4548	cmd.exe	431
PID 4548 wrote to memory of 1236	4548	cmd.exe	430
PID 4548 wrote to memory of 1236	4548	cmd.exe	430
PID 4548 wrote to memory of 3524	4548	cmd.exe	429
PID 4548 wrote to memory of 3524	4548	cmd.exe	429
PID 4548 wrote to memory of 3432	4548	cmd.exe	428
PID 4548 wrote to memory of 3432	4548	cmd.exe	428
PID 4548 wrote to memory of 3232	4548	cmd.exe	427
PID 4548 wrote to memory of 3232	4548	cmd.exe	427
PID 4548 wrote to memory of 4440	4548	cmd.exe	426
PID 4548 wrote to memory of 4440	4548	cmd.exe	426
PID 4548 wrote to memory of 4320	4548	cmd.exe	425
PID 4548 wrote to memory of 4320	4548	cmd.exe	425
PID 4548 wrote to memory of 3836	4548	cmd.exe	423
PID 4548 wrote to memory of 3836	4548	cmd.exe	423
PID 4548 wrote to memory of 4688	4548	cmd.exe	422
PID 4548 wrote to memory of 4688	4548	cmd.exe	422
PID 4548 wrote to memory of 3136	4548	cmd.exe	421
PID 4548 wrote to memory of 3136	4548	cmd.exe	421
PID 4548 wrote to memory of 5064	4548	cmd.exe	420
PID 4548 wrote to memory of 5064	4548	cmd.exe	420
PID 4548 wrote to memory of 1460	4548	cmd.exe	418
PID 4548 wrote to memory of 1460	4548	cmd.exe	418
PID 4548 wrote to memory of 720	4548	cmd.exe	124
PID 4548 wrote to memory of 720	4548	cmd.exe	124

C:\Users\Admin\AppData\Local\Temp\client.exe
"C:\Users\Admin\AppData\Local\Temp\client.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3068

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
  2⤵
  PID:1436
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2692

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\BlockSync.mpg"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2648

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3784

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\yo3315.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2992
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2076
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1908
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1920
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4560
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4208
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2176
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:720
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3208
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:448
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2516
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2468
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4656
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2288
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1008
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3664
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2244
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2320
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3416
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1384
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3376
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:968
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4404
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3980
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:620
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:948
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1728
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1164
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:184
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2024
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3888
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1516
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3364
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:208
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4264
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2200
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1768
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1592
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:556
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:212
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4600
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:972
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:516
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4312
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3660
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4528
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4384
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7032
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3116
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:452
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:940
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7348
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7340
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7332
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7324
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7316
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7308
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7300
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7292
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7284
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7276
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7268
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7260
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7252
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7244
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7236
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7228
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8548
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7220
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7212
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7204
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7196
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8644
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8636
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8628
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8620
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8612
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8604
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8596
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8588
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8580
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8572
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8564
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7188
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7180
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7172
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2748
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:540
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3648
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5072
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2284
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5492
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2128
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5276
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5280
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5776
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3388
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7160
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7152
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9148
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7144
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7136
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7128
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7120
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7112
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7104
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7096
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7088
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7080
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7072
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7064
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7056
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7048
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4276
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2840
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4316
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1248
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1424
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3556
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2020
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:876
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1624
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9164
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3060
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4244
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1488
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4832
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4348
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3808
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5084
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1104
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:536
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:872
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2328
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1396
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1100
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3936
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:916
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2300
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:532
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3148
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3476
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4856
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1460
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5064
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3136
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4688
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3836
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4320
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4440
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3232
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3432
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3524
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1236
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3184
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4864
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3140
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1160
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10584
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2268
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5052
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1216
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2720
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10928
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11000
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10992
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10984
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10968
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10960
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10952
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11032
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10944
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11280
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11376
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11632
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11720
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11624
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11616
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11608
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11600
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11592
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11584
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11576
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11568
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11560
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11552
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11544
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11536
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11528
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11520
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11512
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11504
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11496
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11488
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11480
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11472
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11464
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11456
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11448
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11440
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11432
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11424
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11416
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11408
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11400
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11392
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12452
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12468
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12632
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12840
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13052
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13024
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13008
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12940
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12928
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12612
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12604
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12596
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12588
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12580
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12572
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12564
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12556
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12548
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12540
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12532
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12524
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12512
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12500
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12492
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12484

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
563088ad0f20fabf9dd62c6ba8ae1636

SHA1
f9cd2fd153afa1a12ff990cf27c32b8c9c44e878

SHA256
eb897bf202d32f067728f1b666eb16e9926557efa8676b72db11411013030184

SHA512
8229dfb1d96b6a34b91b1e5c463833e7859331be880f585c48af1ba0ace0465ac755c7f22a9e6f30284266165f850e8f85af76157eea8136b2d6f79db02d3092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
659961b4eae8ba13f5ad6704e55232d3

SHA1
c75a74b0ad8eae70cd106ee46dca73e293fc336d

SHA256
eaa3487a839ee46d1b86fe325a049c77f3783b9248beb8be78f5d22450817425

SHA512
71f3a3bef7ba187f0b77f551aa901e8dbf1e853264c007af51ae49f58d18510f2efbeaafc674a96f1decd04718bb00c1f368e9e1ae984abbb4c6ec7fbfcadb53

Download Submit
C:\Users\Admin\Desktop\yo3315.bat

Filesize
28B

MD5
4a32a319f9e14dbee2c9a9793ce73a1e

SHA1
2bb06c5034b63820f7b3c9914b58efe247f3f4ea

SHA256
5b04e63730b4092f6be1d60cabfd671016678428989d5d2131b72d8a0fa1a626

SHA512
acc53245d1307d3fdede32687de695227ad253d956462e9d9ffbf092b9835580d56d85c3a6c492f39d618b93865462535d7526644cd166cd3b1fc4e0f5e39ad9

Download Submit
memory/2648-41-0x00007FF6939E0000-0x00007FF693AD8000-memory.dmp

Filesize
992KB

Download
memory/2648-42-0x00007FFEF88C0000-0x00007FFEF88F4000-memory.dmp

Filesize
208KB

Download
memory/2648-43-0x00007FFEF8600000-0x00007FFEF88B4000-memory.dmp

Filesize
2.7MB

Download
memory/2648-44-0x00007FFEF6AD0000-0x00007FFEF7B7B000-memory.dmp

Filesize
16.7MB

Download
memory/2648-45-0x00007FFEF5EC0000-0x00007FFEF5FD2000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads