Analysis
- max time kernel: 69s
- max time network: 43s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02-03-2024 23:32
Behavioral tasks (sample / resource)
- behavioral1: Trojan/+.exe / win7-20240221-en
- behavioral2: Trojan/+.exe / win10v2004-20240226-en
- behavioral3: Trojan/0.950095298700035.exe / win7-20240221-en
- behavioral4: Trojan/0.950095298700035.exe / win10v2004-20240226-en
- behavioral5: Trojan/000.exe / win7-20240221-en
- behavioral6: Trojan/000.exe / win10v2004-20240226-en
- behavioral7: Trojan/0x07.exe / win7-20240221-en
- behavioral8: Trojan/0x07.exe / win10v2004-20240226-en
- behavioral9: Trojan/0xc6666666.exe / win7-20240220-en
- behavioral10: Trojan/0xc6666666.exe / win10v2004-20240226-en
- behavioral11: Trojan/10reset/10reset-helper.exe / win7-20240221-en
- behavioral12: Trojan/10reset/10reset-helper.exe / win10v2004-20240226-en
- behavioral13: Trojan/10reset/10reset.exe / win7-20240221-en
- behavioral14: Trojan/10reset/10reset.exe / win10v2004-20240226-en
- behavioral15: Trojan/13reset/13reset-helper.exe / win7-20240221-en
- behavioral16: Trojan/13reset/13reset-helper.exe / win10v2004-20240226-en
- behavioral17: Trojan/13reset/13reset.exe / win7-20240221-en
- behavioral18: Trojan/13reset/13reset.exe / win10v2004-20240226-en
- behavioral19: Trojan/2repair.exe / win7-20240221-en
- behavioral20: Trojan/2repair.exe / win10v2004-20240226-en
- behavioral21: Trojan/3PC.exe / win7-20240221-en
- behavioral22: Trojan/3PC.exe / win10v2004-20240226-en
- behavioral23: Trojan/4mm psy/4mm psy.exe / win7-20240215-en
- behavioral24: Trojan/4mm psy/4mm psy.exe / win10v2004-20240226-en
- behavioral25: Trojan/666.exe / win7-20240221-en
- behavioral26: Trojan/666.exe / win10v2004-20240226-en
- behavioral27: Trojan/666mm psy/666mm psy.exe / win7-20240221-en
- behavioral28: Trojan/666mm psy/666mm psy.exe / win10v2004-20240226-en
- behavioral29: Trojan/9reset/9RESET-helper.exe / win7-20240215-en
- behavioral30: Trojan/9reset/9RESET-helper.exe / win10v2004-20240226-en
- behavioral31: Trojan/9reset/9reset.exe / win7-20240221-en
- behavioral32: Trojan/9reset/9reset.exe / win10v2004-20240226-en
Errors
General
- Target: Trojan/2repair.exe
- Size: 10.2MB
- MD5: 795d891f34890796120931c1b74318a4
- SHA1: 9a698435df1e850479f66b08dd8ee84e7473b0eb
- SHA256: 327e9f126a7d897239ddafc8adbae981e6a4c00d4d3383846ceb8d2befefef04
- SHA512: 77234732395eac75687aeff81d40fc3e7b1f1d7e14b4df9f786f0aa7cc2bee04d5614dbd6cdd04fd310ea455c2747cd2c0a598143a886807e690c2cc01b06aa0
- SSDEEP: 196608:LgOzUNRd/74b/Mqe9NPnjRs6j+2ufWvi2DuFg3k7bwanYP9UX5hT84jWR/B:CRd83Klji52RhwPA92584jmB
Malware Config
Signatures
Windows security bypass
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (antivirus-platinum.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (antivirus-platinum.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (antivirus-platinum.exe)
Disables RegEdit via registry modification 1 IoCs
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (antivirus-platinum.exe)
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
- \Users\Admin\AppData\Local\Temp\nso73F9.tmp\GetVersion.dll (yara rule: acprotect)
Executes dropped EXE 37 IoCs
Processes (pid, process):
- 2452 Melting.exe
- 2736 AntivirusPlatinum.exe
- 1196 (no process name recorded in the report)
- 2456 302746537.exe
- 2624 antivirus-platinum.exe
- 348 Antivirus.exe
- 2248 runaway.exe
- 1656 runaway.exe
- 1032 runaway.exe
- 2220 runaway.exe
- 1360 Badgame.exe
- 1400 runaway.exe
- 1444 runaway.exe
- 1328 Hydra.exe
- 1500 runaway.exe
- 1772 runaway.exe
- 2124 runaway.exe
- 2052 runaway.exe
- 2424 runaway.exe
- 2780 runaway.exe
- 2672 runaway.exe
- 2276 runaway.exe
- 2096 runaway.exe
- 2320 runaway.exe
- 2428 Melting.exe
- 1996 Melting.exe
- 1548 runaway.exe
- 2832 SGen.exe
- 1012 runaway.exe
- 2500 Melting.exe
- 2464 Melting.exe
- 2892 Melting.exe
- 1640 PCOptimizerProInstaller.exe
- 1944 VirusCan.exe
- 2524 matrix.exe
- 2692 bomb.exe
- 2708 ChilledWindows.exe
Loads dropped DLL 9 IoCs
Processes (pid, process):
- 2648 cmd.exe [x6]
- 1640 PCOptimizerProInstaller.exe [x3]
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes (resource, yara rule):
- C:\Windows\302746537.exe (upx)
- behavioral19/memory/2456-49-0x0000000000400000-0x0000000000410000-memory.dmp (upx)
- behavioral19/memory/2624-70-0x0000000000400000-0x000000000040D000-memory.dmp (upx)
- C:\Windows\antivirus-platinum.exe (upx)
- behavioral19/memory/2456-73-0x0000000000400000-0x0000000000410000-memory.dmp (upx)
- behavioral19/memory/2624-151-0x0000000000400000-0x000000000040D000-memory.dmp (upx)
- \Users\Admin\AppData\Local\Temp\nso73F9.tmp\GetVersion.dll (upx)
Windows security modification
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (antivirus-platinum.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (antivirus-platinum.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (antivirus-platinum.exe)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus = "\"C:\\Program Files (x86)\\AnVi\\avt.exe\" -noscan" (Antivirus.exe)
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
- File opened for modification \??\PhysicalDrive0 (FreeMicrosoft.exe)
Drops file in Program Files directory 2 IoCs
Processes:
- File created C:\Program Files (x86)\AnVi\splash.mp3 (Antivirus.exe)
- File created C:\Program Files (x86)\AnVi\virus.mp3 (Antivirus.exe)
Drops file in Windows directory 10 IoCs
Processes:
- File opened for modification C:\Windows\COMCTL32.OCX (AntivirusPlatinum.exe)
- File created C:\Windows\MSCOMCTL.OCX (AntivirusPlatinum.exe)
- File opened for modification C:\Windows\MSCOMCTL.OCX (AntivirusPlatinum.exe)
- File opened for modification C:\Windows\302746537.exe (AntivirusPlatinum.exe)
- File created C:\Windows\__tmp_rar_sfx_access_check_259409070 (AntivirusPlatinum.exe)
- File opened for modification C:\Windows\antivirus-platinum.exe (AntivirusPlatinum.exe)
- File created C:\Windows\COMCTL32.OCX (AntivirusPlatinum.exe)
- File created C:\Windows\antivirus-platinum.exe (AntivirusPlatinum.exe)
- File created C:\Windows\302746537.exe (AntivirusPlatinum.exe)
- File opened for modification C:\windows\antivirus-platinum.exe (attrib.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
NSIS installer 4 IoCs
Processes (resource, yara rule):
- C:\Users\Admin\AppData\Local\Temp\Trojan\PCOptimizerProInstaller.exe (nsis_installer_1)
- C:\Users\Admin\AppData\Local\Temp\Trojan\PCOptimizerProInstaller.exe (nsis_installer_2)
- C:\Users\Admin\AppData\Local\Temp\Trojan\PCOptimizerProInstaller.exe (nsis_installer_1)
- C:\Users\Admin\AppData\Local\Temp\Trojan\PCOptimizerProInstaller.exe (nsis_installer_2)
Delays execution with timeout.exe 3 IoCs
Processes (pid, process):
- 2676 timeout.exe
- 2696 timeout.exe
- 996 timeout.exe
Kills process with taskkill 1 IoCs
Processes (pid, process):
- 1796 taskkill.exe
Modifies Internet Explorer settings
Processes:
- Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main (antivirus-platinum.exe)
- Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main (antivirus-platinum.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "YOUR PC MAY BE INFECTED WITH SPYWARE OR OTHER MALICIOUS ITEMS" (antivirus-platinum.exe)
- Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main (Antivirus.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes" (Antivirus.exe)
Modifies Internet Explorer start page 1 TTPs 2 IoCs
Processes:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://secureservices2010.webs.com/scan" (antivirus-platinum.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://secureservices2010.webs.com/scan" (antivirus-platinum.exe)
Modifies registry class 64 IoCs
Processes (all entries below are by regsvr32.exe):
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE39-8596-11D1-B16A-00C0F0283628}
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6594-857C-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.ListViewCtrl\CurVer\ = "COMCTL.ListViewCtrl.1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE3B-8596-11D1-B16A-00C0F0283628}
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\ToolboxBitmap32\ = "c:\\windows\\mscomctl.ocx, 2"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\Implemented Categories
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BF877890-E026-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F053-858B-11D1-B16A-00C0F0283628}\ = "IListSubItems"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6E17E82-DF38-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.3"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE36-8596-11D1-B16A-00C0F0283628}\InprocServer32\ = "c:\\windows\\mscomctl.ocx"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6E17E8C-DF38-11CF-8E74-00A0C90F26F8}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4D83601-895E-11D0-B0A6-000000000000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6E17E86-DF38-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{612A8626-0FB3-11CE-8747-524153480004}\TypeLib
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{612A8625-0FB3-11CE-8747-524153480004}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0713E8A3-850A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF877892-E026-11CF-8E74-00A0C90F26F8}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7791BA42-E020-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.3"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A1-8586-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0713E8D1-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8556BCD2-E01E-11CF-8E74-00A0C90F26F8}\ = "IImage"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9ED94442-E5E8-101B-B9B5-444553540000}\TypeLib\Version = "1.3"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\InprocServer32\ = "c:\\windows\\mscomctl.ocx"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TabStrip\CurVer
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE40-8596-11D1-B16A-00C0F0283628}\InprocServer32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B4-8589-11D1-B16A-00C0F0283628}\TypeLib
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F053-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0713E8A8-850A-101B-AFC0-4210102A8DA7}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Slider\CurVer
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\MiscStatus\1
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{612A8626-0FB3-11CE-8747-524153480004}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE5-8583-11D1-B16A-00C0F0283628}\TypeLib
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0713E8A2-850A-101B-AFC0-4210102A8DA7}\MiscStatus\1
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9ED94441-E5E8-101B-B9B5-444553540000}\ProxyStubClsid32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF877892-E026-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\TypeLib
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ProgCtrl.2\CLSID
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA662-8594-11D1-B16A-00C0F0283628}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7}\MiscStatus\1
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8A5-850A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF877896-E026-11CF-8E74-00A0C90F26F8}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{612A8626-0FB3-11CE-8747-524153480004}\ProxyStubClsid32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83601-895E-11D0-B0A6-000000000000}\TypeLib
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\Implemented Categories
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4D83601-895E-11D0-B0A6-000000000000}\ = "IListItems"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0713E8A7-850A-101B-AFC0-4210102A8DA7}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\TypeLib
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Version\ = "2.0"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Toolbar\CurVer\ = "MSComctlLib.Toolbar.2"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F22-8591-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0713E8A1-850A-101B-AFC0-4210102A8DA7}\ = "IPanel10"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B7E6391-850A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageListCtrl\CurVer
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ProgCtrl.2\ = "Microsoft ProgressBar Control 6.0 (SP4)"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageComboCtl\CurVer
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE36-8596-11D1-B16A-00C0F0283628}\InprocServer32
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\ToolboxBitmap32\ = "c:\\windows\\comctl32.ocx, 17"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E86-DF38-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\InprocServer32
Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 28 IoCs
Processes (pid, process):
- 2572 FreeMicrosoft.exe
- 2736 AntivirusPlatinum.exe
- 348 Antivirus.exe
- 2248 runaway.exe
- 1032 runaway.exe
- 1656 runaway.exe
- 2220 runaway.exe
- 1400 runaway.exe
- 1360 Badgame.exe
- 1444 runaway.exe
- 1500 runaway.exe
- 1328 Hydra.exe
- 1772 runaway.exe
- 2276 runaway.exe
- 2124 runaway.exe
- 2096 runaway.exe
- 2052 runaway.exe
- 2320 runaway.exe
- 2424 runaway.exe
- 2780 runaway.exe
- 2672 runaway.exe
- 2832 SGen.exe
- 1548 runaway.exe
- 1012 runaway.exe
- 1640 PCOptimizerProInstaller.exe
- 1944 VirusCan.exe
- 2524 matrix.exe
- 2692 bomb.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
- 348 Antivirus.exe (the same pid/process pair is listed for every one of the 64 IoCs)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1796 taskkill.exe
Suspicious use of FindShellTrayWindow 3 IoCs
Processes (pid, process):
- 348 Antivirus.exe [x3]
Suspicious use of SendNotifyMessage 3 IoCs
Processes (pid, process):
- 348 Antivirus.exe [x3]
Suspicious use of SetWindowsHookEx 29 IoCs
Processes (pid, process):
- 2624 antivirus-platinum.exe
- 348 Antivirus.exe
- 1656 runaway.exe
- 2248 runaway.exe
- 1032 runaway.exe
- 2220 runaway.exe
- 1400 runaway.exe
- 1444 runaway.exe
- 1500 runaway.exe
- 1772 runaway.exe
- 2124 runaway.exe
- 2052 runaway.exe
- 2424 runaway.exe
- 2780 runaway.exe
- 2672 runaway.exe
- 2276 runaway.exe
- 2096 runaway.exe
- 2320 runaway.exe
- 1548 runaway.exe
- 1012 runaway.exe
- 348 Antivirus.exe [x9]
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid/process wrote to target pid/process; repeated rows collapsed with a count):
- PID 2908 (2repair.exe) wrote to memory of 2648 (cmd.exe) [x4]
- PID 2648 (cmd.exe) wrote to memory of 2676 (timeout.exe) [x3]
- PID 2648 (cmd.exe) wrote to memory of 2572 (FreeMicrosoft.exe) [x4]
- PID 2648 (cmd.exe) wrote to memory of 2452 (Melting.exe) [x3]
- PID 2648 (cmd.exe) wrote to memory of 2736 (AntivirusPlatinum.exe) [x7]
- PID 2648 (cmd.exe) wrote to memory of 2696 (timeout.exe) [x3]
- PID 2736 (AntivirusPlatinum.exe) wrote to memory of 2456 (302746537.exe) [x7]
- PID 2456 (302746537.exe) wrote to memory of 2924 (cmd.exe) [x4]
- PID 2924 (cmd.exe) wrote to memory of 2712 (regsvr32.exe) [x7]
- PID 2924 (cmd.exe) wrote to memory of 2708 (ChilledWindows.exe) [x7]
- PID 2924 (cmd.exe) wrote to memory of 2624 (antivirus-platinum.exe) [x4]
- PID 2924 (cmd.exe) wrote to memory of 2792 (attrib.exe) [x4]
- PID 2648 (cmd.exe) wrote to memory of 348 (Antivirus.exe) [x4]
- PID 2648 (cmd.exe) wrote to memory of 2248 (runaway.exe) [x3]
System policy modification 1 TTPs 4 IoCs
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" (antivirus-platinum.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (antivirus-platinum.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "67108863" (antivirus-platinum.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (antivirus-platinum.exe)
Views/modifies file attributes 1 TTPs 1 IoCs
Processes (process tree; the number in brackets is the nesting depth, indentation follows the parent/child relationship)

[1] C:\Users\Admin\AppData\Local\Temp\Trojan\2repair.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\Trojan\2repair.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2908
  [2] C:\Windows\system32\cmd.exe
      cmd: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2CDA.tmp\2CDB.tmp\2CDC.bat C:\Users\Admin\AppData\Local\Temp\Trojan\2repair.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2648
    [3] C:\Windows\system32\timeout.exe
        cmd: timeout /t 6
        - Delays execution with timeout.exe
        PID: 2676
    [3] C:\Users\Admin\AppData\Local\Temp\Trojan\FreeMicrosoft.exe
        cmd: FreeMicrosoft.exe
        - Writes to the Master Boot Record (MBR)
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID: 2572
    [3] C:\Users\Admin\AppData\Local\Temp\Trojan\Melting.exe
        cmd: Melting.exe
        - Executes dropped EXE
        PID: 2452
    [3] C:\Users\Admin\AppData\Local\Temp\Trojan\AntivirusPlatinum.exe
        cmd: AntivirusPlatinum.exe
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious use of WriteProcessMemory
        PID: 2736
      [4] C:\WINDOWS\302746537.exe
          cmd: "C:\WINDOWS\302746537.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID: 2456
        [5] C:\Windows\SysWOW64\cmd.exe
            cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\44EC.tmp\302746537.bat" "
            - Suspicious use of WriteProcessMemory
            PID: 2924
          [6] C:\Windows\SysWOW64\regsvr32.exe
              cmd: regsvr32 /s c:\windows\comctl32.ocx
              - Modifies registry class
              PID: 2712
          [6] C:\Windows\SysWOW64\regsvr32.exe
              cmd: regsvr32 /s c:\windows\mscomctl.ocx
              - Modifies registry class
              PID: 2708
          [6] \??\c:\windows\antivirus-platinum.exe
              cmd: c:\windows\antivirus-platinum.exe
              - Windows security bypass
              - Disables RegEdit via registry modification
              - Executes dropped EXE
              - Windows security modification
              - Modifies Internet Explorer settings
              - Modifies Internet Explorer start page
              - Suspicious use of SetWindowsHookEx
              - System policy modification
              PID: 2624
          [6] C:\Windows\SysWOW64\attrib.exe
              cmd: attrib +h c:\windows\antivirus-platinum.exe
              - Drops file in Windows directory
              - Views/modifies file attributes
              PID: 2792
    [3] C:\Windows\system32\timeout.exe
        cmd: timeout /t 2
        - Delays execution with timeout.exe
        PID: 2696
    [3] C:\Users\Admin\AppData\Local\Temp\Trojan\Antivirus.exe
        cmd: Antivirus.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        PID: 348
      [4] C:\Windows\SysWOW64\net.exe
          cmd: net stop wscsvc
          PID: 2192
        [5] C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 stop wscsvc
            PID: 2964
      [4] C:\Windows\SysWOW64\net.exe
          cmd: net stop winmgmt /y
          PID: 2384
        [5] C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 stop winmgmt /y
            PID: 2796
      [4] C:\Windows\SysWOW64\net.exe
          cmd: net start winmgmt
          PID: 3004
        [5] C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 start winmgmt
            PID: 2000
      [4] C:\Windows\SysWOW64\net.exe
          cmd: net start wscsvc
          PID: 1712
        [5] C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 start wscsvc
            PID: 1356
      [4] C:\Windows\SysWOW64\Wbem\mofcomp.exe
          cmd: mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof
          PID: 2056
    [3] C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exe
        cmd: runaway.exe
        - Executes dropped EXE
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious use of SetWindowsHookEx
        PID: 2248
    [3] C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exe
        cmd: runaway.exe
        - Executes dropped EXE
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious use of SetWindowsHookEx
        PID: 1032
    [3] C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exe
        cmd: runaway.exe
        - Executes dropped EXE
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious use of SetWindowsHookEx
        PID: 1656
    [3] C:\Windows\system32\taskkill.exe
        cmd: taskkill /IM lsass.exe /F
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 1796
    [3] C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exe
        cmd: runaway.exe
        - Executes dropped EXE
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious use of SetWindowsHookEx
        PID: 2220
    [3] C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exe
        cmd: runaway.exe
        - Executes dropped EXE
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious use of SetWindowsHookEx
        PID: 1400
    [3] C:\Users\Admin\AppData\Local\Temp\Trojan\Badgame.exe
        cmd: Badgame.exe
        - Executes dropped EXE
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID: 1360
    [3] C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exe
        cmd: runaway.exe
        - Executes dropped EXE
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious use of SetWindowsHookEx
        PID: 1444
    [3] C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exe
        cmd: runaway.exe
        - Executes dropped EXE
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious use of SetWindowsHookEx
        PID: 1500
    [3] C:\Users\Admin\AppData\Local\Temp\Trojan\Hydra.exe
        cmd: Hydra.exe
        - Executes dropped EXE
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1328
-
-
C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exerunaway.exe3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:1772
-
-
C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exerunaway.exe3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:2276
-
-
C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exerunaway.exe3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:2124
-
-
C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exerunaway.exe3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:2096
-
-
C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exerunaway.exe3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:2052
-
-
C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exerunaway.exe3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:2320
-
-
C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exerunaway.exe3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:2424
-
-
C:\Users\Admin\AppData\Local\Temp\Trojan\Melting.exeMelting.exe3⤵
- Executes dropped EXE
PID:2428
-
-
C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exerunaway.exe3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:2780
-
-
C:\Users\Admin\AppData\Local\Temp\Trojan\Melting.exeMelting.exe3⤵
- Executes dropped EXE
PID:1996
-
-
C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exerunaway.exe3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:2672
-
-
C:\Users\Admin\AppData\Local\Temp\Trojan\SGen.exeSGen.exe3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2832 -
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\SFC4E30.tmp.vbs"4⤵PID:2088
-
-
-
C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exerunaway.exe3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:1548
-
-
C:\Users\Admin\AppData\Local\Temp\Trojan\runaway.exerunaway.exe3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:1012
-
-
C:\Windows\system32\timeout.exetimeout /t 103⤵
- Delays execution with timeout.exe
PID:996
-
-
C:\Users\Admin\AppData\Local\Temp\Trojan\Melting.exeMelting.exe3⤵
- Executes dropped EXE
PID:2500
-
-
C:\Users\Admin\AppData\Local\Temp\Trojan\Melting.exeMelting.exe3⤵
- Executes dropped EXE
PID:2464
-
-
C:\Users\Admin\AppData\Local\Temp\Trojan\Melting.exeMelting.exe3⤵
- Executes dropped EXE
PID:2892
-
-
C:\Users\Admin\AppData\Local\Temp\Trojan\PCOptimizerProInstaller.exePCOptimizerProInstaller.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1640
-
-
C:\Users\Admin\AppData\Local\Temp\Trojan\VirusCan.exeVirusCan.exe3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1944 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\75CC.tmp\VirusCan.bat""4⤵PID:1768
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:268
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:864
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:772
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:584
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:2116
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:688
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:1048
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:808
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:1088
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:812
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:920
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:320
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Trojan\matrix.exematrix.exe3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2524 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\75BC.tmp\75BD.tmp\75BE.bat C:\Users\Admin\AppData\Local\Temp\Trojan\matrix.exe"4⤵PID:2012
-
-
-
C:\Users\Admin\AppData\Local\Temp\Trojan\bomb.exebomb.exe3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2692
-
-
C:\Users\Admin\AppData\Local\Temp\Trojan\ChilledWindows.exeChilledWindows.exe3⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2708 -s 6564⤵PID:1812
-
-
-
Network

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1)
  - Bootkit (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads

Filesize: 853B
MD5: 9eed2c0c3293d9424e3edacf3b36615d
SHA1: 1d7743263a25661055549dd913ec5c654fa99ffd
SHA256: 9780bbabc18e0a4cf00c87ffe12c36804fd1180c7e62ceb3f244820224dd15b2
SHA512: cedcd3b4ea56f4495e5f0baf20795c1296130f65d5512b4a7adabd1cfc46c2af0f94e5678a74b9fc181371d2e34239bc1d833f908e599f7389ee53cd55a8b746

Filesize: 348B
MD5: 7d8beb22dfcfacbbc2609f88a41c1458
SHA1: 52ec2b10489736b963d39a9f84b66bafbf15685f
SHA256: 4aa9ed4b38514f117e6e4f326cb0a1be7f7b96199e21305e2bd6dce289d7baa2
SHA512: a26cf9168cf7450435a9fe8942445511f6fda1087db52bd73e335d6f5b544fc892999019d9291d9dcc60c3656de49688f6d63282c97706e2db286f988e44fd94

Filesize: 443B
MD5: 7fad92afda308dca8acfc6ff45c80c24
SHA1: a7fa35e7f90f772fc943c2e940737a48b654c295
SHA256: 76e19416eb826a27bdcf626c3877cf7812bbe9b62cc2ccc5c2f65461d644246f
SHA512: 49eed1e1197401cb856064bf7fdbd9f3bc57f3c864d47f509346d44eed3b54757d8c6cdb6254990d21291065f0762d2a1588d09e43c5728f77a420f6a8dcd6ea

Filesize: 82B
MD5: 55dcde25c122c782757989a3c275fea2
SHA1: a669581a58e6aa602cbdaf690e3e365fa4de570f
SHA256: 3aad2d3f7f3c5ef2676e33cc3be636f1929cf106707e88068ed8eee1ecfcb916
SHA512: b9cd00ffc8e42d2cd1f37a3312655c12423c8fb145910ee2ac8abf0d06b5942b5754fdd60d6b94a125c3bf3a1e7818eded0bfe662dc3992dac10d9df3fcaa5f2

Filesize: 2.0MB
MD5: c7e9746b1b039b8bd1106bca3038c38f
SHA1: cb93ac887876bafe39c5f9aa64970d5e747fb191
SHA256: b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
SHA512: cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724

Filesize: 739KB
MD5: 382430dd7eae8945921b7feab37ed36b
SHA1: c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128
SHA256: 70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b
SHA512: 26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

Filesize: 61KB
MD5: ebfbd478a8cfc0fb645b8559973690cb
SHA1: 88ec8dff51b53beed128582bcaf86ea81f684a0f
SHA256: 62c99ea25fea9d3e5917114ada0406a333b1506697bd2bc28e9d676655232a59
SHA512: 30c5dbaf97d3b43edca2e0c9f98fe3e45a2b508880021ce624145549b295c46f4468118c2f5051be402d4eeb3d9791a5eb27f1cc242b3a639b8318be49315f82

Filesize: 798KB
MD5: 7a0dde676273569966f442d203b25b31
SHA1: 96443c3966ce6d5cd332d8257be8fc3e9306c319
SHA256: 3c5aa7cf099b14996bba31ccd20be58c88c5c7a79fc6af43b081edef70da2803
SHA512: bb999f7aa09120e326d66553a7c5278b7d6399b560fb255e2cb05e6d566f2c202d425c93cfa68604fa7f7098adcd177e5703a8ea683449810ac476eb2a3cd9cd

Filesize: 624KB
MD5: ed6850b4fd4bbe49853aa0c8d11c559f
SHA1: bcb56054ff868be782b182d464287c59ae6817e8
SHA256: 53e4dea75cb5f625b174b47562a1739c309b9e883ca3b5c3f0273abb7acf682b
SHA512: b822d6f05936d00a1fa21780aaa111355e197ddb01f1a31b3e0c01f55ae0da3e4965b26f5cdca08b0b577086299d949a467d13039e119344c766f44f796190db

Filesize: 43KB
MD5: b2eca909a91e1946457a0b36eaf90930
SHA1: 3200c4e4d0d4ece2b2aadb6939be59b91954bcfa
SHA256: 0b6c0af51cde971b3e5f8aa204f8205418ab8c180b79a5ac1c11a6e0676f0f7c
SHA512: 607d20e4a46932c7f4d9609ef9451e2303cd79e7c4778fe03f444e7dc800d6de7537fd2648c7c476b9f098588dc447e8c39d8b21cd528d002dfa513a19c6ebbf

Filesize: 12KB
MD5: 833619a4c9e8c808f092bf477af62618
SHA1: b4a0efa26f790e991cb17542c8e6aeb5030d1ebf
SHA256: 92a284981c7ca33f1af45ce61738479fbcbb5a4111f5498e2cb54931c8a36c76
SHA512: 4f231fc16339d568b5cf9353133aeae835eb262dab68bc80d92f37b43df64dce4fae0e913cbaa3bb61351a759aeecf9d280bc5779b0853c980559a654d6cca11

Filesize: 652KB
MD5: 714a82f547c2cf783201c7ab20edbc32
SHA1: 959a295c7d5818638c6bd452fd9b8e0b5c21602b
SHA256: 48264ea35fdb5b00e32f675465104f73e87c4ff81f7857ce13ff39bb6ff1e650
SHA512: 19f6471cb17cd8110ae2c160855620ae0016e7d7578de9c6418793b831692118222d7c5680bef820d11f617601efd67e0014c7d7172c9df8dd466821e397e77e

Filesize: 374KB
MD5: 82e0e9f8e0576837610117e6f705bc5c
SHA1: 8e2dd01c4ab2ae1e9068b4578b78a2dedb859652
SHA256: 96f9af12f79ae73912bc483fa032bd928674799937e655423018410f5e3124f0
SHA512: 8df710ddeb284693371fc1ce38242ce493d5036db50027bf56b377b45f8cb928bc186ea3e4c1bb02265a76467b9bdad2aad440d73394882e9587f7d45517c185

Filesize: 16KB
MD5: 3e20f1b0a3bb4c8608844e47d92d2121
SHA1: e2f84e46d4e63cbd091feeca686814752519596e
SHA256: a23284c86e2b640fce315419157db159355efa61f0ed1b70e716584aa77b6793
SHA512: 1047304be5dcca4b71fed0c76db3bd4c42fcd2b163b6d93dc27be16fe90579d6a8c40655e76132b398ad430dadf7238267342adc2206025c9a77998c4214dd6b

Filesize: 25KB
MD5: 8edb51ed1d3241c4f026bb0d5de20f89
SHA1: 9453b850f98062c0b3955a58c295a662be605efb
SHA256: c26fc73c59765b9f8df9cf66f6bb81ce099097804a9f0bd4660f3f80e0639f47
SHA512: 0217f034da40cbe924ee8e73b024a3c5d86de1b7b12881d1b2909da2aba39661526b712acf9b390d000940ffbf3746e65a5687b7782635c24e844b36560c59f2

Filesize: 96KB
MD5: 05ad3f85b73e5ff86504f8dcc55b5d42
SHA1: 927d4554328cc6d767a566c3c6cb54c16d58857a
SHA256: 124cf5ca90e7aaede685fe0cda72b6a63b80583d2d5ec04d5baeb4a1851c48af
SHA512: 6fda7808e0b96caf3a1ff35734fec63f1e78cca6ae0abaa54fd5dd7bca6299a587b8f2c455b9385d7cf9b9cd9b74edbab1e37d8f98e8777059b3c3e2964feb18

Filesize: 121KB
MD5: 83726a8767faba50ea1b5f31afef5938
SHA1: 70165dcc633f3390d98ae08c731113b007069737
SHA256: e2636cb5e2b2ff10b27e3050e88801620494654017751d41e5a0725a5ce3b6c4
SHA512: e190e655c4df6ed6b79a8bff97c56a8c736753ce86f181f1fb15a4c57914bec0f1b1a3c8736e49a715191f2e6637a67be2a58354187365894c5d846518d7e301

Filesize: 8KB
MD5: 979b597855746aee2f30ee74f9d7c163
SHA1: 56dd0b4bbc5ddcc3fab99ea2e8f781d8b7c7c05f
SHA256: dc6ee4edbbbe1116a200b928f2b62dbc55594a9f79152bbb0076161a58546c11
SHA512: 6b7411b23fa0be275070bb08edb0293f7c5c00fffb7746afe0b4368e0a45e4c2743d3ef86417a610021577f70253bb0ca1c5d3398ac93d22d6672d2b16e0ec4e

Filesize: 22KB
MD5: 8703ff2e53c6fd3bc91294ef9204baca
SHA1: 3dbb8f7f5dfe6b235486ab867a2844b1c2143733
SHA256: 3028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035
SHA512: d5eb8a07457a78f9acd0f81d2f58bbf64b52183318b87c353a590cd2a3ac3a6ec9c1452bd52306c7cf99f19b6a897b16ceb8289a7d008c5ce3b07eda9b871204

Filesize: 9KB
MD5: cd1800322ccfc425014a8394b01a4b3d
SHA1: 171073975effde1c712dfd86309457fd457aed33
SHA256: 8115de4ad0b7e589852f521eb4260c127f8afeaa3b0021bfc98e4928a4929ac0
SHA512: 92c22c025fd3a61979fa718bf2e89a86e51bf7e69c421a9534fbf9c2d5b23b7a9224d0e9f3e0501992038837015214d1ef73b532a68b7d19de559c9ab9c6e5f6

Filesize: 595KB
MD5: 821511549e2aaf29889c7b812674d59b
SHA1: 3b2fd80f634a3d62277e0508bedca9aae0c5a0d6
SHA256: f59cdf89f0f522ce3662e09fa847bca9b277b006c415dcc0029b416c347db9c4
SHA512: 8b2e805b916e5fbfcccb0f4189372aea006789b3847b51018075187135e9b5db9098f704c1932623f356db0ee327e1539a9bf3729947e92844a26db46555e8cd

Filesize: 1.0MB
MD5: 714cf24fc19a20ae0dc701b48ded2cf6
SHA1: d904d2fa7639c38ffb6e69f1ef779ca1001b8c18
SHA256: 09f126e65d90026c3f659ff41b1287671b8cc1aa16240fc75dae91079a6b9712
SHA512: d375fd9b509e58c43355263753634368fa711f02a2235f31f7fa420d1ff77504d9a29bb70ae31c87671d50bd75d6b459379a1550907fbe5c37c60da835c60bc1

Filesize: 6KB
MD5: dc9562578490df8bc464071f125bfc19
SHA1: 56301a36ae4e3f92883f89f86b5d04da1e52770d
SHA256: 0351fe33a6eb13417437c1baaee248442fb1ecc2c65940c9996bcda574677c3f
SHA512: 9242f8e8ece707874ef61680cbfcba7fc810ec3a03d2cb2e803da59cc9c82badd71be0e76275574bc0c44cdfcef9b6db4e917ca8eb5391c5ae4b37e226b0c321

Filesize: 5KB
MD5: de3558ce305e32f742ff25b697407fec
SHA1: d55c50c546001421647f2e91780c324dbb8d6ebb
SHA256: 98160b4ebb4870f64b13a45f5384b693614ae5ca1b5243edf461ca0b5a6d479a
SHA512: 7081654001cba9263e6fb8d5b8570ba29a3de89621f52524aa7941ba9e6dfd963e5ef7b073f193b9df70300af04d7f72f93d0241d8c70ccdbecfd9092e166cac