ca5c6e61ca4cbc89d631b7458004c13214b4f65638265448bc7742cc1681e77a

General

Target

2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe
Size

11.8MB
MD5

f5710bcdcf51bf465e39c7cae9de6cb5
SHA1

e0facbe97030a8d9492a5c6250f6b6c7e876fe75
SHA256

ca5c6e61ca4cbc89d631b7458004c13214b4f65638265448bc7742cc1681e77a
SHA512

f63abcf8d6ccd9f7c23e92d088fd11bbf55e3a3e1c57d1bf5b8db39b7f00000809ad5c3c33b17bb1688b4bf870979af05865e0a4e86eb08aefd6d6cb946a3a0a
SSDEEP

98304:x1J/vWGql+sY74O06XIxz5jDV82YGkqB9b41FZWO6Yltm8zQHW:x1J/Nc3wIxz53V82YGkW9cZWnYltpzp

Score

5^/10

ransomware

Malware Config

Signatures

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\setwall.jpg"	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe

Drops file in Windows directory 10 IoCs

Processes:

mspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

Processes:

explorer.exeexplorer.execontrol.exeexplorer.execontrol.exeexplorer.execontrol.exeexplorer.exeexplorer.exeexplorer.execontrol.exeexplorer.exeexplorer.execontrol.execontrol.execontrol.execontrol.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-1#immutable1 = "Power Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-1#immutable1 = "Credential Manager"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-2#immutable1 = "Configure how speech recognition works on your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-2#immutable1 = "Change user account settings and passwords for people who share this computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-1#immutable1 = "Network and Sharing Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-1#immutable1 = "System"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-51#immutable1 = "Date and Time"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-4#immutable1 = "Device Manager"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\autoplay.dll,-2#immutable1 = "Change default settings for CDs, DVDs, and devices so that you can automatically play music, view pictures, install software, and play games."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-101#immutable1 = "Recovery"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-602#immutable1 = "Change how Windows indexes to search faster"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-1#immutable1 = "Troubleshooting"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-6#immutable1 = "Color Management"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-45#immutable1 = "Make your computer easier to use."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-301#immutable1 = "Configure your audio devices or change the sound scheme for your computer."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-3#immutable1 = "Region"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-2#immutable1 = "Customize settings for the display of languages, numbers, times, and dates."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\autoplay.dll,-1#immutable1 = "AutoPlay"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-2000#immutable1 = "View and manage devices, printers, and print jobs"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-1#immutable1 = "Phone and Modem"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-2#immutable1 = "Recovery"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4312#immutable1 = "Internet Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-100#immutable1 = "Recover copies of your files backed up in Windows 7"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-52#immutable1 = "Set the date, time, and time zone for your computer."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-1#immutable1 = "User Accounts"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-101#immutable1 = "Customize your mouse settings, such as the button configuration, double-click speed, mouse pointers, and motion speed."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-1000#immutable1 = "Devices and Printers"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-2#immutable1 = "View information about your computer, and change settings for hardware, performance, and remote connections."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-10#immutable1 = "Ease of Access Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fhcpl.dll,-2#immutable1 = "Keep a history of your files"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-159#immutable1 = "Programs and Features"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000#immutable1 = "Sync Center"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-102#immutable1 = "Keyboard"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4313#immutable1 = "Configure your Internet display and connection settings."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-1#immutable1 = "BitLocker Drive Encryption"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-2#immutable1 = "Protect your PC using BitLocker Drive Encryption."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fhcpl.dll,-52#immutable1 = "File History"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-103#immutable1 = "Customize your keyboard settings, such as the cursor blink rate and the character repeat rate."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	control.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-2#immutable1 = "Manage your Windows credentials."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-10#immutable1 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15301#immutable1 = "Manage your RemoteApp and Desktop Connections"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12123#immutable1 = "Set firewall security options to help protect your computer from hackers and malicious software."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15300#immutable1 = "RemoteApp and Desktop Connections"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-100#immutable1 = "Mouse"	explorer.exe

Suspicious behavior: AddClipboardFormatListener 10 IoCs

Processes:

explorer.exe

pid	process
3012	explorer.exe
3012	explorer.exe
3012	explorer.exe
3012	explorer.exe
3012	explorer.exe
3012	explorer.exe
3012	explorer.exe
3012	explorer.exe
3012	explorer.exe
3012	explorer.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exe

pid	process
4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe
1408	mspaint.exe
1376	mspaint.exe
1376	mspaint.exe
1408	mspaint.exe
2564	mspaint.exe
2564	mspaint.exe
4960	mspaint.exe
4960	mspaint.exe
3124	mspaint.exe
3124	mspaint.exe
2380	mspaint.exe
2380	mspaint.exe
3116	mspaint.exe
3116	mspaint.exe
3564	mspaint.exe
3564	mspaint.exe
2596	mspaint.exe
2596	mspaint.exe
3292	mspaint.exe
3292	mspaint.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe
Token: SeShutdownPrivilege	3012	explorer.exe
Token: SeCreatePagefilePrivilege	3012	explorer.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

explorer.exe

pid	process
3012	explorer.exe
3012	explorer.exe
3012	explorer.exe
3012	explorer.exe
3012	explorer.exe
3012	explorer.exe
3012	explorer.exe
3012	explorer.exe
3012	explorer.exe
3012	explorer.exe

Suspicious use of SetWindowsHookEx 40 IoCs

Processes:

mspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exe

pid	process
1408	mspaint.exe
1376	mspaint.exe
2564	mspaint.exe
4960	mspaint.exe
3124	mspaint.exe
2380	mspaint.exe
3116	mspaint.exe
3564	mspaint.exe
2596	mspaint.exe
3292	mspaint.exe
2596	mspaint.exe
2596	mspaint.exe
2596	mspaint.exe
3124	mspaint.exe
3124	mspaint.exe
3124	mspaint.exe
3292	mspaint.exe
2564	mspaint.exe
3564	mspaint.exe
2380	mspaint.exe
1408	mspaint.exe
3292	mspaint.exe
3292	mspaint.exe
2564	mspaint.exe
2564	mspaint.exe
3564	mspaint.exe
3564	mspaint.exe
1408	mspaint.exe
1408	mspaint.exe
2380	mspaint.exe
2380	mspaint.exe
4960	mspaint.exe
1376	mspaint.exe
3116	mspaint.exe
4960	mspaint.exe
4960	mspaint.exe
3116	mspaint.exe
3116	mspaint.exe
1376	mspaint.exe
1376	mspaint.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe

description	pid	process	target process
PID 4236 wrote to memory of 3292	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 4236 wrote to memory of 3292	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 4236 wrote to memory of 2596	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 4236 wrote to memory of 2596	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 4236 wrote to memory of 3116	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 4236 wrote to memory of 3116	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 4236 wrote to memory of 2380	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 4236 wrote to memory of 2380	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 4236 wrote to memory of 1408	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 4236 wrote to memory of 1408	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 4236 wrote to memory of 1376	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 4236 wrote to memory of 1376	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 4236 wrote to memory of 3564	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 4236 wrote to memory of 3564	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 4236 wrote to memory of 2564	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 4236 wrote to memory of 2564	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 4236 wrote to memory of 4960	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 4236 wrote to memory of 4960	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 4236 wrote to memory of 3124	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 4236 wrote to memory of 3124	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 4236 wrote to memory of 856	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 4236 wrote to memory of 856	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 4236 wrote to memory of 4944	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 4236 wrote to memory of 4944	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 4236 wrote to memory of 924	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 4236 wrote to memory of 924	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 4236 wrote to memory of 2368	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 4236 wrote to memory of 2368	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 4236 wrote to memory of 1188	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 4236 wrote to memory of 1188	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 4236 wrote to memory of 2072	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 4236 wrote to memory of 2072	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 4236 wrote to memory of 4872	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 4236 wrote to memory of 4872	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 4236 wrote to memory of 1472	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 4236 wrote to memory of 1472	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 4236 wrote to memory of 3576	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 4236 wrote to memory of 3576	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 4236 wrote to memory of 2188	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 4236 wrote to memory of 2188	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 4236 wrote to memory of 1276	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	control.exe
PID 4236 wrote to memory of 1276	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	control.exe
PID 4236 wrote to memory of 4964	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	control.exe
PID 4236 wrote to memory of 4964	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	control.exe
PID 4236 wrote to memory of 2492	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	control.exe
PID 4236 wrote to memory of 2492	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	control.exe
PID 4236 wrote to memory of 3816	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	control.exe
PID 4236 wrote to memory of 3816	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	control.exe
PID 4236 wrote to memory of 1576	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	control.exe
PID 4236 wrote to memory of 1576	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	control.exe
PID 4236 wrote to memory of 2080	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	control.exe
PID 4236 wrote to memory of 2080	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	control.exe
PID 4236 wrote to memory of 2528	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	control.exe
PID 4236 wrote to memory of 2528	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	control.exe
PID 4236 wrote to memory of 3480	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	control.exe
PID 4236 wrote to memory of 3480	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	control.exe
PID 4236 wrote to memory of 5092	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	control.exe
PID 4236 wrote to memory of 5092	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	control.exe
PID 4236 wrote to memory of 3964	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	control.exe
PID 4236 wrote to memory of 3964	4236	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	control.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\SYSTEM32\mspaint.exe
"mspaint.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3292

C:\Windows\SYSTEM32\mspaint.exe
"mspaint.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2596

C:\Windows\SYSTEM32\mspaint.exe
"mspaint.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3116

C:\Windows\SYSTEM32\mspaint.exe
"mspaint.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2380

C:\Windows\SYSTEM32\mspaint.exe
"mspaint.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1408

C:\Windows\SYSTEM32\mspaint.exe
"mspaint.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1376

C:\Windows\SYSTEM32\mspaint.exe
"mspaint.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3564

C:\Windows\SYSTEM32\mspaint.exe
"mspaint.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2564

C:\Windows\SYSTEM32\mspaint.exe
"mspaint.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4960

C:\Windows\SYSTEM32\mspaint.exe
"mspaint.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3124

C:\Windows\explorer.exe
"explorer.exe"
2⤵
- Modifies registry class
PID:856

C:\Windows\explorer.exe
"explorer.exe"
2⤵
PID:4944

C:\Windows\explorer.exe
"explorer.exe"
2⤵
- Modifies registry class
PID:924

C:\Windows\explorer.exe
"explorer.exe"
2⤵
- Modifies registry class
PID:2368

C:\Windows\explorer.exe
"explorer.exe"
2⤵
- Modifies registry class
PID:1188

C:\Windows\explorer.exe
"explorer.exe"
2⤵
- Modifies registry class
PID:2072

C:\Windows\explorer.exe
"explorer.exe"
2⤵
- Modifies registry class
PID:4872

C:\Windows\explorer.exe
"explorer.exe"
2⤵
- Modifies registry class
PID:1472

C:\Windows\explorer.exe
"explorer.exe"
2⤵
- Modifies registry class
PID:3576

C:\Windows\explorer.exe
"explorer.exe"
2⤵
- Modifies registry class
PID:2188

C:\Windows\SYSTEM32\control.exe
"control.exe"
2⤵
- Modifies registry class
PID:1276

C:\Windows\SYSTEM32\control.exe
"control.exe"
2⤵
- Modifies registry class
PID:4964

C:\Windows\SYSTEM32\control.exe
"control.exe"
2⤵
- Modifies registry class
PID:2492

C:\Windows\SYSTEM32\control.exe
"control.exe"
2⤵
- Modifies registry class
PID:3816

C:\Windows\SYSTEM32\control.exe
"control.exe"
2⤵
- Modifies registry class
PID:1576

C:\Windows\SYSTEM32\control.exe
"control.exe"
2⤵
PID:2080

C:\Windows\SYSTEM32\control.exe
"control.exe"
2⤵
PID:2528

C:\Windows\SYSTEM32\control.exe
"control.exe"
2⤵
- Modifies registry class
PID:3480

C:\Windows\SYSTEM32\control.exe
"control.exe"
2⤵
- Modifies registry class
PID:5092

C:\Windows\SYSTEM32\control.exe
"control.exe"
2⤵
- Modifies registry class
PID:3964

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:5128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4184,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
1⤵
PID:5668

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:5744

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads