d32f3a860b863d38f117c2e7efcaa6909583d418f8578b526a7ed0153529644b

Analysis

max time kernel
607s
max time network
609s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
19-07-2024 12:07

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Virus Maker.rar
Size

82KB
MD5

d1f61793e7898df4b27e3345764ceca8
SHA1

f03b91146aeaf753b565620a022a238830ed56d4
SHA256

d32f3a860b863d38f117c2e7efcaa6909583d418f8578b526a7ed0153529644b
SHA512

6491767f6db68886d000b173306377f3b0bf2d6db765ce4c14139c9ad09fa44e6cb75489f3858e45c4000333d2ad517721f81cc48e94de25c75c17cac36bb617
SSDEEP

1536:S0s/fG5w2aRBBNACjLkvSrfqAbv0Zarjg5AfDLCNE3Ztg/776X95:5s/+uRBmvMfzrhfbD2NStk76N5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
4952	Virus Maker.exe
4992	upddisable.exe
7064	Virus Maker.exe
416	Virus Maker.exe
3988	pay1.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133658645372637389"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "224"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Virus Maker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Applications\7zFM.exe\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c00310000000000e958eb8d110050524f4752417e310000740009000400efbec5525961e958eb8d2e0000003f0000000000010000000000000000004a0000000000b131e700500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "3"	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5000310000000000e958998a1000372d5a6970003c0009000400efbee958998ae958998a2e000000519d020000000a000000000000000000000000000000a774210037002d005a0069007000000014000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Virus Maker.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4568	chrome.exe
4568	chrome.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4176	OpenWith.exe
2756	7zFM.exe
3492	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2756	7zFM.exe
Token: 35	2756	7zFM.exe
Token: SeSecurityPrivilege	2756	7zFM.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2756	7zFM.exe
2756	7zFM.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe
6700	taskmgr.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
4176	OpenWith.exe
4176	OpenWith.exe
4176	OpenWith.exe
4176	OpenWith.exe
4176	OpenWith.exe
4176	OpenWith.exe
4176	OpenWith.exe
4176	OpenWith.exe
4176	OpenWith.exe
4176	OpenWith.exe
4952	Virus Maker.exe
7064	Virus Maker.exe
7064	Virus Maker.exe
416	Virus Maker.exe
6536	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 2756	4176	OpenWith.exe	85
PID 4176 wrote to memory of 2756	4176	OpenWith.exe	85
PID 4568 wrote to memory of 328	4568	chrome.exe	98
PID 4568 wrote to memory of 328	4568	chrome.exe	98
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2760	4568	chrome.exe	99
PID 4568 wrote to memory of 2488	4568	chrome.exe	100
PID 4568 wrote to memory of 2488	4568	chrome.exe	100
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101
PID 4568 wrote to memory of 2396	4568	chrome.exe	101

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Virus Maker.rar"
1⤵
- Modifies registry class
PID:3164

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Virus Maker.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc5ff1cc40,0x7ffc5ff1cc4c,0x7ffc5ff1cc58
  2⤵
  PID:328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,6872717689203807067,12220494010413906912,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1708,i,6872717689203807067,12220494010413906912,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2404 /prefetch:3
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2120,i,6872717689203807067,12220494010413906912,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2556 /prefetch:8
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,6872717689203807067,12220494010413906912,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,6872717689203807067,12220494010413906912,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4480,i,6872717689203807067,12220494010413906912,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4456,i,6872717689203807067,12220494010413906912,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4796,i,6872717689203807067,12220494010413906912,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:420
- C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:1100
- - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff60bb14698,0x7ff60bb146a4,0x7ff60bb146b0
    3⤵
    - Drops file in Windows directory
    PID:1292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4620,i,6872717689203807067,12220494010413906912,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:3272

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:948

C:\Users\Admin\Desktop\Virus Maker.exe
"C:\Users\Admin\Desktop\Virus Maker.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ytfmdtyn\ytfmdtyn.cmdline"
  2⤵
  PID:3924
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5BE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD7F9285FF174942A8C5B68276D2DC9A.TMP"
    3⤵
    PID:1712

C:\Users\Admin\Desktop\upddisable.exe
"C:\Users\Admin\Desktop\upddisable.exe"
1⤵
- Executes dropped EXE
PID:4992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3492
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:2576
- - C:\Windows\system32\net.exe
    net user 21441 /add
    3⤵
    PID:1620
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 21441 /add
      4⤵
      PID:4920
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:1064
- - C:\Windows\system32\net.exe
    net user 2889 /add
    3⤵
    PID:3116
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 2889 /add
      4⤵
      PID:5096
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:1824
- - C:\Windows\system32\net.exe
    net user 6439 /add
    3⤵
    PID:4604
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 6439 /add
      4⤵
      PID:2780
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:1592
- - C:\Windows\system32\net.exe
    net user 32216 /add
    3⤵
    PID:2420
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 32216 /add
      4⤵
      PID:3752
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:1648
- - C:\Windows\system32\net.exe
    net user 25045 /add
    3⤵
    PID:2396
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 25045 /add
      4⤵
      PID:5012
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:2184
- - C:\Windows\system32\net.exe
    net user 2270 /add
    3⤵
    PID:2472
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 2270 /add
      4⤵
      PID:3484
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:4816
- - C:\Windows\system32\net.exe
    net user 16185 /add
    3⤵
    PID:2932
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 16185 /add
      4⤵
      PID:2240
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:4080
- - C:\Windows\system32\net.exe
    net user 27769 /add
    3⤵
    PID:1320
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 27769 /add
      4⤵
      PID:1204
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:3464
- - C:\Windows\system32\net.exe
    net user 15285 /add
    3⤵
    PID:4592
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 15285 /add
      4⤵
      PID:2028
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:3612
- - C:\Windows\system32\net.exe
    net user 12604 /add
    3⤵
    PID:4224
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 12604 /add
      4⤵
      PID:1088
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:1220
- - C:\Windows\system32\net.exe
    net user 11877 /add
    3⤵
    PID:4808
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 11877 /add
      4⤵
      PID:1612
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:1880
- - C:\Windows\system32\net.exe
    net user 18269 /add
    3⤵
    PID:556
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 18269 /add
      4⤵
      PID:748
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:3384
- - C:\Windows\system32\net.exe
    net user 3592 /add
    3⤵
    PID:2824
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 3592 /add
      4⤵
      PID:1108
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:3236
- - C:\Windows\system32\net.exe
    net user 31867 /add
    3⤵
    PID:2476
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 31867 /add
      4⤵
      PID:1188
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:3444
- - C:\Windows\system32\net.exe
    net user 17463 /add
    3⤵
    PID:772
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 17463 /add
      4⤵
      PID:4048
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:4248
- - C:\Windows\system32\net.exe
    net user 25719 /add
    3⤵
    PID:3816
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 25719 /add
      4⤵
      PID:4672
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:2892
- - C:\Windows\system32\net.exe
    net user 19278 /add
    3⤵
    PID:836
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 19278 /add
      4⤵
      PID:2312
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:2728
- - C:\Windows\system32\net.exe
    net user 30260 /add
    3⤵
    PID:3320
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 30260 /add
      4⤵
      PID:3548
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:3924
- - C:\Windows\system32\net.exe
    net user 29879 /add
    3⤵
    PID:4088
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 29879 /add
      4⤵
      PID:2708
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:4688
- - C:\Windows\system32\net.exe
    net user 25402 /add
    3⤵
    PID:4380
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 25402 /add
      4⤵
      PID:3228
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:4060
- - C:\Windows\system32\net.exe
    net user 25211 /add
    3⤵
    PID:4488
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 25211 /add
      4⤵
      PID:740
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:3044
- - C:\Windows\system32\net.exe
    net user 10640 /add
    3⤵
    PID:4436
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 10640 /add
      4⤵
      PID:4992
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:4056
- - C:\Windows\system32\net.exe
    net user 22068 /add
    3⤵
    PID:4920
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 22068 /add
      4⤵
      PID:5096
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:2024
- - C:\Windows\system32\net.exe
    net user 6477 /add
    3⤵
    PID:3972
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 6477 /add
      4⤵
      PID:1312
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:4104
- - C:\Windows\system32\net.exe
    net user 18660 /add
    3⤵
    PID:564
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 18660 /add
      4⤵
      PID:1448
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:3484
- - C:\Windows\system32\net.exe
    net user 5029 /add
    3⤵
    PID:3812
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 5029 /add
      4⤵
      PID:2968
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:1128
- - C:\Windows\system32\net.exe
    net user 6720 /add
    3⤵
    PID:3920
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 6720 /add
      4⤵
      PID:1204
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:2028
- - C:\Windows\system32\net.exe
    net user 14214 /add
    3⤵
    PID:864
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 14214 /add
      4⤵
      PID:4460
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:1340
- - C:\Windows\system32\net.exe
    net user 23391 /add
    3⤵
    PID:1524
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 23391 /add
      4⤵
      PID:4300
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:2636
- - C:\Windows\system32\net.exe
    net user 4099 /add
    3⤵
    PID:1388
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 4099 /add
      4⤵
      PID:3284
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:2824
- - C:\Windows\system32\net.exe
    net user 6140 /add
    3⤵
    PID:444
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 6140 /add
      4⤵
      PID:2356
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:2076
- - C:\Windows\system32\net.exe
    net user 15126 /add
    3⤵
    PID:4048
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 15126 /add
      4⤵
      PID:772
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:3816
- - C:\Windows\system32\net.exe
    net user 23206 /add
    3⤵
    PID:4176
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 23206 /add
      4⤵
      PID:708
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:3060
- - C:\Windows\system32\net.exe
    net user 29577 /add
    3⤵
    PID:3548
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 29577 /add
      4⤵
      PID:4228
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:2336
- - C:\Windows\system32\net.exe
    net user 19350 /add
    3⤵
    PID:1212
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 19350 /add
      4⤵
      PID:2124
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:4068
- - C:\Windows\system32\net.exe
    net user 32513 /add
    3⤵
    PID:3680
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 32513 /add
      4⤵
      PID:4488
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:1708
- - C:\Windows\system32\net.exe
    net user 1789 /add
    3⤵
    PID:2136
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 1789 /add
      4⤵
      PID:3100
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:1860
- - C:\Windows\system32\net.exe
    net user 18814 /add
    3⤵
    PID:3952
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 18814 /add
      4⤵
      PID:5112
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:1448
- - C:\Windows\system32\net.exe
    net user 28431 /add
    3⤵
    PID:2544
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 28431 /add
      4⤵
      PID:2240
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:4788
- - C:\Windows\system32\net.exe
    net user 466 /add
    3⤵
    PID:648
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 466 /add
      4⤵
      PID:4800
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:4416
- - C:\Windows\system32\net.exe
    net user 7957 /add
    3⤵
    PID:1652
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 7957 /add
      4⤵
      PID:536
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:656
- - C:\Windows\system32\net.exe
    net user 26333 /add
    3⤵
    PID:236
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 26333 /add
      4⤵
      PID:2908
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:444
- - C:\Windows\system32\net.exe
    net user 4162 /add
    3⤵
    PID:888
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 4162 /add
      4⤵
      PID:796
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:708
- - C:\Windows\system32\net.exe
    net user 13196 /add
    3⤵
    PID:2388
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 13196 /add
      4⤵
      PID:4388
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:1168
- - C:\Windows\system32\net.exe
    net user 17967 /add
    3⤵
    PID:5016
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 17967 /add
      4⤵
      PID:3976
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:228
- - C:\Windows\system32\net.exe
    net user 18415 /add
    3⤵
    PID:3680
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 18415 /add
      4⤵
      PID:4992
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:3092
- - C:\Windows\system32\net.exe
    net user 18466 /add
    3⤵
    PID:5112
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 18466 /add
      4⤵
      PID:1304
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:3812
- - C:\Windows\system32\net.exe
    net user 24547 /add
    3⤵
    PID:2704
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 24547 /add
      4⤵
      PID:1936
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:3808
- - C:\Windows\system32\net.exe
    net user 5508 /add
    3⤵
    PID:1492
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 5508 /add
      4⤵
      PID:2832
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:236
- - C:\Windows\system32\net.exe
    net user 27679 /add
    3⤵
    PID:5036
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 27679 /add
      4⤵
      PID:1992
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:4228
- - C:\Windows\system32\net.exe
    net user 30531 /add
    3⤵
    PID:1152
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 30531 /add
      4⤵
      PID:1236
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:4488
- - C:\Windows\system32\net.exe
    net user 2220 /add
    3⤵
    PID:3100
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 2220 /add
      4⤵
      PID:2216
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:1304
- - C:\Windows\system32\net.exe
    net user 23781 /add
    3⤵
    PID:5112
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 23781 /add
      4⤵
      PID:1604
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:1960
- - C:\Windows\system32\net.exe
    net user 9227 /add
    3⤵
    PID:536
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 9227 /add
      4⤵
      PID:3284
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:1256
- - C:\Windows\system32\net.exe
    net user 11164 /add
    3⤵
    PID:1212
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 11164 /add
      4⤵
      PID:1236
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:3112
- - C:\Windows\system32\net.exe
    net user 17555 /add
    3⤵
    PID:4992
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 17555 /add
      4⤵
      PID:4916
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:1420
- - C:\Windows\system32\net.exe
    net user 22175 /add
    3⤵
    PID:1372
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 22175 /add
      4⤵
      PID:536
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:4316
- - C:\Windows\system32\net.exe
    net user 1495 /add
    3⤵
    PID:1224
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 1495 /add
      4⤵
      PID:4916
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:4712
- - C:\Windows\system32\net.exe
    net user 5003 /add
    3⤵
    PID:536
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 5003 /add
      4⤵
      PID:1236
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:1224
- - C:\Windows\system32\net.exe
    net user 30220 /add
    3⤵
    PID:2704
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 30220 /add
      4⤵
      PID:1236
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:1236
- - C:\Windows\system32\net.exe
    net user 21153 /add
    3⤵
    PID:1152
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 21153 /add
      4⤵
      PID:888
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:5160
- - C:\Windows\system32\net.exe
    net user 31686 /add
    3⤵
    PID:5168
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 31686 /add
      4⤵
      PID:5188
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:5236
- - C:\Windows\system32\net.exe
    net user 8729 /add
    3⤵
    PID:5244
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 8729 /add
      4⤵
      PID:5268
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:5316
- - C:\Windows\system32\net.exe
    net user 28300 /add
    3⤵
    PID:5324
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 28300 /add
      4⤵
      PID:5344
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:5392
- - C:\Windows\system32\net.exe
    net user 7393 /add
    3⤵
    PID:5400
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 7393 /add
      4⤵
      PID:5428
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:5468
- - C:\Windows\system32\net.exe
    net user 8459 /add
    3⤵
    PID:5476
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 8459 /add
      4⤵
      PID:5500
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:5544
- - C:\Windows\system32\net.exe
    net user 18560 /add
    3⤵
    PID:5552
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 18560 /add
      4⤵
      PID:5572
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:5620
- - C:\Windows\system32\net.exe
    net user 20984 /add
    3⤵
    PID:5628
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 20984 /add
      4⤵
      PID:5648
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:5696
- - C:\Windows\system32\net.exe
    net user 8955 /add
    3⤵
    PID:5704
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 8955 /add
      4⤵
      PID:5732
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:5772
- - C:\Windows\system32\net.exe
    net user 24796 /add
    3⤵
    PID:5780
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 24796 /add
      4⤵
      PID:5800
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:5844
- - C:\Windows\system32\net.exe
    net user 26858 /add
    3⤵
    PID:5860
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 26858 /add
      4⤵
      PID:5880
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:5920
- - C:\Windows\system32\net.exe
    net user 20062 /add
    3⤵
    PID:5928
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 20062 /add
      4⤵
      PID:5948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:836

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4604

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:3388

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:6280

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6700

C:\Users\Admin\Desktop\Virus Maker.exe
"C:\Users\Admin\Desktop\Virus Maker.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7064

C:\Users\Admin\Desktop\Virus Maker.exe
"C:\Users\Admin\Desktop\Virus Maker.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y1ukygvy\y1ukygvy.cmdline"
  2⤵
  PID:6284
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCCA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7F111D241C654B7D844D393360C570E8.TMP"
    3⤵
    PID:4916

C:\Users\Admin\Desktop\pay1.exe
"C:\Users\Admin\Desktop\pay1.exe"
1⤵
- Executes dropped EXE
PID:3988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  - Modifies registry class
  PID:1392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K payload2.bat
    3⤵
    PID:904
  - - C:\Windows\system32\shutdown.exe
      shutdown -s -t 00 -c "byeeeeee"
      4⤵
      PID:5140
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\msg.vbs"
    3⤵
    PID:6044

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38a7855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:6536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d675539de5dda270fde9518dc8307ec4

SHA1
b6e208e1e3e42b1f67a78666402e692130626a20

SHA256
92cd0b6c701fa6fffbac801c63ef18b09fdf31414b98bbfcb7a8a2d9483ba8c8

SHA512
aba8ee2cc5da3bd090bb46c36f9d1042fe13df3d0cc8f5a7971b7aeff99be1fbad0836474d98bf514f8511738513f4af33e97a5434b0a957b895f4b71f3bbf2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
62d22b04cf5048cb341dc2bc806f85c6

SHA1
ac1e5a94b967ba441e3042ecbcde3fb80cf6d8fc

SHA256
91d78ad1a15d3fa25f9923b266b0fe519949d9394ab02f9c1a1b025b170191c8

SHA512
5b95423099c7fdf1f5c4f68ce2593198413cb68c80d9800490134c478a39f608d17cf466419a102ff424689175e615c2b6023cea58d4bdee2d2b83167b7c9d96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
71e31e0fc1690f5de846a663a083a441

SHA1
e3f58ca6e28d2a76d615e51338de08a1ab9afb07

SHA256
ce45af15432c26356689e1b39da53a10312e1778fb556efff8a432cce7537dcb

SHA512
446fb26565b4796b243bd9a7987c4a95c15cf18b28ccc06d3b71e97aa43a383185f5903e849ceef1005e7873a0af2adcdc5ab08811db07a2007ca985faedfebb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
2c0c1e2b765ff3b1e2b113e64b028581

SHA1
1d91cb828a2775f97d7237a2ad7431d7aaac9ce7

SHA256
5d4275163749696721f18d63b250c97e84918fc60d8e3f7fb5ab62b2e6932a8e

SHA512
69cd4d9496b543bf66a2377d60bf57fec844db3263bdc068fa21e167abedbe3ced2be029d1420229ba6bb5f152c52229c763c93d6d27af7ab9d7e6dec246570f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
8499c03db0c1c1f5a5371d824a2c37b9

SHA1
fad99ac2dfbbd690748c6a3142379e69f6a6308f

SHA256
5374caf7d4fcbb803392558fef6a1356829900e1b86e6a50a967755a026bfc21

SHA512
63ab4f4d27b6ea8f628475b1aba6d58a27ffb818f373f1f11e22cc6cb12041d56803a34fea4c41251b1d2c84fba3853d7183b3610c8f6d263f55f78d5763cd01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1d6b04189d12640701b95f5844345197

SHA1
a0b0d33d38280a57a64bbe5c52266af931f8b04a

SHA256
cb5d9658069b3598e3af5396cdd3cd41a01b75d55522055a9c390f49e8df5b19

SHA512
d2ad5f4763aaca7f51681dd9e4404fa98d0ea5970ee4f56864b8156cce554fcdbafcc3951a96abbfb74498e206a50145345c5e892a430010d503b54d08f6ad18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dc70c761c6521e03450912a3deee7526

SHA1
a01da836851b896defc3a2e3afb1687777489eb7

SHA256
7ddc82c5b4c501721e592bbd0953c1c5641184e240b347ab6e1a4434bc7f4d26

SHA512
b8a0a7d633a87268861b8081b42b73d4c6639f03a253c75738d46ca4d22d28d2d835b0484c8070f2849e5ff12cc67b7160d048ada2f1e0838c9cacc1acaa6834

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f4fa7ab64fd23c94139883b2c9537167

SHA1
024553a16bbff68ac6eff4e6d97c8139aff7df08

SHA256
054cc44127468ee9390a78aafda1c744fd2e692e477ed7e68f9d1a8ea3000729

SHA512
0480c018f99820e81611f16d6016edee07da7ef59a30e4b8d5d09d8bda71f27463dab9cbc081218e518d37d70ccd86c629e93edc1728a361ea9430741514df02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aadae94736f646c1c2dfa9139cd0f544

SHA1
f287e0b314101fdba9d3e2e27fcbf8980fffae5e

SHA256
658121c7b47b11ca3c227f9cc2c5eb1f5e9fbec1eff7c9cdcf61dafb144e49e7

SHA512
fd17c7105dd895eb2bb4cf0c7a91f1b7d817be0c26729317e7f6cd432294f3ef3385bd51677c05e6ff41524e33052a9a77b3be40edbdd2017c9945ae826ca46f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
83e308ec05f111f7bec1b2ff0fb843e0

SHA1
f5c652ae99c4519012c869e7fb9f5e041a78ef1c

SHA256
55ccf5bbc934df2e7dfe14e5db0f6281484326a11fad64a7d9b3f9f658212cf3

SHA512
8c7a124aaf77ace2cce42fa2f32c39d7f23a060bc97141ba5685bf7db94b2d355b06ccf3e4462e33813201ba5fa45a9af10c6b69d196765c59a4fc7564c1462b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
b3b14f3b8680c716c0c88442d39db1ff

SHA1
70080fa7ad36983ef0ad8db7d95415f8f262344b

SHA256
955dad4e041efa5e84a10706af1447080d1a6438f411f5e9fbea271ab7a65716

SHA512
21bbb31b4346801e58d2a4e79fabc95a07690707d4010ee96ed57171b13c3840d46101115eb850fdd06c2488490a249973a365c3324de9007e4e5b3bff810aa3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
a7fe2d21a1925fff1eb3e97d774b1ead

SHA1
8976be6066d3f950e0d129b6a257fb90d28276a6

SHA256
81b3f4882d6ddcf3c262c3b875822758cbe7c98020a577c43293e8b401c2c9e1

SHA512
37193b5b144ce2f7d23af6de046d155c606dbb4702f59b68b9ee8bdfdc6edc556e0590b28254d4ff09ff44ef3c638a5b5b991a11e8b969c2f20238629949b2d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
021c4ddbf0978d7995e73ccd6dbd4ae2

SHA1
b151a357e67ad47d5070bc2b121146a0bfc73944

SHA256
b44b58692ae8bfab9e2f34d4968c6b88501de1c86a4712f5ff29b58c6e970e37

SHA512
544ee521c601ff7a5ea0587ab75bb484eba8544e0698109e7c73c3759bcde2067c8a167172aa854600b7ad2ee37378336c2d17fea55a582d685b3105a9c793a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
9586b42368c64b82ad3a653e49a04836

SHA1
fdf6ac6ff58572cb7568f18b05ac5a94fc63888d

SHA256
703f621ebbdd86d04023a80ab85e3db620c78ce18e714f63bd0e8a47170ddffd

SHA512
a0688470a5ec9d48835e17ddf08fe5b177c95f02b5afd680d575cc296100a7ad5560dcf8a4993016ca33215877e10fd4202cd1f5f2a6a7668888da7f4dccd238

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE5BE.tmp

Filesize
1KB

MD5
225b1469e532682c8dee2e5ad9aec274

SHA1
6d05bd5da23e02587259fdc9fd41e201bcda18c5

SHA256
d818dbbc2bedbfd338e06e201194ede72b37a6353ff073467af109e57de5a653

SHA512
3bb77c0cfc2687e410c391190ab7b740150e15513e0bbac10423cb8c3bafa63ec95bb6a7372e44b2781a0e0dd88ad04a58de0d5920204d4e891b94761477d176

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.bat

Filesize
280B

MD5
dc7c814ef44e8d0717e21dad6b6b9aef

SHA1
84e0d8381b5b2231c9ea06bd0149bb9d2a6b667e

SHA256
2229079a60bc21e561423151f2ee0722a1a15ad82e7f3c23e9ddefe21a6ff163

SHA512
73d3646d0483994490a7f8b9f8a76ebf8dfb4565d2eac322f88238237a51cefeff02150da9e453909fdd992dbf973073e2acc4facea231a3570679144ffd97f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFD7F9285FF174942A8C5B68276D2DC9A.TMP

Filesize
1KB

MD5
8613ae825351a93c3b553256c3924f68

SHA1
003f76811704a58e1fdbc83e393c8e44345bfe15

SHA256
34fc9c4ffb23e0e6a6139108e0e26fcfd9b3fc29787262cb3c2e61ab0bdd4885

SHA512
bc0ce5aa2dc59f63dc77f34bb17f63e02566fecf9bf5e85ba837e3a41b6a37619501d9daa9489528caaae9216ff9941590379f9f954f6328bd738f0506c401ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytfmdtyn\ytfmdtyn.0.vb

Filesize
1KB

MD5
eae67998ba7a922e63355aecf20920e4

SHA1
01659b1ebd477edfc49cbd341e76a9262a3fd4cf

SHA256
1752a2a335f447f2dfbb92b8ed17539d84725863cc4360f08778b3983cd66d39

SHA512
e567d136b18a26199ab711be2d4c450b646f34a214c152d166898e01bf4333396fdfde184ec4772b89910299cedc4533184290eb587d84931018b2d112e9d411

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytfmdtyn\ytfmdtyn.cmdline

Filesize
175B

MD5
0e40d39b2fa24d88c148f2961429df6e

SHA1
db1607c119e48e9e6e8a35b3f8e2738b05699f27

SHA256
42cda8d18acfe17356243d9fca6a8fd34b3a88cb61f2748dbdd229653e5a69e5

SHA512
9d21cc2c98d9803868e134f13c8d5b1a3859cf3b027aa2bbae81ad14c72671d507ddf97992e8684b955fd94283fa8a464370c933688097ed05fb5379b4004786

Download Submit
C:\Users\Admin\Desktop\Virus Maker.exe

Filesize
3.7MB

MD5
c00845708ee4e6cbaa628a0886076c4d

SHA1
e011d28a40304957961654e62d00754a772fdee8

SHA256
16f14bd60c84a7838b99c34a791d5d334f08ee1e588c95162290ced38db8b092

SHA512
2b6a09b934ad6076008ad1b8bc960b6c3bf39968275f9f46fe1afbed7228eb196b46172c175106da70af80ad78aafc327869e71860af6472c74867dba022fb59

Download Submit
C:\Users\Admin\Desktop\msg.vbs

Filesize
60B

MD5
184c8fa5c3a20a8a209d8ca54b57a328

SHA1
0dbb507c884f34decde66ac5ce0993afeb4b554e

SHA256
981b9ae71c1bec5eaf7ab5e4172e3e335504a2e8eb5e7fa1e19a0de2df105856

SHA512
de795f3602e74fa9301f6c4c019039683dfebac96524f7158ab4836a9fd2b215722d8b2c0e00c3a9d7fabc537cafef68fd1e3e2157477b868ef86e677fc6a76f

Download Submit
C:\Users\Admin\Desktop\msg.vbs

Filesize
120B

MD5
9a091c5fd9c7a3c72b8bccb450b505c2

SHA1
47ca7d759c71a7f0c5500237dde1af48e62f9d82

SHA256
68d27d152914eba85af7f31adcb704425391d51127d99439970f9fe9bdff39dd

SHA512
88340c48f37a109af1bb640082ad2d391468fba008b829c64d52815d28f6dd86ec24205a8ce468b07eeaffde6dbf3350beb86dc0409435ceac3684d87a71bc31

Download Submit
C:\Users\Admin\Desktop\msg.vbs

Filesize
180B

MD5
0b1f8d24e7e23e2c022d9034dbdc7400

SHA1
f43037a4e87548bba0012b49944ada320128b4c8

SHA256
ab04ad0a94e04427860091da4888d6277fc90aab01f93dc257724806b39b7459

SHA512
c2e9dceb9e6180a39bed71077e5a2628eb12d2a79b5453ffef0dd1ab081bf9f31f8cc10dafe54698c098429a8816aa9a4f371a7efee414f039cf0fe8c05609fa

Download Submit
C:\Users\Admin\Desktop\msg.vbs

Filesize
240B

MD5
c3c39d100239fcdad06672c96fc41bf3

SHA1
8b0c374cf8055f1273f5a3e3487d7fe50d6713db

SHA256
a1d369ee132f5c75b34f034631d830bb4a9e55ef51b122c2a5082f115407e3c7

SHA512
4bf7dc6fba1759b9acbe837dbb3668ae9a434e0fc92274111c7d7e9b733ee02825bac5b607f7df220a0513c1139bbdeee596baffd60ce3548dccd51bcfb4b56b

Download Submit
C:\Users\Admin\Desktop\msg.vbs

Filesize
300B

MD5
3ba79a41c5a20f3284b615f6a01b98c8

SHA1
6358be9152df65accfbe7c9bd19e9946e504ed97

SHA256
cdf9764f73c439a96224d79e5defbfdbdb5ce05ba509317c5e0a2020e473c450

SHA512
0c090b157184cad3ef92be71331778b4deb75538cd4fc3b03449ffd01332e19869dd8b0860979e617ec887a5689444c0b14e92ab2633b5816ccd156c5cb51416

Download Submit
C:\Users\Admin\Desktop\msg.vbs

Filesize
360B

MD5
b67cbe4faa3d200a05175c9be21ab628

SHA1
afd59f8ac27ec880cd09a42b11426f0a50eb3caa

SHA256
bf385d6d31058f75d71cd824cdc5040553da6eda9ddf7854286f992b8c4acd3e

SHA512
323dd581791b041d5bdc8f10b0555302b2e8f262399d7d569202820d0e7f58734e6ab552335a6c3f10dd5d553c1112e0e9f448688ce70e3cec619fbc20f4fa33

Download Submit
C:\Users\Admin\Desktop\msg.vbs

Filesize
420B

MD5
165b835bd5db25808ada1fb0f0d1aab0

SHA1
7af6a92f7220060faa853bbbc9916798f8320dfa

SHA256
5ca85999186751d1463749c90e92e7785e3a7c84b9c1f3033c6ce49a3b984915

SHA512
6cc44c1e8f1bbfffb988d3d1916272adafc856abf836f34ba83fac8ea11f4624a4cfb874792b20234694aa8ccff0aa944e3512cf28cbf871cfe2df7a16da1305

Download Submit
C:\Users\Admin\Desktop\msg.vbs

Filesize
480B

MD5
28ce160a9cf29d4974209208e0a3ed59

SHA1
6bd3c72750c58267ea66962a8b4ccbca241a1136

SHA256
883945095f6f06026443def44d79384d411780c34265850555e836c5f74b354e

SHA512
0365767cbc122e6a6b0405ee831061d650dfcdc006554dfde8e3fdd01fd5a0835ab1f9a8788ed52d736fc4c51d80f33658b35fd3225f9dab79e561c099390ade

Download Submit
C:\Users\Admin\Desktop\msg.vbs

Filesize
540B

MD5
f5bc11a34808d8a5c54020c71b72c5ff

SHA1
074eed362f0e1f3579ca8bdf63b5963e072f4f62

SHA256
b963ec214574183e8e59f7768d8d0d445a067932ab9bb77ff99d07f3184fbd94

SHA512
fa84237b8cf11360657a352486f912e08569ef6e773d97c074d28e4b1f14dd20afbae22bef68abc303ba062c521f27f2105a8ce730906d8dec128bb08373e4a6

Download Submit
C:\Users\Admin\Desktop\msg.vbs

Filesize
600B

MD5
8b4cb55ab2f7b2e3acc8629198139aad

SHA1
5bd7d406a80ea5ecd0e50681ba8b53a60744e238

SHA256
55594a170f13cce10f148dc7abc25ebb95cb496f5aa6e5d092153a5304c92734

SHA512
73283717ef9a316843d29a4989253ec7341b0a4ea71eab879260ab2bef4bff5b8804032443b507d9e2741575b2c514a8e2d7f7126d25d45a2ae0933c4ac9c502

Download Submit
C:\Users\Admin\Desktop\msg.vbs

Filesize
660B

MD5
ae69bc5e95b78b6a59074d7366fef180

SHA1
a09336aaa25417c18c50b26f935ffaad609e6b2a

SHA256
ea72d9f7a24dc9f3502ee43aa548f32a472a05644037286ddccd9c3a995e0669

SHA512
a26f6724656f5750e11a0a344102e78efde6ca73ab87fab12423661f2060af9b6eec94147531b9f61d103a324ae0f34c22d98fc23ec43a9b7aaeb3e467a8fe2a

Download Submit
C:\Users\Admin\Desktop\msg.vbs

Filesize
720B

MD5
848b2cefa18b80cb3f37e1a9cf25af56

SHA1
8ae457e562045770f50c66c60a662ee74d670471

SHA256
340281f960f67f0a57f5aaa114e1173ccf8b6c505774069cbfa04edf3a79e1d8

SHA512
e9622d76c711449fb02bb4ee5c0e981bd8ad429e5bfad1025e1f81e894241ce6d50edd3b72fbf6aebf6c42d44e9f63b3634163c956aeb1a675c0084fad251b40

Download Submit
C:\Users\Admin\Desktop\msg.vbs

Filesize
780B

MD5
9db03ff6e2b709088d691f0d0adcad4c

SHA1
d1a529274cd05dcb524b56f829569f205b0c89f7

SHA256
9620c76a8984c9a6eeb12e5038bb96091ebb5e030f872ef28e4e3b4ee5bcca7c

SHA512
c6fcd703c616ce05d92e555c88cd7fd016ef0b389d23a7d41d7244a33c5f989e7318edf125604986014da74bcec46b5cc686b965b58c85f43d285e1ca88ca9d3

Download Submit
C:\Users\Admin\Desktop\msg.vbs

Filesize
840B

MD5
6d2df40baa9dbab65c9504e0767e50cb

SHA1
1462db202916262894f8dfecc883119a30d62388

SHA256
81029d9c93bcd80438e72f8c16297f1fde1e6ac69dbb9e2cf633493edee2bdc7

SHA512
ed752b2d8d3ad377248a12ac8d484355f91c8d44af117f2de557a6cd3a94d57144c121211b22daa72af5787bbffcc73cc2c317a358c6f488316221152e2919c9

Download Submit
C:\Users\Admin\Desktop\msg.vbs

Filesize
900B

MD5
e9e0a14b5aeb249243f50ce8067adcf0

SHA1
9eff20f50afda4e9f15ae1e04c00805dcea0fae0

SHA256
ba4ce157b09fc3efa63670523594d995bf7ba97dbc25a846587d8efac6fc4ba6

SHA512
df82713ccab4874d53bf8ce1820ec517f77119b545df0c304bab1a0aaecd6c47e272016b3a6aac5c41a2ec1d3d4a88410b4010c87e90ea3df6e1d829cfda29fc

Download Submit
C:\Users\Admin\Desktop\msg.vbs

Filesize
960B

MD5
36d4071918cff6feb89568390d6d34a9

SHA1
e49e88393131ebd014a9561089dc234c75b55d83

SHA256
08288a7358b53b25a8ba87cb30d2827f17bd97e4a0db3c921e279b05d48edd2a

SHA512
2fc8dc3327af0f378761a26c3767437765d1d6ef75d5568f499f637cff69cd95adf466332cfd48da0cb86782a5a40322e491bdf571cad23cda29a60a8de4fcb3

Download Submit
C:\Users\Admin\Desktop\msg.vbs

Filesize
1020B

MD5
0ef8ca080cfbb5867dce9c88ad6c384e

SHA1
ab6bc9981fc1e41e53e217b48db472af1f99d986

SHA256
1d7bd3c1c297d4aae9e3a4b009fdcc1dfce9480a1b73f9f85c266a000c82f3c0

SHA512
a35dd897b57f870d5eca3818576e95365d57153b9076efe9734b847e3ed024e3dcd31e3159b05157ec529e91bb82c917b34e450a7175eae90fab91dd834e32e5

Download Submit
C:\Users\Admin\Desktop\msg.vbs

Filesize
1KB

MD5
9be841f5263c99c620758e2e7c4e89a6

SHA1
2dee9a99d943c1f59d8acfbf31c57f9aa70b4ded

SHA256
83fc7d41ea71f6dea74fc724502d12062079fa24a259040ca171e3361df8d889

SHA512
6b48ca855dcd0c740e41de18375266bd42541a5abc64d484491469f6f3c93172dd1d8f8a703f92b401f1cbbd612a5cb65f11c4b6cb3d4b9ff713f52d24b54c1e

Download Submit
C:\Users\Admin\Desktop\msg.vbs

Filesize
1KB

MD5
a5e042fe92ec0fc23e5f8022530d7621

SHA1
c04cdb321f87806fe1a43e1a63e408965270191b

SHA256
94d93f14ea43f199a903026f7998c8097ba8b086bbcf88469ae90a76f58c556a

SHA512
23bc0d872fe8a02e206b74acd1742015e4c9186b14d4e80aef59dd4e5cbcd6357249bb3ae22054ce4fd5d22ac982eb8c6815673fd2fa34ad73498497232c053c

Download Submit
C:\Users\Admin\Desktop\msg.vbs

Filesize
1KB

MD5
3d44991d51df7a725462b95d5a1dc5fa

SHA1
aee5ff3117c7121a35f13326ed630bbc68365ea5

SHA256
0ad49a509a1e2a86b34a8ce983dac2342f67f0af991c0377e99db2bc328d600f

SHA512
7cd140b40e338f66524ad61993d5b21d128babeb4c3d4620b7e6a28d9c24a33e7f0f1d5e7713c6179b4fb8a0f88d813306b3548e3bcaff9d1438d8ea3f84f8db

Download Submit
C:\Users\Admin\Desktop\msg.vbs

Filesize
1KB

MD5
236772a4ca1e66173382d41d22559b7f

SHA1
5542be59eb32f4934939c473daebc610cfcd37ad

SHA256
38fbb9f9df16a9a6f22d3b7d713169c1c2fffddf7ef883a77144702c434be6a6

SHA512
5d9eb3091ffd5d43bd8379a084fe00151dd5a31f48a42dbb6973e8ee625e27f15cc9d76ecd9354318adda845f4633c48c94efbc521a5d4bef72782d21d6758e9

Download Submit
C:\Users\Admin\Desktop\msg.vbs

Filesize
1KB

MD5
33c9544184bf675e9c4e3980571b87fc

SHA1
57ff9d17ebc3675b47e82b68c898c80e58bdbf3a

SHA256
bd135a49e45e83dffab47b63515ffb7a78678c97728c1a9166115f802e10bc1a

SHA512
894614d171aa22da410378ec69fe2a741ae67e135ff896ade8ef678e0cddc58c0c0d963d8c39219c5947f99452bc4cf1ee275ec6727accae5838bbe5946422ad

Download Submit
C:\Users\Admin\Desktop\msg.vbs

Filesize
1KB

MD5
bf50feff5d7a31b8fbc3fc1e0811426c

SHA1
a475102583c77f1b015bd6350d281260bc0cf8c4

SHA256
6ff18bb6c176f3a548a00dec7eec807dba7a8c311a3df63101fd3ab55b614d3f

SHA512
684bcaa9324d5a7a1a3f1c1c430f21a939eddbfb78b5619229efeeb06a408381bd9fed5310d549fa1b04de7d445e963d308f3069e31d59cfb6cc2f49ea9d21e7

Download Submit
C:\Users\Admin\Desktop\msg.vbs

Filesize
1KB

MD5
ebbe0f45c435f8dd20288e4e92f393d6

SHA1
f8a85debcf6ae1556003fb3e0d3acfb695c3a1a0

SHA256
1cb8afeadba22b5618b2efa332dcc171b1746efecdb63dda3b06f82414d88b4d

SHA512
8592283738081601935d9d1b1c2f9f56739f80906b14caf3ccecd85b34d665e4fa213a6fc6928e1c953987ae34a5235c55f38792d2eb4f419f241806c5915dcd

Download Submit
C:\Users\Admin\Desktop\msg.vbs

Filesize
1KB

MD5
acd0270340d6c9713cba743fd36267e2

SHA1
a62ceeee979f781452669c808cec6011701c3b12

SHA256
5c4c53fb12860f6e7d84be6d29e02e3d43cb47b7b54c697c697e492e6e1b0539

SHA512
22f49ce5aa3b16e85b8e90f6ae32b54ccf9af6ab15e3bbc412a1cea1de41c0098fa592e332592445623e107a0e4d140ac9b49289b8dd459cabcf9290a63c97ad

Download Submit
C:\Users\Admin\Desktop\msg.vbs

Filesize
4KB

MD5
798b1b0e1eb814e03820499148f497e1

SHA1
09bfc6411e4b7bc485d6cd8db381a633d229ad10

SHA256
ea8eb4171306b411eaf7451177183022af10b2b6a3f25a5e8ea1d00d8f0c2bf2

SHA512
e7927730b2a53c3a6fcd78aa729507390402bce6682bfcbfdd0a19b22c462c9189e81a00a6c1108bab83d9e77a7c07c4c09e168cae2f96a9cb84640a5d341def

Download Submit
C:\Users\Admin\Desktop\upddisable.exe

Filesize
8KB

MD5
aad449f6fb8ff1e131eb12f90992b2dc

SHA1
d8e43455cb905455648046d7af9b3db25b873d4c

SHA256
9fe54253c430d8efad3c81fbd98a0e0172197fae87738cb20a3363bcee0ff724

SHA512
49c5ca226ad80cda4d9889ca26debf4e182b04b227a1786659be7497d845b30cd6f90fcec220c544ef3a99961c98ba945781ad7e2a0f5ca8895e8e6a6f4266bf

Download Submit
memory/3988-614-0x00000000007D0000-0x00000000007D8000-memory.dmp

Filesize
32KB

Download
memory/4952-245-0x0000000005460000-0x00000000054B6000-memory.dmp

Filesize
344KB

Download
memory/4952-244-0x0000000005240000-0x000000000524A000-memory.dmp

Filesize
40KB

Download
memory/4952-243-0x00000000052D0000-0x0000000005362000-memory.dmp

Filesize
584KB

Download
memory/4952-242-0x00000000057E0000-0x0000000005D86000-memory.dmp

Filesize
5.6MB

Download
memory/4952-241-0x0000000005190000-0x000000000522C000-memory.dmp

Filesize
624KB

Download
memory/4952-240-0x0000000000350000-0x00000000006FE000-memory.dmp

Filesize
3.7MB

Download
memory/4992-263-0x0000000000DD0000-0x0000000000DD8000-memory.dmp

Filesize
32KB

Download
memory/6700-593-0x000002A8C7490000-0x000002A8C7491000-memory.dmp

Filesize
4KB

Download
memory/6700-589-0x000002A8C7490000-0x000002A8C7491000-memory.dmp

Filesize
4KB

Download
memory/6700-588-0x000002A8C7490000-0x000002A8C7491000-memory.dmp

Filesize
4KB

Download
memory/6700-598-0x000002A8C7490000-0x000002A8C7491000-memory.dmp

Filesize
4KB

Download
memory/6700-597-0x000002A8C7490000-0x000002A8C7491000-memory.dmp

Filesize
4KB

Download
memory/6700-596-0x000002A8C7490000-0x000002A8C7491000-memory.dmp

Filesize
4KB

Download
memory/6700-595-0x000002A8C7490000-0x000002A8C7491000-memory.dmp

Filesize
4KB

Download
memory/6700-594-0x000002A8C7490000-0x000002A8C7491000-memory.dmp

Filesize
4KB

Download
memory/6700-599-0x000002A8C7490000-0x000002A8C7491000-memory.dmp

Filesize
4KB

Download
memory/6700-587-0x000002A8C7490000-0x000002A8C7491000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads