Analysis
max time kernel
871s
max time network
879s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags
arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system
submitted
27-08-2024 14:56
Static task
static1
Behavioral task
behavioral1
Sample
tyler.jpg
Resource
win11-20240802-en
Errors
General
Target
tyler.jpg
Size
47KB
MD5
a4e8e2d3b2f54a7d91f73f25280e29f4
SHA1
77ecb0a6391a72b0deba66b651adc70aa9e31e97
SHA256
67b2c63de52b106cb5067d162d231d04d9a4c977b470014b8bd7e3142451c0c7
SHA512
5c100af3d55901a5aff5c53490c797b243315cd66a2c319cdbcd1b15308470fcda987222bf236ef415fdd35cd0803b9b08aac8843d2d9fcdbf1f79d4e5fadb48
SSDEEP
768:HDZyIdPap+jg0263KE+lP2CDvz9IT7S+uulO+M0+Kd4d9gg770gde4avcC+8JnGs:HDRdPE+kA6EO2O+z5lfV+KdA9gg7Y4a5
Malware Config
Extracted
revengerat
Guest
0.tcp.ngrok.io:19521
RV_MUTEX
Extracted
crimsonrat
185.136.161.124
Signatures
Chimera 64 IoCs
Ransomware which infects local and network files, often distributed via Dropbox links.
description / flow | ioc | Process
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jre-1.8\lib\deploy\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Microsoft Office\root\Office16\Configuration\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-sl\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
flow 91 | bot.whatismyipaddress.com | Process not Found
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection | msedge.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
Chimera Ransomware Loader DLL 1 IoCs
Drops/unpacks executable file which resembles Chimera's Loader.dll.
resource | yara_rule
behavioral1/memory/1672-799-0x0000000010000000-0x0000000010010000-memory.dmp | chimera_loader_dll
CrimsonRAT main payload 1 IoCs
resource | yara_rule
behavioral1/files/0x000100000002ad05-507.dat | family_crimsonrat
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
RevengeRAT
Remote-access trojan with a wide range of capabilities.
Renames multiple (3280) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
RevengeRat Executable 1 IoCs
resource | yara_rule
behavioral1/files/0x000d00000002ad26-781.dat | revengerat
Disables Task Manager via registry modification
Drops startup file 4 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93b36425.exe | explorer.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | RegSvcs.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:Zone.Identifier:$DATA | RegSvcs.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | RegSvcs.exe
Executes dropped EXE 64 IoCs
pid | Process
5336 | dlrarhsiva.exe
4680 | svchost.exe
3740 | butterflyondesktop.tmp
5840 | ButterflyOnDesktop.exe
2592 | svchost.exe
668 | svchost.exe
4664 | svchost.exe
3020 | svchost.exe
880 | svchost.exe
5960 | svchost.exe
4236 | svchost.exe
976 | Free YouTube Downloader.exe
4340 | svchost.exe
3008 | taskhost.exe
2224 | svchost.exe
1492 | svchost.exe
1488 | taskhost.exe
4056 | svchost.exe
4732 | svchost.exe
2052 | taskhost.exe
2704 | svchost.exe
2308 | svchost.exe
1956 | taskhost.exe
3288 | svchost.exe
1952 | svchost.exe
4216 | taskhost.exe
3352 | svchost.exe
5304 | svchost.exe
1368 | taskhost.exe
3204 | svchost.exe
2604 | svchost.exe
2884 | taskhost.exe
1344 | svchost.exe
1828 | svchost.exe
964 | taskhost.exe
2880 | svchost.exe
5016 | svchost.exe
4648 | taskhost.exe
1928 | svchost.exe
3536 | svchost.exe
5256 | taskhost.exe
3084 | svchost.exe
5388 | svchost.exe
668 | taskhost.exe
2484 | svchost.exe
4724 | svchost.exe
1228 | taskhost.exe
1932 | svchost.exe
1184 | svchost.exe
1068 | taskhost.exe
5208 | svchost.exe
5652 | svchost.exe
5712 | taskhost.exe
1008 | svchost.exe
2776 | svchost.exe
3720 | taskhost.exe
1744 | svchost.exe
4700 | svchost.exe
3236 | taskhost.exe
4980 | svchost.exe
812 | svchost.exe
736 | taskhost.exe
5200 | svchost.exe
5548 | svchost.exe
resource | yara_rule
behavioral1/memory/3656-9146-0x0000000000400000-0x0000000000409000-memory.dmp | upx
behavioral1/memory/3656-9148-0x0000000000400000-0x0000000000409000-memory.dmp | upx
behavioral1/memory/2864-9152-0x0000000000400000-0x0000000000409000-memory.dmp | upx
behavioral1/memory/6060-9155-0x0000000000400000-0x0000000000454000-memory.dmp | upx
behavioral1/memory/6060-9157-0x0000000000400000-0x0000000000454000-memory.dmp | upx
Uses the VBS compiler for execution 1 TTPs
Adds Run key to start application 2 TTPs 9 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\93b36425 = "C:\\Users\\Admin\\AppData\\Roaming\\93b36425.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop | butterflyondesktop.tmp
Set value (str) | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe" | RegSvcs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*3b3642 = "C:\\93b36425\\93b36425.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*3b36425 = "C:\\Users\\Admin\\AppData\\Roaming\\93b36425.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe" | FreeYoutubeDownloader.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Netagent = "c:\\windows\\system\\sysfile.exe" | Sevgi.a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Netagent = "c:\\windows\\system\\sysfile.exe" | Sevgi.a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\93b3642 = "C:\\93b36425\\93b36425.exe" | explorer.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops desktop.ini file(s) 26 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | HawkEye.exe
File opened for modification | C:\Program Files\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\desktop.ini | HawkEye.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | HawkEye.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\B: | unregmp2.exe
File opened (read-only) | \??\M: | unregmp2.exe
File opened (read-only) | \??\K: | 000.exe
File opened (read-only) | \??\S: | 000.exe
File opened (read-only) | \??\U: | unregmp2.exe
File opened (read-only) | \??\B: | 000.exe
File opened (read-only) | \??\Q: | 000.exe
File opened (read-only) | \??\U: | 000.exe
File opened (read-only) | \??\X: | wmplayer.exe
File opened (read-only) | \??\H: | unregmp2.exe
File opened (read-only) | \??\N: | unregmp2.exe
File opened (read-only) | \??\S: | unregmp2.exe
File opened (read-only) | \??\W: | unregmp2.exe
File opened (read-only) | \??\L: | 000.exe
File opened (read-only) | \??\G: | wmplayer.exe
File opened (read-only) | \??\H: | wmplayer.exe
File opened (read-only) | \??\U: | wmplayer.exe
File opened (read-only) | \??\G: | 000.exe
File opened (read-only) | \??\G: | unregmp2.exe
File opened (read-only) | \??\A: | wmplayer.exe
File opened (read-only) | \??\M: | wmplayer.exe
File opened (read-only) | \??\J: | 000.exe
File opened (read-only) | \??\V: | wmplayer.exe
File opened (read-only) | \??\F: | svchost.exe
File opened (read-only) | \??\F: | svchost.exe
File opened (read-only) | \??\K: | unregmp2.exe
File opened (read-only) | \??\P: | unregmp2.exe
File opened (read-only) | \??\R: | unregmp2.exe
File opened (read-only) | \??\P: | wmplayer.exe
File opened (read-only) | \??\R: | wmplayer.exe
File opened (read-only) | \??\A: | 000.exe
File opened (read-only) | \??\E: | unregmp2.exe
File opened (read-only) | \??\E: | 000.exe
File opened (read-only) | \??\Y: | unregmp2.exe
File opened (read-only) | \??\N: | wmplayer.exe
File opened (read-only) | \??\I: | 000.exe
File opened (read-only) | \??\R: | 000.exe
File opened (read-only) | \??\H: | 000.exe
File opened (read-only) | \??\M: | 000.exe
File opened (read-only) | \??\O: | 000.exe
File opened (read-only) | \??\T: | 000.exe
File opened (read-only) | \??\B: | wmplayer.exe
File opened (read-only) | \??\W: | wmplayer.exe
File opened (read-only) | \??\J: | unregmp2.exe
File opened (read-only) | \??\L: | wmplayer.exe
File opened (read-only) | \??\Z: | 000.exe
File opened (read-only) | \??\Y: | 000.exe
File opened (read-only) | \??\L: | unregmp2.exe
File opened (read-only) | \??\Z: | unregmp2.exe
File opened (read-only) | \??\J: | wmplayer.exe
File opened (read-only) | \??\Q: | wmplayer.exe
File opened (read-only) | \??\T: | wmplayer.exe
File opened (read-only) | \??\Y: | wmplayer.exe
File opened (read-only) | \??\V: | 000.exe
File opened (read-only) | \??\Q: | unregmp2.exe
File opened (read-only) | \??\T: | unregmp2.exe
File opened (read-only) | \??\X: | unregmp2.exe
File opened (read-only) | \??\K: | wmplayer.exe
File opened (read-only) | \??\O: | wmplayer.exe
File opened (read-only) | \??\A: | unregmp2.exe
File opened (read-only) | \??\V: | unregmp2.exe
File opened (read-only) | \??\E: | wmplayer.exe
File opened (read-only) | \??\I: | wmplayer.exe
File opened (read-only) | \??\Z: | wmplayer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
flow | ioc
147 | 0.tcp.ngrok.io
173 | 0.tcp.ngrok.io
209 | 0.tcp.ngrok.io
228 | 0.tcp.ngrok.io
247 | 0.tcp.ngrok.io
251 | 0.tcp.ngrok.io
72 | 0.tcp.ngrok.io
95 | 0.tcp.ngrok.io
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
280 | ip-addr.es
55 | ip-addr.es
67 | ip-addr.es
91 | bot.whatismyipaddress.com
136 | ip-addr.es
170 | ip-addr.es
206 | ip-addr.es
242 | ip-addr.es
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Control Panel\Desktop\Wallpaper | 000.exe
Suspicious use of SetThreadContext 20 IoCs
description | pid | Process | procid_target
PID 4788 set thread context of 4792 | 4788 | RevengeRAT.exe | 120
PID 4792 set thread context of 3888 | 4792 | RegSvcs.exe | 121
PID 4680 set thread context of 5736 | 4680 | svchost.exe | 192
PID 5736 set thread context of 5864 | 5736 | RegSvcs.exe | 193
PID 2592 set thread context of 2460 | 2592 | svchost.exe | 242
PID 2460 set thread context of 6104 | 2460 | RegSvcs.exe | 243
PID 668 set thread context of 5216 | 668 | svchost.exe | 246
PID 5216 set thread context of 3556 | 5216 | RegSvcs.exe | 247
PID 4664 set thread context of 336 | 4664 | svchost.exe | 250
PID 336 set thread context of 2180 | 336 | RegSvcs.exe | 251
PID 3020 set thread context of 5896 | 3020 | svchost.exe | 254
PID 5896 set thread context of 5400 | 5896 | RegSvcs.exe | 255
PID 880 set thread context of 3948 | 880 | svchost.exe | 258
PID 3948 set thread context of 3980 | 3948 | RegSvcs.exe | 259
PID 5960 set thread context of 4356 | 5960 | svchost.exe | 263
PID 4356 set thread context of 3284 | 4356 | RegSvcs.exe | 264
PID 4236 set thread context of 4688 | 4236 | svchost.exe | 276
PID 4688 set thread context of 668 | 4688 | RegSvcs.exe | 277
PID 2440 set thread context of 1864 | 2440 | svchost.exe | 416
PID 1864 set thread context of 3404 | 1864 | RegSvcs.exe | 417
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\Doughboy.scale-125.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\merge-styles\lib-commonjs\keyframes.js | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\WeatherStoreLogo.scale-125.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\GetHelpAppList.targetsize-80.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\Timer3Sec.targetsize-32.png | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-fr\ui-strings.js | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-200_contrast-white.png | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pl-pl\ui-strings.js | HawkEye.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-180.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-30_altform-lightunplated_contrast-black.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\Classic\Klondike.Wide.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreSplashScreen.scale-200.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-200_contrast-black.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\NewsAppList.targetsize-30_altform-lightunplated.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-40.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-36_altform-unplated.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-30_altform-unplated.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_altform-unplated_contrast-white.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\createRef.js | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\ui-strings.js | HawkEye.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\NewsAppList.targetsize-60_altform-unplated_contrast-white.png | HawkEye.exe
File created | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleLargeTile.scale-100.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_altform-unplated_contrast-black.png | HawkEye.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\trdtv2r41.xsl | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\NewsAppList.targetsize-64_altform-lightunplated.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-30_altform-lightunplated_contrast-black.png | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Close.png | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sv-se\ui-strings.js | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Xbox_SplashScreen.scale-100.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\msapp-error.html | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-40.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-16_altform-unplated.png | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_selected_18.svg | HawkEye.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.png | HawkEye.exe
File opened for modification | C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.png | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\warning_2x.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\SelectedItemsList.js | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\compat\Button.js | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\NotepadAppList.targetsize-96_altform-unplated.png | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-commonjs\types\index.js | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\he-il\ui-strings.js | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.scale-200_contrast-white.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\GroupedList\index.js | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-72.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_x64__8wekyb3d8bbwe\Assets\Xbox_AppList.scale-200_contrast-white.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_contrast-white.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\Overlay.js | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\ui-strings.js | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-64_altform-lightunplated_contrast-black.png | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\ui-strings.js | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\cs-cz\ui-strings.js | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\Store\SplashScreen.scale-125.png | HawkEye.exe
Drops file in Windows directory 8 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe | FreeYoutubeDownloader.exe
File opened for modification | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe | FreeYoutubeDownloader.exe
File created | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini | FreeYoutubeDownloader.exe
File created | C:\Windows\notepad.dll.sys.exe | Zika.exe
File opened for modification | C:\Windows\notepad.dll.sys.exe | Zika.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | svchost.exe
File opened for modification | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe | FreeYoutubeDownloader.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target | Process | procid_target
348 | 2808 | WerFault.exe | 420
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Kills process with taskkill 2 IoCs
pid | Process
2256 | taskkill.exe
4972 | taskkill.exe
Modifies registry class 23 IoCs
NTFS ADS 23 IoCs
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1820 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid | Process
1520 | OpenWith.exe
1352 | Sevgi.a.exe
2976 | Sevgi.a.exe
Suspicious behavior: MapViewOfSection 2 IoCs
pid | Process
1092 | CryptoWall.exe
852 | explorer.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 14 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\tyler.jpg1⤵PID:4856
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Chimera
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4232 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff69d23cb8,0x7fff69d23cc8,0x7fff69d23cd82⤵PID:504
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1872 /prefetch:22⤵PID:4464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1520
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:82⤵PID:2260
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:12⤵PID:4456
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵PID:872
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:12⤵PID:1844
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:12⤵PID:5820
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:240
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:12⤵PID:2568
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:12⤵PID:3912
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:12⤵PID:3956
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:12⤵PID:2012
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5684 /prefetch:82⤵PID:3228
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5696 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5888
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:12⤵PID:2808
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:12⤵PID:5804
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:12⤵PID:1680
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6464 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:872
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:12⤵PID:4376
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:12⤵PID:2324
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:12⤵PID:4688
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:584
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1312 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5836
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:12⤵PID:2056
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:12⤵PID:5896
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1608
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5580
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1504
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CryptoWall.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CryptoWall.exe"1⤵
- Suspicious behavior: MapViewOfSection
PID:1092
C:\Windows\SysWOW64\explorer.exe"C:\Windows\syswow64\explorer.exe"2⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
PID:852
C:\Windows\SysWOW64\svchost.exe-k netsvcs3⤵PID:5992
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4788
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:4792
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵PID:3888
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a0dgwxne.cmdline"3⤵PID:2576
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDBF0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc51501822919D442D895662A8F98A3272.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:5880
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xhlsktv4.cmdline"3⤵PID:676
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC9C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc74173E1DD634135AE5DBE1C3ADDCE7.TMP"4⤵PID:3000
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ar5qqvyc.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:5296
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD09.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB2A6411982CA4FE4AFE1CE79FD3CFFF4.TMP"4⤵PID:336
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qnrzjkrx.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:4208
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD77.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3A63AE6EC6FD4E57B161D5D628D71654.TMP"4⤵PID:5116
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gjvwqly5.cmdline"3⤵PID:1536
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE23.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc49A19A9BC5B84D528EFE66F7F1F6AAB6.TMP"4⤵PID:5756
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ti7slir-.cmdline"3⤵PID:1672
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDEA0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF13AEA1EAA9D40D2A159D8B8D1868CA2.TMP"4⤵PID:4880
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\txlz_2d_.cmdline"3⤵PID:1060
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF0D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D97374361B34D80A4E13F470452DE4.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:5556
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xu3-gubl.cmdline"3⤵PID:6088
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF7A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC820091FAA43FFAD8743E0012FBF9.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:1180
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kkbq_nig.cmdline"3⤵PID:3204
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDFE8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5BB463AAA3344EDE8B2ECCD32CAA67BC.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:2540
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vxmzpsgw.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:5624
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE055.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCABC9649EF974364B4CD53D68F8FF9C2.TMP"4⤵PID:3320
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fxynonoi.cmdline"3⤵PID:3592
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0C3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1127028429364F9A8CC4428EBA696F82.TMP"4⤵PID:4996
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ot3btmh6.cmdline"3⤵PID:920
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE140.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6FA719A995174E7B8EA08555EB2F6B28.TMP"4⤵PID:2136
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kexetxfq.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:6068
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE19D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA1FFAEC6CFFF42F6A59D184C80262BAD.TMP"4⤵PID:2336
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5glsbtx3.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:4676
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE20B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2C5EA827E40D4889A0D88B71EE49874.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:4648
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\96c9vdyv.cmdline"3⤵PID:3424
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE288.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc800CE4A5B0704FCCBB304D38F9DD8810.TMP"4⤵PID:1012
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lgupcxjy.cmdline"3⤵PID:5520
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE305.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC328533C11894A79AFFF53E1C68EDD9.TMP"4⤵PID:5608
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7o9mqxkz.cmdline"3⤵PID:5772
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE391.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1A2FD9EE12440D3895D566E1A80A95.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:4744
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xlwc0ipe.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:4720
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3FF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc20E88E9E77C4AE8B648553C674A4FB0.TMP"4⤵PID:3908
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w_sf2_ne.cmdline"3⤵PID:1800
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE45C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBEAEF08BE0304EED8B6AC56D258A92F.TMP"4⤵PID:668
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_ib6jf6m.cmdline"3⤵PID:4664
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB36D8D90D70C45EDB8715BE1AE562A93.TMP"4⤵PID:3000
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cszqclbx.cmdline"3⤵PID:1064
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE537.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5508BE1CADFE4CBA97706582EDF1C679.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:5628
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\omgyehiq.cmdline"3⤵PID:4944
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5B4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE138846F2854C3687A575B247F69A73.TMP"4⤵PID:5576
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4680
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:5736
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"5⤵
- System Location Discovery: System Language Discovery
PID:5864
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"5⤵
- Scheduled Task/Job: Scheduled Task
PID:1820
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6nkfbd0m.cmdline"5⤵
- System Location Discovery: System Language Discovery
PID:3168
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D0E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA808FC774EE45AD997452FBCD412D2A.TMP"6⤵PID:3228
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dr6pgtmu.cmdline"5⤵PID:1848
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D9A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2D1C4B5ACF21418CAE3D51CB599EC5D.TMP"6⤵
- System Location Discovery: System Language Discovery
PID:4224
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wi5ex7ct.cmdline"5⤵
- System Location Discovery: System Language Discovery
PID:4608
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E17.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD92F7377E0904C64B43115F6FFC0EE39.TMP"6⤵PID:2032
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ua3fzduw.cmdline"5⤵PID:6032
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E85.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD2F062FEA2B64E3EA9A313A4C0C3C033.TMP"6⤵PID:1208
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nfpdlzo-.cmdline"5⤵
- System Location Discovery: System Language Discovery
PID:668
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F02.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD439EB3BD81A46F2A31CA75D26E8FD49.TMP"6⤵PID:5352
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uljf0nws.cmdline"5⤵PID:3020
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F7F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDA30B396DA6942C3B2C4E770A97297D3.TMP"6⤵
- System Location Discovery: System Language Discovery
PID:5628
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\owriua1a.cmdline"5⤵PID:5968
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA00B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC49640E45CB54AB697CCBE9FF43AF6C3.TMP"6⤵PID:5792
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1th_zprm.cmdline"5⤵PID:2544
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA069.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA29DF7C13EA41CA9666F8CEDB781B50.TMP"6⤵PID:4484
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ijptltre.cmdline"5⤵PID:2880
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAC2B20AB8066449B86A3EECA8AEFFE64.TMP"6⤵
- System Location Discovery: System Language Discovery
PID:1840
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g5bqf-pt.cmdline"5⤵PID:1636
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA134.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4A5BA1F870A04C5EA2CA1B4B1E245EED.TMP"6⤵PID:4328
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yaasgmt-.cmdline"5⤵PID:804
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES54C8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc210D8471DF4A41BAEBCBB1CCE7B429.TMP"6⤵PID:2084
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hvgbtpya.cmdline"5⤵PID:5212
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5535.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F8045616034402A8823CFB03BACB26.TMP"6⤵PID:4460
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uhqoipso.cmdline"5⤵PID:4616
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y0ayfywh.cmdline"5⤵
- System Location Discovery: System Language Discovery
PID:3496
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55F1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC68ADA7CDEA74C9090ACE6776B2A3C.TMP"6⤵PID:996
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xhca86hz.cmdline"5⤵PID:5272
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES565E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC2C688F4E9C84BF7995AF0BDCE148FB8.TMP"6⤵PID:4032
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gxldnbhz.cmdline"5⤵PID:496
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB6443FC0AFC94566804F581BE8DD26D6.TMP"6⤵PID:6008
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zmq3of2v.cmdline"5⤵
- System Location Discovery: System Language Discovery
PID:2896
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5748.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc327C098ACC3A40B983FD1CA28E1F4A39.TMP"6⤵PID:5280
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\otstmiai.cmdline"5⤵PID:5536
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57B6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc835F74479B854BFC9A35BE4C2F3E683.TMP"6⤵PID:4064
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hsnbtmtj.cmdline"5⤵PID:3380
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5833.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3E5CD5ED65A4943B7E6851D283A889B.TMP"6⤵
- System Location Discovery: System Language Discovery
PID:5116
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qja4a2nk.cmdline"5⤵PID:2792
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES58A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F89AFEABAA24D5592C93F246E9F8C1.TMP"6⤵PID:692
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xqazpibx.cmdline"5⤵PID:5404
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES590D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3502CD1D99C74BD68EE164C8EA72FEB.TMP"6⤵PID:5448
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vki49rqs.cmdline"5⤵PID:2512
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES598A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB6A0FC5D8A684FE6A4988A72A48B103A.TMP"6⤵
- System Location Discovery: System Language Discovery
PID:584
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rmxoyeaz.cmdline"5⤵PID:2352
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES59E8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE6CE288F9AB648B9BE5992E0D18AA83B.TMP"6⤵PID:1124
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u_b4ymzd.cmdline"5⤵PID:2164
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A56.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc47B09020A4CC412A82741A36D4C854C8.TMP"6⤵PID:2988
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u2xflg30.cmdline"5⤵PID:5176
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5AC3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE10CBD702D3D45A4ADB74490163FF99D.TMP"6⤵PID:1424
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ksozbmit.cmdline"5⤵PID:5004
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B40.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD955F8AB72442DAB062272E491E490.TMP"6⤵PID:1208
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ihuk6w6b.cmdline"5⤵
- System Location Discovery: System Language Discovery
PID:4396 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BAD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9F92ACB9661342DC9BD569C342CA3D4.TMP"6⤵PID:5748
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ytnmcq2a.cmdline"5⤵PID:1944
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C1B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBDC29DBE83B747DD9FB2336AA41D5D8.TMP"6⤵PID:5588
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jlib7jpt.cmdline"5⤵PID:3204
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C98.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF0F4202B44F2471F814D89E36844C7E8.TMP"6⤵PID:2604
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rzmtgdc_.cmdline"5⤵PID:2324
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D05.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2E88F241662A4D23ABDD119CE18D3D8F.TMP"6⤵
- System Location Discovery: System Language Discovery
PID:3244
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t0hjq9j0.cmdline"5⤵
- System Location Discovery: System Language Discovery
PID:5520 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D92.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBF941386EC024A97A65553391857A67.TMP"6⤵PID:2392
-
-
-
-
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe  (depth 1, PID 3560)
  cmdline: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"
  C:\ProgramData\Hdlharas\dlrarhsiva.exe  (depth 2, PID 5336)
    cmdline: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    - Executes dropped EXE

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe  (depth 1, PID 1672)
  cmdline: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe"
  - Chimera
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  C:\Program Files\Internet Explorer\iexplore.exe  (depth 2, PID 2736)
    cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Downloads\YOUR_FILES_ARE_ENCRYPTED.HTML"
    - Modifies Internet Explorer settings

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe  (depth 1, PID 2736)
  cmdline: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
  C:\Users\Admin\AppData\Local\Temp\is-A1Q34.tmp\butterflyondesktop.tmp  (depth 2, PID 3740)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\is-A1Q34.tmp\butterflyondesktop.tmp" /SL5="$140374,2719719,54272,C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe  (depth 3, PID 5840)
      cmdline: "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SendNotifyMessage
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 3, PID 5540)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 4, PID 2008)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0x108,0x12c,0x7fff69d23cb8,0x7fff69d23cc8,0x7fff69d23cd8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe  (depth 1, PID 2592)
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe  (depth 2, PID 2460)
    cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe  (depth 3, PID 6104)
      cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe  (depth 1, PID 668)
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe  (depth 2, PID 5216)
    cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe  (depth 3, PID 3556)
      cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe  (depth 1, PID 4664)
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe  (depth 2, PID 336)
    cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe  (depth 3, PID 2180)
      cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe  (depth 1, PID 3020)
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe  (depth 2, PID 5896)
    cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe  (depth 3, PID 5400)
      cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe  (depth 1, PID 880)
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe  (depth 2, PID 3948)
    cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe  (depth 3, PID 3980)
      cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      - System Location Discovery: System Language Discovery

C:\Windows\system32\OpenWith.exe  (depth 1, PID 1520)
  cmdline: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  C:\Program Files (x86)\Windows Media Player\wmplayer.exe  (depth 2, PID 884)
    cmdline: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play "C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip.crypt"
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\unregmp2.exe  (depth 3, PID 660)
      cmdline: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      C:\Windows\system32\unregmp2.exe  (depth 4, PID 2028)
        cmdline: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        - Enumerates connected drives
        - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe  (depth 1, PID 5960)
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe  (depth 2, PID 4356)
    cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe  (depth 3, PID 3284)
      cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      - System Location Discovery: System Language Discovery

C:\Windows\system32\svchost.exe  (depth 1, PID 4880)
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
  - Drops file in Windows directory

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\BlueScreen.exe  (depth 1, PID 3656)
  cmdline: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\BlueScreen.exe"

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\BlueScreen.exe  (depth 1, PID 2864)
  cmdline: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\BlueScreen.exe"
  - System Location Discovery: System Language Discovery

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ArcticBomb.exe  (depth 1, PID 6060)
  cmdline: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ArcticBomb.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe  (depth 1, PID 4236)
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe  (depth 2, PID 4688)
    cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe  (depth 3, PID 668)
      cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      - System Location Discovery: System Language Discovery

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\FlashKiller.exe  (depth 1, PID 4724)
  cmdline: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\FlashKiller.exe"

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\FreeYoutubeDownloader.exe  (depth 1, PID 5536)
  cmdline: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\FreeYoutubeDownloader.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe  (depth 2, PID 976)
    cmdline: "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
    - Executes dropped EXE
    - Suspicious use of SendNotifyMessage

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Zika.exe  (depth 1, PID 4472)
  cmdline: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Zika.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 4340)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\$Recycle.Bin.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe  (depth 2, PID 3008)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 2224)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\$Recycle.Bin.exe", "C:\$Recycle.Bin.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 1492)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\93b36425.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe  (depth 2, PID 1488)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 4056)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\93b36425.exe", "C:\93b36425.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 4732)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\Documents and Settings.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe  (depth 2, PID 2052)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 2704)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\Documents and Settings.exe", "C:\Documents and Settings.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 2308)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\PerfLogs.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe  (depth 2, PID 1956)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 3288)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\PerfLogs.exe", "C:\PerfLogs.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 1952)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\Recovery.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe  (depth 2, PID 4216)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 3352)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\Recovery.exe", "C:\Recovery.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 5304)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe  (depth 2, PID 1368)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 3204)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.exe", "C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 2604)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2010_x64.log.html.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe  (depth 2, PID 2884)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 1344)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2010_x64.log.html.exe", "C:\vcredist2010_x64.log.html.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 1828)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe  (depth 2, PID 964)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 2880)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.exe", "C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 5016)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2010_x86.log.html.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe  (depth 2, PID 4648)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 1928)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2010_x86.log.html.exe", "C:\vcredist2010_x86.log.html.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 3536)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe  (depth 2, PID 5256)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 3084)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.exe", "C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 5388)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe  (depth 2, PID 668)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 2484)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.exe", "C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 4724)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe  (depth 2, PID 1228)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 1932)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.exe", "C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 1184)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe  (depth 2, PID 1068)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 5208)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.exe", "C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2, PID 5652)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe  (depth 2, PID 5712)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe  (depth 2)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.exe", "C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1008
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2776
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3720
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.exe", "C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1744
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4700
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3236
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.exe", "C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4980
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:812
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:736
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.exe", "C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5200
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5548
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res2⤵PID:576
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.exe", "C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,2⤵PID:5224
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,2⤵PID:2192
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res2⤵PID:3884
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.exe", "C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,2⤵PID:3344
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,2⤵PID:6096
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res2⤵
- System Location Discovery: System Language Discovery
PID:3352
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log.exe", "C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,2⤵
- System Location Discovery: System Language Discovery
PID:1060
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract F:\$RECYCLE.BIN.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,2⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:5020
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res2⤵PID:4744
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite F:\$RECYCLE.BIN.exe", "F:\$RECYCLE.BIN.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,2⤵
- Enumerates connected drives
PID:5036
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Nostart.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Nostart.exe"1⤵PID:4992
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Sevgi.a.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Sevgi.a.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
PID:1352
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:2192
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Sevgi.a.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Sevgi.a.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
PID:2976
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2440 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1864 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵PID:3404
-
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Alerta.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Alerta.exe"1⤵PID:5472
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\000.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\000.exe"1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2808 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""2⤵PID:2016
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2256
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4972
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where name='Admin' set FullName='UR NEXT'3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3916
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where name='Admin' rename 'UR NEXT'3⤵
- System Location Discovery: System Language Discovery
PID:4876
-
-
C:\Windows\SysWOW64\shutdown.exeshutdown /f /r /t 03⤵PID:1880
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 39602⤵
- Program crash
PID:348
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa395e055 /state1:0x41c64e6d1⤵PID:5148
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Downloads
-
Filesize
5KB
MD58e72f246b375560a0142669bfdc3508e
SHA1baac161d5ef885001dce0ab9b7c25f5a8ecbe15a
SHA25638dea18c37747d3c5a5056207aca305dd059baec7d7d0b15a18337b5d42e0658
SHA5122f0c458bcbcd04ec2ae262dce82e9e32dee0759db7fd80d3eabc37c937db3e276ffa8fed9c389855d4a648b97d31123e2e24e82b5921eda89e47fc3e74e23945
-
Filesize
668B
MD53906bddee0286f09007add3cffcaa5d5
SHA10e7ec4da19db060ab3c90b19070d39699561aae2
SHA2560deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA5120a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0
-
Filesize
676B
MD585c61c03055878407f9433e0cc278eb7
SHA115a60f1519aefb81cb63c5993400dd7d31b1202f
SHA256f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b
SHA5127099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756
-
Filesize
5KB
MD5b71e6e19814568caf1f6d365fea29136
SHA16993dc9dcb4f4fa8443b5439fd0f6448620872fd
SHA256aa099f363660fede895c28dc847748ce79a12d0ffa249e3980a54d16cdde1d82
SHA5126ca16f231751b37787535c293804173411fa9f19d0ec29e6d04e32614bb8d630c5cdd493d80e35df4f29412b606c329f3196c587189a538ec5246b2223f53911
-
Filesize
5KB
MD512709a9ce7122fd789256103eebaee0d
SHA1a4ad85d03d56f31da215284fedc0a96ca02a0c65
SHA2569753ea5ce1bef84c96a49bc4cf5d96e3b9195932d7209d3acf949b8adaa80278
SHA512a7764fb031270b6da3c4aba217221c4aca7e8acd6fa5c34217cc4650fbd35543e47a44f7c884dde076c23e66279386a0cf2e908c7cec37a1cd5237e4bee3c49f
-
Filesize
5KB
MD5b73429be6150aa96e93ef9b49fb3ab2b
SHA10630535dfb92271dbdd0180307981f8814798ca3
SHA2568ae5a47694d714b48857c9dba930a8947c7b18d48d4198e08fa50eb35e305ff8
SHA5125fc581143f53032620134852c16a3116b6817c7efc3785fbde4c4cf13fb00e0824203420b3f61f45394139f8fc585706e87305e50ca850c9c82597f3bea6dcf8
-
Filesize
5KB
MD50d43c4212c75578ea7eeb11e292cb183
SHA130b2ba3ad685b03fe365fd5a78801f039c8cd26c
SHA256c6eb948ff4f2359dce5d80890ea50516c48a6599fd522744ec0dcb5da8da7495
SHA5121adc9f10811af124048c36c9f41b48c3e777b6807aa61f148f52448d79d3eaac533fe4b9e7f887c6ab64cf99e9664113dd7fbc98353a1b57fb98db1d7f865b25
-
Filesize
5KB
MD51eec5a7f7298df1f578bd6cad1ae396b
SHA1ea9a858b3a0a6fcbe46cea93a18c99010d11ade8
SHA256c00d6f179c121a3e3193a850bcca719b03f75e1f0b92b79d179cdcd52c2a806a
SHA51208ad3c19fa7354901a3a44b777cfaacbfbff3569d087275e8583d1142cf33fc3f99402087f57ddbcf5dfd9bf3053acc082cdd64a32b29c1d246232e555dabb3f
-
Filesize
355B
MD5acd609faf5d65b35619397dc8a3bc721
SHA1ba681e91613d275de4b51317a83e19de2dbf1399
SHA2564cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518
SHA512400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c
-
Filesize
224B
MD5d9f973ac3e0a2133469114309f5d03bd
SHA12cdacaafe9e9fb4cc18bd3a3081b834a7126b522
SHA2562d9af3a38bf5421290a7ecf3b50fc02bfe608dbc06de09a9d2c925354fd1b449
SHA512e2b70a167b6349f572b4cc7597ed64b76dcccfc6de700e6be41d117d79131b870303a0ee9020b7e896d215e80ba40c1e3c9241717f74491e3ace3741eae91fd4
-
Filesize
376B
MD5688ef599a13c30230d9c00287511e084
SHA1496834103ac52660dd8554590a2f92cbda8ab759
SHA2569ce0d8e22177e91d78bf3e578b8b5f0d22d724ae17931195de2e3b5b46255051
SHA5120f244536f83308c7db23337dadcef882fd258954d7e3c8a5f3f66ee0861fec0cd6ea7b3310db65a306de380da410af1e8e4041fabbc917b6af4b94d9424cec8b
-
Filesize
267B
MD5c7df8ae68b91b33af15e9bcbc64fd848
SHA1e2955d340f094144a0523585eb0bcf9df4941462
SHA256063d53725408d691a7d4a8ab8d7175e544cedb457676ec066ccc99029729bd35
SHA5121785eee665f60aa7ac40a20cbab8314acf4a92702dfb4cb92b1839eb88c466595835a04a6781d00591787d8706efca006ebb1128fe1a1d1a42ce07320b3b37aa
-
Filesize
4.0MB
MD51d9045870dbd31e2e399a4e8ecd9302f
SHA17857c1ebfd1b37756d106027ed03121d8e7887cf
SHA2569b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885
SHA5129419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe:Zone.Identifier
Filesize92B
MD5c6c7806bab4e3c932bb5acb3280b793e
SHA1a2a90b8008e5b27bdc53a15dc345be1d8bd5386b
SHA2565ba37b532dbb714d29f33e79dacb5740096fd1e89da0a07b9b8e6b803931c61a
SHA512c648be984413fdbaeb34808c8164c48b5441a8f3f35533b189f420230e5e90605c15fde2ce0d9fe42e9755c594dd1ef32de71a24016277ad2cef2f9afcf0ad93
-
Filesize
396B
MD59037ebf0a18a1c17537832bc73739109
SHA11d951dedfa4c172a1aa1aae096cfb576c1fb1d60
SHA25638c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48
SHA5124fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
153KB
MD5f33a4e991a11baf336a2324f700d874d
SHA19da1891a164f2fc0a88d0de1ba397585b455b0f4
SHA256a87524035509ff7aa277788e1a9485618665b7da35044d70c41ec0f118f3dfd7
SHA512edf066968f31451e21c7c21d3f54b03fd5827a8526940c1e449aad7f99624577cbc6432deba49bb86e96ac275f5900dcef8d7623855eb3c808e084601ee1df20
-
Filesize
5.7MB
MD5df997a6615a46eac81cb90cc06582799
SHA138caa6a66cb25f75fc63002b83751a7e9a8cf7ec
SHA256c9e71f0330a80123fc8ad1117d1014d318ac39fc6f98015b810d72d4d1630812
SHA5125357fefa4c918920d58b2171839134f2539993c0a28105980c88cf3cd60e475e4e6c6f6b377cbb9f5d3f64484954d33a847a83ee00856d5e705de1352acef2d7