Analysis

max time kernel: 871s
max time network: 879s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 27-08-2024 14:56

Static task: static1
Behavioral task: behavioral1
  Sample: tyler.jpg
  Resource: win11-20240802-en

General
Target: tyler.jpg
Size: 47KB
MD5: a4e8e2d3b2f54a7d91f73f25280e29f4
SHA1: 77ecb0a6391a72b0deba66b651adc70aa9e31e97
SHA256: 67b2c63de52b106cb5067d162d231d04d9a4c977b470014b8bd7e3142451c0c7
SHA512: 5c100af3d55901a5aff5c53490c797b243315cd66a2c319cdbcd1b15308470fcda987222bf236ef415fdd35cd0803b9b08aac8843d2d9fcdbf1f79d4e5fadb48
SSDEEP: 768:HDZyIdPap+jg0263KE+lP2CDvz9IT7S+uulO+M0+Kd4d9gg770gde4avcC+8JnGs:HDRdPE+kA6EO2O+z5lfV+KdA9gg7Y4a5
Malware Config

Extracted: revengerat
  ID: Guest
  C2: 0.tcp.ngrok.io:19521
  mutex: RV_MUTEX

Extracted: crimsonrat
  C2: 185.136.161.124
Signatures

Chimera (64 IoCs)
Ransomware which infects local and network files, often distributed via Dropbox links.
description | flow | ioc | Process
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files\Java\jre-1.8\lib\deploy\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files\Microsoft Office\root\Office16\Configuration\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-sl\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
 | 91 | bot.whatismyipaddress.com | Process not Found
Key created | | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection | msedge.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
Chimera Ransomware Loader DLL (1 IoC)
Drops/unpacks executable file which resembles Chimera's Loader.dll.
resource | yara_rule
behavioral1/memory/1672-799-0x0000000010000000-0x0000000010010000-memory.dmp | chimera_loader_dll
CrimsonRAT main payload (1 IoC)
resource | yara_rule
behavioral1/files/0x000100000002ad05-507.dat | family_crimsonrat
CrimsonRat
Crimson RAT is malware attributed to a Pakistan-linked threat actor.

RevengeRAT
Remote-access trojan with a wide range of capabilities.

Renames multiple (3280) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.
RevengeRat Executable (1 IoC)
resource | yara_rule
behavioral1/files/0x000d00000002ad26-781.dat | revengerat
Disables Task Manager via registry modification

Drops startup file (4 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93b36425.exe | explorer.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | RegSvcs.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:Zone.Identifier:$DATA | RegSvcs.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | RegSvcs.exe
Executes dropped EXE (64 IoCs)
pid | Process
5336 | dlrarhsiva.exe
4680 | svchost.exe
3740 | butterflyondesktop.tmp
5840 | ButterflyOnDesktop.exe
2592 | svchost.exe
668 | svchost.exe
4664 | svchost.exe
3020 | svchost.exe
880 | svchost.exe
5960 | svchost.exe
4236 | svchost.exe
976 | Free YouTube Downloader.exe
4340 | svchost.exe
3008 | taskhost.exe
2224 | svchost.exe
1492 | svchost.exe
1488 | taskhost.exe
4056 | svchost.exe
4732 | svchost.exe
2052 | taskhost.exe
2704 | svchost.exe
2308 | svchost.exe
1956 | taskhost.exe
3288 | svchost.exe
1952 | svchost.exe
4216 | taskhost.exe
3352 | svchost.exe
5304 | svchost.exe
1368 | taskhost.exe
3204 | svchost.exe
2604 | svchost.exe
2884 | taskhost.exe
1344 | svchost.exe
1828 | svchost.exe
964 | taskhost.exe
2880 | svchost.exe
5016 | svchost.exe
4648 | taskhost.exe
1928 | svchost.exe
3536 | svchost.exe
5256 | taskhost.exe
3084 | svchost.exe
5388 | svchost.exe
668 | taskhost.exe
2484 | svchost.exe
4724 | svchost.exe
1228 | taskhost.exe
1932 | svchost.exe
1184 | svchost.exe
1068 | taskhost.exe
5208 | svchost.exe
5652 | svchost.exe
5712 | taskhost.exe
1008 | svchost.exe
2776 | svchost.exe
3720 | taskhost.exe
1744 | svchost.exe
4700 | svchost.exe
3236 | taskhost.exe
4980 | svchost.exe
812 | svchost.exe
736 | taskhost.exe
5200 | svchost.exe
5548 | svchost.exe

Yara rule match: upx (5 IoCs)
resource | yara_rule
behavioral1/memory/3656-9146-0x0000000000400000-0x0000000000409000-memory.dmp | upx
behavioral1/memory/3656-9148-0x0000000000400000-0x0000000000409000-memory.dmp | upx
behavioral1/memory/2864-9152-0x0000000000400000-0x0000000000409000-memory.dmp | upx
behavioral1/memory/6060-9155-0x0000000000400000-0x0000000000454000-memory.dmp | upx
behavioral1/memory/6060-9157-0x0000000000400000-0x0000000000454000-memory.dmp | upx
Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 9 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\93b36425 = "C:\\Users\\Admin\\AppData\\Roaming\\93b36425.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop | butterflyondesktop.tmp
Set value (str) | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe" | RegSvcs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*3b3642 = "C:\\93b36425\\93b36425.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*3b36425 = "C:\\Users\\Admin\\AppData\\Roaming\\93b36425.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe" | FreeYoutubeDownloader.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Netagent = "c:\\windows\\system\\sysfile.exe" | Sevgi.a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Netagent = "c:\\windows\\system\\sysfile.exe" | Sevgi.a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\93b3642 = "C:\\93b36425\\93b36425.exe" | explorer.exe
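The "Drops startup file" and "Adds Run key" tables above are the persistence picture of this run, and two details in them are easy to miss when read as raw rows: the RunOnce value names start with "*", which makes Windows process them even in Safe Mode, and a binary called svchost.exe is being registered from the user's Startup folder rather than from System32. The script below is an added example (not part of the sandbox report or its tooling) that parses those rows, as copied from the tables, and flags those patterns. The flag wording, the list of system binary names and the "hex-named folder at the drive root" heuristic are my own triage rules, not something the report defines.

```python
"""Triage the persistence rows from this report ('Adds Run key' and
'Drops startup file'). Added example, not part of the sandbox output."""
import re

# Constructed input: rows copied verbatim from the report's two tables.
RUN_KEY_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\93b36425 = "C:\\Users\\Admin\\AppData\\Roaming\\93b36425.exe" explorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop butterflyondesktop.tmp
Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe" RegSvcs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*3b3642 = "C:\\93b36425\\93b36425.exe" explorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*3b36425 = "C:\\Users\\Admin\\AppData\\Roaming\\93b36425.exe" explorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe" FreeYoutubeDownloader.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Netagent = "c:\\windows\\system\\sysfile.exe" Sevgi.a.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Netagent = "c:\\windows\\system\\sysfile.exe" Sevgi.a.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\93b3642 = "C:\\93b36425\\93b36425.exe" explorer.exe
"""
STARTUP_ROWS = r"""
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93b36425.exe explorer.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe RegSvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:Zone.Identifier:$DATA RegSvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe RegSvcs.exe
"""

# key\name [= "value"] process   (value names may contain spaces; value may be absent)
ROW_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]+?)'
    r'(?: = "(?P<value>[^"]*)")? (?P<proc>\S+)$',
    re.MULTILINE,
)
STARTUP_RE = re.compile(r"^File created (?P<path>.+) (?P<proc>\S+)$", re.MULTILINE)

# Triage assumptions (mine, not the report's): names worth checking for masquerading,
# and the only directories where those names are expected to live.
SYSTEM_BINARY_NAMES = {"svchost.exe", "taskhost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def assess_autorun(entry):
    """Reasons an autorun entry deserves a look (empty list = nothing notable)."""
    flags = []
    value = (entry["value"] or "").replace("\\\\", "\\")  # the report doubles backslashes
    low = value.lower()
    base = low.rsplit("\\", 1)[-1]
    if entry["key"].lower().endswith("\\runonce") and entry["name"].startswith("*"):
        flags.append("RunOnce name starts with '*': also runs in Safe Mode")
    if base in SYSTEM_BINARY_NAMES and not low.startswith(SYSTEM_DIRS):
        flags.append(f"system binary name {base} outside System32")
    if "\\appdata\\" in low or "\\start menu\\programs\\startup\\" in low:
        flags.append("target under user profile")
    if re.match(r"^c:\\[0-9a-f]{8}\\", low):
        flags.append("target in hex-named folder at drive root")
    if low.startswith("c:\\windows\\system\\"):
        flags.append("target in legacy C:\\Windows\\System")
    return flags


def persistence_findings(run_rows=RUN_KEY_ROWS, startup_rows=STARTUP_ROWS):
    """Parse both tables, drop exact duplicate rows, attach flags to each entry."""
    findings, seen = [], set()
    for m in ROW_RE.finditer(run_rows):
        e = m.groupdict()
        sig = ("reg", e["key"], e["name"], e["value"])
        if sig in seen:  # 'Windows Netagent' is listed twice in the report
            continue
        seen.add(sig)
        findings.append({"kind": "registry", "name": e["name"], "writer": e["proc"],
                         "flags": assess_autorun(e)})
    for m in STARTUP_RE.finditer(startup_rows):
        path, proc = m["path"], m["proc"]
        if ("file", path, proc) in seen:
            continue
        seen.add(("file", path, proc))
        flags = ["drop into Startup folder"]
        if ":Zone.Identifier:$DATA" in path:
            flags.append("Zone.Identifier ADS written alongside the drop (Mark-of-the-Web stream)")
        elif path.rsplit("\\", 1)[-1].lower() in SYSTEM_BINARY_NAMES:
            flags.append(f"system binary name {path.rsplit(chr(92), 1)[-1].lower()} outside System32")
        findings.append({"kind": "file", "name": path, "writer": proc, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in persistence_findings():
        print(f"[{f['kind']}] {f['name']}  (written by {f['writer']})")
        for flag in f["flags"]:
            print("    -", flag)
```

Run as a script it prints one block per unique entry; the ButterflyOnDesktop and Free Youtube Downloader rows come out with no flags, which is the point of doing this mechanically: the noise from the bundled adware separates from the two entries (the hex-named dropper and the Startup-folder svchost.exe) that the rest of the report is about.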
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops desktop.ini file(s) (26 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | HawkEye.exe
File opened for modification | C:\Program Files\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\desktop.ini | HawkEye.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | HawkEye.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
(rows grouped by process; drive letters sorted)
description | ioc | Process
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\J: \??\K: \??\L: \??\M: \??\N: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (21 rows) | unregmp2.exe
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (22 rows) | wmplayer.exe
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\O: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\Y: \??\Z: (19 rows) | 000.exe
File opened (read-only) | \??\F: (2 rows) | svchost.exe
Note that unregmp2.exe and wmplayer.exe are Windows Media Player components; drive enumeration by them is expected and only the 000.exe and svchost.exe rows belong to the dropped payloads.
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 8 IoCs)
flow | ioc
147 | 0.tcp.ngrok.io
173 | 0.tcp.ngrok.io
209 | 0.tcp.ngrok.io
228 | 0.tcp.ngrok.io
247 | 0.tcp.ngrok.io
251 | 0.tcp.ngrok.io
72 | 0.tcp.ngrok.io
95 | 0.tcp.ngrok.io

Looks up external IP address via web service (8 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
280 | ip-addr.es
55 | ip-addr.es
67 | ip-addr.es
91 | bot.whatismyipaddress.com
136 | ip-addr.es
170 | ip-addr.es
206 | ip-addr.es
242 | ip-addr.es
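The Malware Config section near the top gives the two extracted C2 endpoints (0.tcp.ngrok.io:19521 for RevengeRAT, 185.136.161.124 for CrimsonRAT) and the two flow tables just above show what the network side of the run looked like: repeated connections to an ngrok TCP tunnel and repeated external-IP lookups. What a defender can act on differs per indicator class: an ngrok edge hostname is shared infrastructure, so only the port is actor-specific, yet the hostname is still the thing to block; an IP-lookup service is a beaconing prelude, not C2. The script below is an added example (not part of the sandbox report) that parses those strings as they appear on the page and sorts them into those classes. The regex for ngrok's optional region label (e.g. 0.tcp.eu.ngrok.io) is my assumption about ngrok's naming, not something this report shows.

```python
"""Triage the network indicators from this report: the extracted C2 strings
and the two 'flow ioc' tables. Added example, not part of the sandbox output."""
import ipaddress
import re

# Constructed input, copied from the report's Malware Config section.
EXTRACTED_C2 = {
    "revengerat": "0.tcp.ngrok.io:19521",
    "crimsonrat": "185.136.161.124",
}

# Constructed input, copied from the two 'flow ioc' tables ("<flow id> <host>" pairs).
FLOW_TABLES = {
    "Legitimate hosting services abused for malware hosting/C2":
        "147 0.tcp.ngrok.io 173 0.tcp.ngrok.io 209 0.tcp.ngrok.io 228 0.tcp.ngrok.io "
        "247 0.tcp.ngrok.io 251 0.tcp.ngrok.io 72 0.tcp.ngrok.io 95 0.tcp.ngrok.io",
    "Looks up external IP address via web service":
        "280 ip-addr.es 55 ip-addr.es 67 ip-addr.es 91 bot.whatismyipaddress.com "
        "136 ip-addr.es 170 ip-addr.es 206 ip-addr.es 242 ip-addr.es",
}

# ngrok TCP tunnel edges look like N.tcp.ngrok.io. The optional two-letter region
# label (0.tcp.eu.ngrok.io) is an assumption about ngrok's naming, not shown here.
NGROK_TCP_RE = re.compile(r"^\d+\.tcp(?:\.[a-z]{2})?\.ngrok\.io$")
IP_LOOKUP_SERVICES = {"ip-addr.es", "bot.whatismyipaddress.com"}  # the two seen in the report
FLOW_RE = re.compile(r"(\d+)\s+(\S+)")


def parse_flow_table(text):
    """'147 0.tcp.ngrok.io 173 ...' -> [(147, '0.tcp.ngrok.io'), (173, ...), ...]"""
    return [(int(flow), host) for flow, host in FLOW_RE.findall(text)]


def parse_c2(value):
    """'host:port' or bare 'host' -> (host, port or None). Bracketed IPv6 is not handled."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, None


def classify(host):
    if NGROK_TCP_RE.match(host):
        return "ngrok-tunnel"
    if host in IP_LOOKUP_SERVICES:
        return "ip-lookup"
    try:
        ipaddress.ip_address(host)
        return "raw-ip"
    except ValueError:
        return "other"


def blockable_indicators(c2_map=EXTRACTED_C2, flow_tables=FLOW_TABLES):
    """Indicators per class, deduplicated and sorted. For the ngrok class both the
    bare hostname (from the flows) and host:port (from the config) are kept, since
    the port is the only part of the endpoint specific to this operator."""
    out = {"ngrok-tunnel": set(), "ip-lookup": set(), "raw-ip": set(), "other": set()}
    for value in c2_map.values():
        host, port = parse_c2(value)
        out[classify(host)].add(host if port is None else f"{host}:{port}")
    for table in flow_tables.values():
        for _flow, host in parse_flow_table(table):
            out[classify(host)].add(host)
    return {k: sorted(v) for k, v in out.items()}


def flows_for(host_class, flow_tables=FLOW_TABLES):
    """Flow ids whose destination is in the given class, ascending; useful for pulling
    the matching pcap streams out of the sandbox."""
    return sorted(flow for table in flow_tables.values()
                  for flow, host in parse_flow_table(table)
                  if classify(host) == host_class)


if __name__ == "__main__":
    for cls, hosts in blockable_indicators().items():
        print(f"{cls:13s} {hosts}")
    print("ngrok flows:", flows_for("ngrok-tunnel"))
```

The ordering of the flow ids (72 and 95 before 147) shows that the ngrok tunnel was contacted early in the run and then repeatedly, which matches a RAT check-in loop rather than a one-off download.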
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Control Panel\Desktop\Wallpaper | 000.exe

Suspicious use of SetThreadContext (20 IoCs)
description | pid | Process | procid_target
PID 4788 set thread context of 4792 | 4788 | RevengeRAT.exe | 120
PID 4792 set thread context of 3888 | 4792 | RegSvcs.exe | 121
PID 4680 set thread context of 5736 | 4680 | svchost.exe | 192
PID 5736 set thread context of 5864 | 5736 | RegSvcs.exe | 193
PID 2592 set thread context of 2460 | 2592 | svchost.exe | 242
PID 2460 set thread context of 6104 | 2460 | RegSvcs.exe | 243
PID 668 set thread context of 5216 | 668 | svchost.exe | 246
PID 5216 set thread context of 3556 | 5216 | RegSvcs.exe | 247
PID 4664 set thread context of 336 | 4664 | svchost.exe | 250
PID 336 set thread context of 2180 | 336 | RegSvcs.exe | 251
PID 3020 set thread context of 5896 | 3020 | svchost.exe | 254
PID 5896 set thread context of 5400 | 5896 | RegSvcs.exe | 255
PID 880 set thread context of 3948 | 880 | svchost.exe | 258
PID 3948 set thread context of 3980 | 3948 | RegSvcs.exe | 259
PID 5960 set thread context of 4356 | 5960 | svchost.exe | 263
PID 4356 set thread context of 3284 | 4356 | RegSvcs.exe | 264
PID 4236 set thread context of 4688 | 4236 | svchost.exe | 276
PID 4688 set thread context of 668 | 4688 | RegSvcs.exe | 277
PID 2440 set thread context of 1864 | 2440 | svchost.exe | 416
PID 1864 set thread context of 3404 | 1864 | RegSvcs.exe | 417
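Read as a list, the SetThreadContext table above is twenty unrelated events; read as a graph it is ten identical two-stage injection chains: a dropped svchost.exe (or the original RevengeRAT.exe) sets the thread context of a RegSvcs.exe child, which in turn sets the context of a third process. Most of the svchost.exe roots (4680, 2592, 668, 4664, 3020, 880, 5960, 4236) appear in the "Executes dropped EXE" list. The one trap is PID 668, which occurs twice: once as a live svchost.exe source (procid_target 246) and later as the target of 4688 (procid_target 277), so a naive join on PID fuses two chains into one five-hop chain. The sandbox's procid_target column is a monotonically increasing process id, which is what disambiguates the reuse. The script below is an added example (not part of the sandbox report or its tooling) that rebuilds the chains from the rows as printed; the interpretation of the leaf as the hollowed target is the usual reading of this API pattern, and the leaf's image name is not in this table.

```python
"""Rebuild the injection chains behind the 'Suspicious use of SetThreadContext'
table. Added example, not part of the sandbox output."""
import re
from collections import defaultdict

# Constructed input: rows copied from the report. Report columns are
# description ('PID A set thread context of B'), pid (A), Process, procid_target.
ROWS = """
PID 4788 set thread context of 4792 4788 RevengeRAT.exe 120
PID 4792 set thread context of 3888 4792 RegSvcs.exe 121
PID 4680 set thread context of 5736 4680 svchost.exe 192
PID 5736 set thread context of 5864 5736 RegSvcs.exe 193
PID 2592 set thread context of 2460 2592 svchost.exe 242
PID 2460 set thread context of 6104 2460 RegSvcs.exe 243
PID 668 set thread context of 5216 668 svchost.exe 246
PID 5216 set thread context of 3556 5216 RegSvcs.exe 247
PID 4664 set thread context of 336 4664 svchost.exe 250
PID 336 set thread context of 2180 336 RegSvcs.exe 251
PID 3020 set thread context of 5896 3020 svchost.exe 254
PID 5896 set thread context of 5400 5896 RegSvcs.exe 255
PID 880 set thread context of 3948 880 svchost.exe 258
PID 3948 set thread context of 3980 3948 RegSvcs.exe 259
PID 5960 set thread context of 4356 5960 svchost.exe 263
PID 4356 set thread context of 3284 4356 RegSvcs.exe 264
PID 4236 set thread context of 4688 4236 svchost.exe 276
PID 4688 set thread context of 668 4688 RegSvcs.exe 277
PID 2440 set thread context of 1864 2440 svchost.exe 416
PID 1864 set thread context of 3404 1864 RegSvcs.exe 417
"""

ROW_RE = re.compile(r"PID (\d+) set thread context of (\d+) (\d+) (\S+) (\d+)")


def parse_rows(text=ROWS):
    """-> list of {'src', 'dst', 'proc', 'procid'} sorted by the sandbox's procid_target."""
    edges = []
    for src, dst, pid, proc, procid in ROW_RE.findall(text):
        assert src == pid, "description and pid column disagree"
        edges.append({"src": int(src), "dst": int(dst), "proc": proc, "procid": int(procid)})
    return sorted(edges, key=lambda e: e["procid"])


def reused_pids(edges):
    """OS PIDs the sandbox saw twice: the PID was already a live source when a later
    row (higher procid_target) created a fresh process with the same number."""
    first_seen_as_src = {}
    for e in edges:
        first_seen_as_src.setdefault(e["src"], e["procid"])
    return {e["dst"] for e in edges
            if e["dst"] in first_seen_as_src and first_seen_as_src[e["dst"]] < e["procid"]}


def build_chains(edges):
    """Link row B to row A when A's target PID is B's source PID and A's target was
    created before B's (lower procid_target). Ordering by procid_target rather than
    joining on bare PID is what keeps the reused PID 668 from fusing two chains."""
    edges = sorted(edges, key=lambda e: e["procid"])
    parent = {}
    for i, e in enumerate(edges):
        for j in range(i - 1, -1, -1):          # nearest earlier row that created e["src"]
            if edges[j]["dst"] == e["src"]:
                parent[i] = j
                break
    children = defaultdict(list)
    for i, j in parent.items():
        children[j].append(i)

    chains = []

    def walk(i, path):
        path = path + [(edges[i]["src"], edges[i]["proc"])]
        if not children[i]:
            # final target: hollowed process whose image name this table does not give
            chains.append(path + [(edges[i]["dst"], None)])
        for c in children[i]:
            walk(c, path)

    for i in range(len(edges)):
        if i not in parent:                      # roots: never themselves a target
            walk(i, [])
    return chains


def describe(chain):
    return " -> ".join(f"{pid} {name or '?'}" for pid, name in chain)


if __name__ == "__main__":
    edges = parse_rows()
    print("reused PIDs:", sorted(reused_pids(edges)))
    for c in build_chains(edges):
        print(describe(c))
```

The same join-by-ordering trick applies to any sandbox or EDR export that carries a stable per-process identifier next to the OS PID; the PID alone is not a key over a 15-minute run that spawns several hundred processes.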
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\Doughboy.scale-125.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\merge-styles\lib-commonjs\keyframes.js | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\WeatherStoreLogo.scale-125.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\GetHelpAppList.targetsize-80.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\Timer3Sec.targetsize-32.png | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-fr\ui-strings.js | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-200_contrast-white.png | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pl-pl\ui-strings.js | HawkEye.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-180.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-30_altform-lightunplated_contrast-black.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\Classic\Klondike.Wide.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreSplashScreen.scale-200.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-200_contrast-black.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\NewsAppList.targetsize-30_altform-lightunplated.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-40.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-36_altform-unplated.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-30_altform-unplated.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_altform-unplated_contrast-white.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\createRef.js | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\ui-strings.js | HawkEye.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\NewsAppList.targetsize-60_altform-unplated_contrast-white.png | HawkEye.exe
File created | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleLargeTile.scale-100.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_altform-unplated_contrast-black.png | HawkEye.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\trdtv2r41.xsl | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\NewsAppList.targetsize-64_altform-lightunplated.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-30_altform-lightunplated_contrast-black.png | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Close.png | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sv-se\ui-strings.js | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Xbox_SplashScreen.scale-100.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\msapp-error.html | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-40.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-16_altform-unplated.png | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_selected_18.svg | HawkEye.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.png | HawkEye.exe
File opened for modification | C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.png | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\warning_2x.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\SelectedItemsList.js | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\compat\Button.js | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\NotepadAppList.targetsize-96_altform-unplated.png | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-commonjs\types\index.js | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\he-il\ui-strings.js | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.scale-200_contrast-white.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\GroupedList\index.js | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-72.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_x64__8wekyb3d8bbwe\Assets\Xbox_AppList.scale-200_contrast-white.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_contrast-white.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\Overlay.js | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\ui-strings.js | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60.png | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-64_altform-lightunplated_contrast-black.png | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\ui-strings.js | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\cs-cz\ui-strings.js | HawkEye.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\Store\SplashScreen.scale-125.png | HawkEye.exe
Drops file in Windows directory 8 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe | FreeYoutubeDownloader.exe
File opened for modification | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe | FreeYoutubeDownloader.exe
File created | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini | FreeYoutubeDownloader.exe
File created | C:\Windows\notepad.dll.sys.exe | Zika.exe
File opened for modification | C:\Windows\notepad.dll.sys.exe | Zika.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | svchost.exe
File opened for modification | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe | FreeYoutubeDownloader.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target | Process | procid_target
348 | 2808 | WerFault.exe | 420
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Kills process with taskkill 2 IoCs
pid | Process
2256 | taskkill.exe
4972 | taskkill.exe
Modifies registry class 23 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\crypt_auto_file\shell\open\command | OpenWith.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\crypt_auto_file\shell\open\command\ = "\"%ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe\" /Open \"%L\"" | OpenWith.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\䆟縀䆁\ = "crypt_auto_file" | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\crypt_auto_file\shell\open | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\crypt_auto_file\shell\play | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\crypt_auto_file\shell\play\command | OpenWith.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\crypt_auto_file\shell\play\ = "&Play" | OpenWith.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon | 000.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile | 000.exe
Key created | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\crypt_auto_file | OpenWith.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\.crypt\ = "crypt_auto_file" | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\䆟縀䆁 | OpenWith.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\crypt_auto_file\shell\play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9991" | OpenWith.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico" | 000.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3007475212-2160282277-2943627620-1000\{AD14DE55-C5EC-4C2B-A333-F43E6E122137} | 000.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3007475212-2160282277-2943627620-1000\{B9717A99-8D56-4C55-A543-9B7F99E3BC8A} | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\crypt_auto_file\shell | OpenWith.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\crypt_auto_file\shell\play\command\ = "\"%ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe\" /Play \"%L\"" | OpenWith.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\crypt_auto_file\shell\ = "Play" | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\.crypt | OpenWith.exe
NTFS ADS 23 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier | msedge.exe
File created | C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.exe\:Zone.Identifier:$DATA | Zika.exe
File created | C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.exe\:Zone.Identifier:$DATA | Zika.exe
File created | C:\Recovery.exe\:Zone.Identifier:$DATA | Zika.exe
File created | C:\vcredist2010_x64.log.html.exe\:Zone.Identifier:$DATA | Zika.exe
File created | C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.exe\:Zone.Identifier:$DATA | Zika.exe
File created | C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.exe\:Zone.Identifier:$DATA | Zika.exe
File created | C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.exe\:Zone.Identifier:$DATA | Zika.exe
File created | C:\$Recycle.Bin.exe\:Zone.Identifier:$DATA | Zika.exe
File created | C:\93b36425.exe\:Zone.Identifier:$DATA | Zika.exe
File created | C:\Documents and Settings.exe\:Zone.Identifier:$DATA | Zika.exe
File created | C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.exe\:Zone.Identifier:$DATA | Zika.exe
File created | C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.exe\:Zone.Identifier:$DATA | Zika.exe
File created | C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.exe\:Zone.Identifier:$DATA | Zika.exe
File created | C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.exe\:Zone.Identifier:$DATA | Zika.exe
File created | C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.exe\:Zone.Identifier:$DATA | Zika.exe
File created | C:\svchost\svchost.exe\:Zone.Identifier:$DATA | RegSvcs.exe
File created | C:\Users\Admin\AppData\Roaming\svchost.exe\:Zone.Identifier:$DATA | RegSvcs.exe
File created | C:\PerfLogs.exe\:Zone.Identifier:$DATA | Zika.exe
File created | C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log.exe\:Zone.Identifier:$DATA | Zika.exe
File created | C:\vcredist2010_x86.log.html.exe\:Zone.Identifier:$DATA | Zika.exe
File created | C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.exe\:Zone.Identifier:$DATA | Zika.exe
File created | C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.exe\:Zone.Identifier:$DATA | Zika.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1820 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid | Process
1520 | msedge.exe
1520 | msedge.exe
4232 | msedge.exe
4232 | msedge.exe
240 | msedge.exe
240 | msedge.exe
5888 | msedge.exe
5888 | msedge.exe
872 | identity_helper.exe
872 | identity_helper.exe
584 | msedge.exe
584 | msedge.exe
584 | msedge.exe
584 | msedge.exe
5836 | msedge.exe
5836 | msedge.exe
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid | Process
1520 | OpenWith.exe
1352 | Sevgi.a.exe
2976 | Sevgi.a.exe
Suspicious behavior: MapViewOfSection 2 IoCs
pid | Process
1092 | CryptoWall.exe
852 | explorer.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
pid Process 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4788 | RevengeRAT.exe
Token: SeDebugPrivilege | 4792 | RegSvcs.exe
Token: SeDebugPrivilege | 4680 | svchost.exe
Token: SeDebugPrivilege | 5736 | RegSvcs.exe
Token: SeDebugPrivilege | 1672 | HawkEye.exe
Token: SeDebugPrivilege | 2592 | svchost.exe
Token: SeDebugPrivilege | 2460 | RegSvcs.exe
Token: SeDebugPrivilege | 668 | svchost.exe
Token: SeDebugPrivilege | 5216 | RegSvcs.exe
Token: SeDebugPrivilege | 4664 | svchost.exe
Token: SeDebugPrivilege | 336 | RegSvcs.exe
Token: SeDebugPrivilege | 3020 | svchost.exe
Token: SeDebugPrivilege | 5896 | RegSvcs.exe
Token: SeDebugPrivilege | 880 | svchost.exe
Token: SeDebugPrivilege | 3948 | RegSvcs.exe
Token: SeDebugPrivilege | 5960 | svchost.exe
Token: SeDebugPrivilege | 4356 | RegSvcs.exe
Token: SeShutdownPrivilege | 884 | wmplayer.exe
Token: SeCreatePagefilePrivilege | 884 | wmplayer.exe
Token: SeShutdownPrivilege | 2028 | unregmp2.exe
Token: SeCreatePagefilePrivilege | 2028 | unregmp2.exe
Token: SeDebugPrivilege | 4236 | svchost.exe
Token: SeDebugPrivilege | 4688 | RegSvcs.exe
Token: SeDebugPrivilege | 4472 | Zika.exe
Token: SeDebugPrivilege | 2440 | svchost.exe
Token: SeDebugPrivilege | 1864 | RegSvcs.exe
Token: SeShutdownPrivilege | 2808 | 000.exe
Token: SeCreatePagefilePrivilege | 2808 | 000.exe
Token: SeDebugPrivilege | 2256 | taskkill.exe
Token: SeShutdownPrivilege | 2808 | 000.exe
Token: SeCreatePagefilePrivilege | 2808 | 000.exe
Token: SeShutdownPrivilege | 2808 | 000.exe
Token: SeCreatePagefilePrivilege | 2808 | 000.exe
Token: SeDebugPrivilege | 4972 | taskkill.exe
Token: SeIncreaseQuotaPrivilege | 3916 | WMIC.exe
Token: SeSecurityPrivilege | 3916 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3916 | WMIC.exe
Token: SeLoadDriverPrivilege | 3916 | WMIC.exe
Token: SeSystemProfilePrivilege | 3916 | WMIC.exe
Token: SeSystemtimePrivilege | 3916 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3916 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3916 | WMIC.exe
Token: SeCreatePagefilePrivilege | 3916 | WMIC.exe
Token: SeBackupPrivilege | 3916 | WMIC.exe
Token: SeRestorePrivilege | 3916 | WMIC.exe
Token: SeShutdownPrivilege | 3916 | WMIC.exe
Token: SeDebugPrivilege | 3916 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 3916 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 3916 | WMIC.exe
Token: SeUndockPrivilege | 3916 | WMIC.exe
Token: SeManageVolumePrivilege | 3916 | WMIC.exe
Token: 33 | 3916 | WMIC.exe
Token: 34 | 3916 | WMIC.exe
Token: 35 | 3916 | WMIC.exe
Token: 36 | 3916 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 3916 | WMIC.exe
Token: SeSecurityPrivilege | 3916 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3916 | WMIC.exe
Token: SeLoadDriverPrivilege | 3916 | WMIC.exe
Token: SeSystemProfilePrivilege | 3916 | WMIC.exe
Token: SeSystemtimePrivilege | 3916 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3916 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3916 | WMIC.exe
Token: SeCreatePagefilePrivilege | 3916 | WMIC.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe 4232 msedge.exe -
Suspicious use of SendNotifyMessage 14 IoCs
pid | Process
4232 | msedge.exe
4232 | msedge.exe
4232 | msedge.exe
4232 | msedge.exe
4232 | msedge.exe
4232 | msedge.exe
4232 | msedge.exe
4232 | msedge.exe
4232 | msedge.exe
4232 | msedge.exe
4232 | msedge.exe
4232 | msedge.exe
5840 | ButterflyOnDesktop.exe
976 | Free YouTube Downloader.exe
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 1520 OpenWith.exe 1520 OpenWith.exe 1520 OpenWith.exe 1520 OpenWith.exe 1520 OpenWith.exe 1520 OpenWith.exe 1520 OpenWith.exe 1520 OpenWith.exe 1520 OpenWith.exe 1520 OpenWith.exe 1520 OpenWith.exe 5536 FreeYoutubeDownloader.exe 4340 svchost.exe 3008 taskhost.exe 2224 svchost.exe 1492 svchost.exe 1488 taskhost.exe 4056 svchost.exe 4732 svchost.exe 2052 taskhost.exe 2704 svchost.exe 2308 svchost.exe 1956 taskhost.exe 3288 svchost.exe 1952 svchost.exe 4216 taskhost.exe 3352 svchost.exe 5304 svchost.exe 1368 taskhost.exe 3204 svchost.exe 2604 svchost.exe 2884 taskhost.exe 1344 svchost.exe 1828 svchost.exe 964 taskhost.exe 2880 svchost.exe 5016 svchost.exe 4648 taskhost.exe 1928 svchost.exe 3536 svchost.exe 5256 taskhost.exe 3084 svchost.exe 5388 svchost.exe 668 taskhost.exe 2484 svchost.exe 4724 svchost.exe 1228 taskhost.exe 1932 svchost.exe 1184 svchost.exe 1068 taskhost.exe 5208 svchost.exe 5652 svchost.exe 5712 taskhost.exe 1008 svchost.exe 2776 svchost.exe 3720 taskhost.exe 1744 svchost.exe 4700 svchost.exe 3236 taskhost.exe 4980 svchost.exe 812 svchost.exe 736 taskhost.exe 5200 svchost.exe 5548 svchost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4232 wrote to memory of 504 4232 msedge.exe 86 PID 4232 wrote to memory of 504 4232 msedge.exe 86 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 
msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 4464 4232 msedge.exe 87 PID 4232 wrote to memory of 1520 4232 msedge.exe 88 PID 4232 wrote to memory of 1520 4232 msedge.exe 88 PID 4232 wrote to memory of 2260 4232 msedge.exe 89 PID 4232 wrote to memory of 2260 4232 msedge.exe 89 PID 4232 wrote to memory of 2260 4232 msedge.exe 89 PID 4232 wrote to memory of 2260 4232 msedge.exe 89 PID 4232 wrote to memory of 2260 4232 msedge.exe 89 PID 4232 wrote to memory of 2260 4232 msedge.exe 89 PID 4232 wrote to memory of 2260 4232 msedge.exe 89 PID 4232 wrote to memory of 2260 4232 msedge.exe 89 PID 4232 wrote to memory of 2260 4232 msedge.exe 89 PID 4232 wrote to memory of 2260 4232 msedge.exe 89 PID 4232 wrote to memory of 2260 4232 msedge.exe 89 PID 4232 wrote to memory of 2260 4232 msedge.exe 89 PID 4232 wrote to memory of 2260 4232 msedge.exe 89 PID 4232 wrote to memory of 2260 4232 msedge.exe 89 PID 4232 wrote to memory of 2260 4232 msedge.exe 89 PID 4232 wrote to memory of 2260 4232 msedge.exe 89 PID 4232 wrote to memory of 2260 4232 msedge.exe 89 PID 4232 wrote to memory of 2260 4232 msedge.exe 89 PID 4232 wrote to memory of 2260 4232 msedge.exe 89 PID 4232 wrote to memory of 2260 4232 msedge.exe 89
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\tyler.jpg1⤵PID:4856
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Chimera
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4232 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff69d23cb8,0x7fff69d23cc8,0x7fff69d23cd82⤵PID:504
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1872 /prefetch:22⤵PID:4464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1520
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:82⤵PID:2260
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:12⤵PID:4456
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵PID:872
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:12⤵PID:1844
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:12⤵PID:5820
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:240
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:12⤵PID:2568
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:12⤵PID:3912
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:12⤵PID:3956
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:12⤵PID:2012
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5684 /prefetch:82⤵PID:3228
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5696 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5888
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:12⤵PID:2808
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:12⤵PID:5804
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:12⤵PID:1680
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6464 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:872
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:12⤵PID:4376
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:12⤵PID:2324
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:12⤵PID:4688
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:584
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1312 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5836
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:12⤵PID:2056
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:12⤵PID:5896
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1608
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5580
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1504
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CryptoWall.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CryptoWall.exe"1⤵
- Suspicious behavior: MapViewOfSection
PID:1092
C:\Windows\SysWOW64\explorer.exe"C:\Windows\syswow64\explorer.exe"2⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
PID:852
C:\Windows\SysWOW64\svchost.exe-k netsvcs3⤵PID:5992
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4788
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:4792
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵PID:3888
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a0dgwxne.cmdline"3⤵PID:2576
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDBF0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc51501822919D442D895662A8F98A3272.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:5880
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xhlsktv4.cmdline"3⤵PID:676
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC9C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc74173E1DD634135AE5DBE1C3ADDCE7.TMP"4⤵PID:3000
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ar5qqvyc.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:5296
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD09.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB2A6411982CA4FE4AFE1CE79FD3CFFF4.TMP"4⤵PID:336
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qnrzjkrx.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:4208
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD77.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3A63AE6EC6FD4E57B161D5D628D71654.TMP"4⤵PID:5116
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gjvwqly5.cmdline"3⤵PID:1536
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE23.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc49A19A9BC5B84D528EFE66F7F1F6AAB6.TMP"4⤵PID:5756
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ti7slir-.cmdline"3⤵PID:1672
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDEA0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF13AEA1EAA9D40D2A159D8B8D1868CA2.TMP"4⤵PID:4880
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\txlz_2d_.cmdline"3⤵PID:1060
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF0D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D97374361B34D80A4E13F470452DE4.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:5556
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xu3-gubl.cmdline"3⤵PID:6088
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF7A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC820091FAA43FFAD8743E0012FBF9.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:1180
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kkbq_nig.cmdline"3⤵PID:3204
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDFE8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5BB463AAA3344EDE8B2ECCD32CAA67BC.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:2540
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vxmzpsgw.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:5624
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE055.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCABC9649EF974364B4CD53D68F8FF9C2.TMP"4⤵PID:3320
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fxynonoi.cmdline"3⤵PID:3592
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0C3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1127028429364F9A8CC4428EBA696F82.TMP"4⤵PID:4996
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ot3btmh6.cmdline"3⤵PID:920
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE140.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6FA719A995174E7B8EA08555EB2F6B28.TMP"4⤵PID:2136
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kexetxfq.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:6068
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE19D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA1FFAEC6CFFF42F6A59D184C80262BAD.TMP"4⤵PID:2336
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5glsbtx3.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:4676
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE20B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2C5EA827E40D4889A0D88B71EE49874.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:4648
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\96c9vdyv.cmdline"3⤵PID:3424
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE288.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc800CE4A5B0704FCCBB304D38F9DD8810.TMP"4⤵PID:1012
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lgupcxjy.cmdline"3⤵PID:5520
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE305.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC328533C11894A79AFFF53E1C68EDD9.TMP"4⤵PID:5608
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7o9mqxkz.cmdline"3⤵PID:5772
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE391.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1A2FD9EE12440D3895D566E1A80A95.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:4744
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xlwc0ipe.cmdline"3⤵
- System Location Discovery: System Language Discovery
PID:4720
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3FF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc20E88E9E77C4AE8B648553C674A4FB0.TMP"4⤵PID:3908
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w_sf2_ne.cmdline"3⤵PID:1800
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE45C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBEAEF08BE0304EED8B6AC56D258A92F.TMP"4⤵PID:668
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_ib6jf6m.cmdline"3⤵PID:4664
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB36D8D90D70C45EDB8715BE1AE562A93.TMP"4⤵PID:3000
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cszqclbx.cmdline"3⤵PID:1064
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE537.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5508BE1CADFE4CBA97706582EDF1C679.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:5628
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\omgyehiq.cmdline"3⤵PID:4944
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5B4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE138846F2854C3687A575B247F69A73.TMP"4⤵PID:5576
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4680
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:5736
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"5⤵
- System Location Discovery: System Language Discovery
PID:5864
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"5⤵
- Scheduled Task/Job: Scheduled Task
PID:1820
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6nkfbd0m.cmdline"5⤵
- System Location Discovery: System Language Discovery
PID:3168
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D0E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA808FC774EE45AD997452FBCD412D2A.TMP"6⤵PID:3228
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dr6pgtmu.cmdline"5⤵PID:1848
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D9A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2D1C4B5ACF21418CAE3D51CB599EC5D.TMP"6⤵
- System Location Discovery: System Language Discovery
PID:4224
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wi5ex7ct.cmdline"5⤵
- System Location Discovery: System Language Discovery
PID:4608
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E17.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD92F7377E0904C64B43115F6FFC0EE39.TMP"6⤵PID:2032
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ua3fzduw.cmdline"5⤵PID:6032
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E85.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD2F062FEA2B64E3EA9A313A4C0C3C033.TMP"6⤵PID:1208
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nfpdlzo-.cmdline"5⤵
- System Location Discovery: System Language Discovery
PID:668
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F02.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD439EB3BD81A46F2A31CA75D26E8FD49.TMP"6⤵PID:5352
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uljf0nws.cmdline"5⤵PID:3020
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F7F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDA30B396DA6942C3B2C4E770A97297D3.TMP"6⤵
- System Location Discovery: System Language Discovery
PID:5628
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\owriua1a.cmdline"5⤵PID:5968
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA00B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC49640E45CB54AB697CCBE9FF43AF6C3.TMP"6⤵PID:5792
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1th_zprm.cmdline"5⤵PID:2544
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA069.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA29DF7C13EA41CA9666F8CEDB781B50.TMP"6⤵PID:4484
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ijptltre.cmdline"5⤵PID:2880
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAC2B20AB8066449B86A3EECA8AEFFE64.TMP"6⤵
- System Location Discovery: System Language Discovery
PID:1840
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g5bqf-pt.cmdline"5⤵PID:1636
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA134.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4A5BA1F870A04C5EA2CA1B4B1E245EED.TMP"6⤵PID:4328
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yaasgmt-.cmdline"5⤵PID:804
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES54C8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc210D8471DF4A41BAEBCBB1CCE7B429.TMP"6⤵PID:2084
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hvgbtpya.cmdline"5⤵PID:5212
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5535.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F8045616034402A8823CFB03BACB26.TMP"6⤵PID:4460
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uhqoipso.cmdline"5⤵PID:4616
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y0ayfywh.cmdline"5⤵
- System Location Discovery: System Language Discovery
PID:3496
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55F1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC68ADA7CDEA74C9090ACE6776B2A3C.TMP"6⤵PID:996
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xhca86hz.cmdline"5⤵PID:5272
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES565E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC2C688F4E9C84BF7995AF0BDCE148FB8.TMP"6⤵PID:4032
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gxldnbhz.cmdline"5⤵PID:496
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB6443FC0AFC94566804F581BE8DD26D6.TMP"6⤵PID:6008
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zmq3of2v.cmdline"5⤵
- System Location Discovery: System Language Discovery
PID:2896
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5748.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc327C098ACC3A40B983FD1CA28E1F4A39.TMP"6⤵PID:5280
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\otstmiai.cmdline"5⤵PID:5536
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57B6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc835F74479B854BFC9A35BE4C2F3E683.TMP"6⤵PID:4064
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hsnbtmtj.cmdline"5⤵PID:3380
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5833.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3E5CD5ED65A4943B7E6851D283A889B.TMP"6⤵
- System Location Discovery: System Language Discovery
PID:5116
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qja4a2nk.cmdline"5⤵PID:2792
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES58A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F89AFEABAA24D5592C93F246E9F8C1.TMP"6⤵PID:692
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xqazpibx.cmdline"5⤵PID:5404
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES590D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3502CD1D99C74BD68EE164C8EA72FEB.TMP"6⤵PID:5448
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vki49rqs.cmdline"5⤵PID:2512
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES598A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB6A0FC5D8A684FE6A4988A72A48B103A.TMP"6⤵
- System Location Discovery: System Language Discovery
PID:584
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rmxoyeaz.cmdline"5⤵PID:2352
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES59E8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE6CE288F9AB648B9BE5992E0D18AA83B.TMP"6⤵PID:1124
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u_b4ymzd.cmdline"5⤵PID:2164
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A56.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc47B09020A4CC412A82741A36D4C854C8.TMP"6⤵PID:2988
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u2xflg30.cmdline"5⤵PID:5176
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5AC3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE10CBD702D3D45A4ADB74490163FF99D.TMP"6⤵PID:1424
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ksozbmit.cmdline"5⤵PID:5004
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B40.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD955F8AB72442DAB062272E491E490.TMP"6⤵PID:1208
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ihuk6w6b.cmdline"5⤵
- System Location Discovery: System Language Discovery
PID:4396 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BAD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9F92ACB9661342DC9BD569C342CA3D4.TMP"6⤵PID:5748
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ytnmcq2a.cmdline"5⤵PID:1944
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C1B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBDC29DBE83B747DD9FB2336AA41D5D8.TMP"6⤵PID:5588
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jlib7jpt.cmdline"5⤵PID:3204
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C98.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF0F4202B44F2471F814D89E36844C7E8.TMP"6⤵PID:2604
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rzmtgdc_.cmdline"5⤵PID:2324
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D05.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2E88F241662A4D23ABDD119CE18D3D8F.TMP"6⤵
- System Location Discovery: System Language Discovery
PID:3244
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t0hjq9j0.cmdline"5⤵
- System Location Discovery: System Language Discovery
PID:5520 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D92.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBF941386EC024A97A65553391857A67.TMP"6⤵PID:2392
-
-
-
-
-
-
Process (depth 1): C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"
  PID:3560
  Process (depth 2): C:\ProgramData\Hdlharas\dlrarhsiva.exe
    Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    - Executes dropped EXE
    PID:5336

Process (depth 1): C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe"
  - Chimera
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
  Process (depth 2): C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Downloads\YOUR_FILES_ARE_ENCRYPTED.HTML"
    - Modifies Internet Explorer settings
    PID:2736

Process (depth 1): C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
  PID:2736
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\is-A1Q34.tmp\butterflyondesktop.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-A1Q34.tmp\butterflyondesktop.tmp" /SL5="$140374,2719719,54272,C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3740
    Process (depth 3): C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
      Command line: "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SendNotifyMessage
      PID:5840
    Process (depth 3): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
      PID:5540
      Process (depth 4): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0x108,0x12c,0x7fff69d23cb8,0x7fff69d23cc8,0x7fff69d23cd8
        PID:2008
Process (depth 1): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
  Process (depth 2): C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
    Process (depth 3): C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      PID:6104

Process (depth 1): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:668
  Process (depth 2): C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:5216
    Process (depth 3): C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      PID:3556

Process (depth 1): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4664
  Process (depth 2): C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:336
    Process (depth 3): C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      PID:2180

Process (depth 1): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
  Process (depth 2): C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:5896
    Process (depth 3): C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      PID:5400

Process (depth 1): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:880
  Process (depth 2): C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:3948
    Process (depth 3): C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      - System Location Discovery: System Language Discovery
      PID:3980
Process (depth 1): C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1520
  Process (depth 2): C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play "C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip.crypt"
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:884
    Process (depth 3): C:\Windows\SysWOW64\unregmp2.exe
      Command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      PID:660
      Process (depth 4): C:\Windows\system32\unregmp2.exe
        Command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        - Enumerates connected drives
        - Suspicious use of AdjustPrivilegeToken
        PID:2028

Process (depth 1): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5960
  Process (depth 2): C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:4356
    Process (depth 3): C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      - System Location Discovery: System Language Discovery
      PID:3284

Process (depth 1): C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
  - Drops file in Windows directory
  PID:4880

Process (depth 1): C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\BlueScreen.exe
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\BlueScreen.exe"
  PID:3656

Process (depth 1): C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\BlueScreen.exe
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\BlueScreen.exe"
  - System Location Discovery: System Language Discovery
  PID:2864

Process (depth 1): C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ArcticBomb.exe
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ArcticBomb.exe"
  PID:6060
Process (depth 1): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4236
  Process (depth 2): C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:4688
    Process (depth 3): C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      - System Location Discovery: System Language Discovery
      PID:668

Process (depth 1): C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\FlashKiller.exe
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\FlashKiller.exe"
  PID:4724

Process (depth 1): C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\FreeYoutubeDownloader.exe
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\FreeYoutubeDownloader.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5536
  Process (depth 2): C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
    Command line: "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
    - Executes dropped EXE
    - Suspicious use of SendNotifyMessage
    PID:976
Process (depth 1): C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Zika.exe
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Zika.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:4472
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\$Recycle.Bin.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4340
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3008
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\$Recycle.Bin.exe", "C:\$Recycle.Bin.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2224
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\93b36425.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1492
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1488
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\93b36425.exe", "C:\93b36425.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4056
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\Documents and Settings.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4732
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2052
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\Documents and Settings.exe", "C:\Documents and Settings.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2704
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\PerfLogs.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2308
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1956
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\PerfLogs.exe", "C:\PerfLogs.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3288
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\Recovery.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1952
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4216
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\Recovery.exe", "C:\Recovery.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3352
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5304
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1368
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.exe", "C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3204
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2010_x64.log.html.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2604
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2884
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2010_x64.log.html.exe", "C:\vcredist2010_x64.log.html.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1344
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1828
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:964
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.exe", "C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2880
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2010_x86.log.html.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5016
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4648
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2010_x86.log.html.exe", "C:\vcredist2010_x86.log.html.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1928
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3536
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5256
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.exe", "C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3084
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5388
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:668
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.exe", "C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2484
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4724
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1228
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.exe", "C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1932
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1184
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1068
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.exe", "C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5208
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5652
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5712
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.exe", "C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1008
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2776
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3720
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.exe", "C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1744
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4700
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3236
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.exe", "C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4980
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:812
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:736
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.exe", "C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5200
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5548
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res2⤵PID:576
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.exe", "C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,2⤵PID:5224
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,2⤵PID:2192
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res2⤵PID:3884
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.exe", "C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,2⤵PID:3344
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,2⤵PID:6096
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res2⤵
- System Location Discovery: System Language Discovery
PID:3352
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log.exe", "C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,2⤵
- System Location Discovery: System Language Discovery
PID:1060
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract F:\$RECYCLE.BIN.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,2⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:5020
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res2⤵PID:4744
-
-
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite F:\$RECYCLE.BIN.exe", "F:\$RECYCLE.BIN.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,2⤵
- Enumerates connected drives
PID:5036
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Nostart.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Nostart.exe"1⤵PID:4992
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Sevgi.a.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Sevgi.a.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
PID:1352
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:2192
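The tree above repeats one three-step cycle per target file: the dropped svchost.exe extracts the icon group of <name>.dll.sys.exe into icons.rc, the dropped taskhost.exe compiles icons.rc into icons.res, and svchost.exe then writes that icon group into <name>.exe. The argument form (-extract file, script, type,, / -compile script, resfile / -addoverwrite file, saved_file, resfile, type,,) matches the command-line syntax of Resource Hacker 3.x, which is consistent with the two files named after Windows system processes being a renamed copy of that tool driven by the sample; the stray quote in each -addoverwrite line is how the sample itself builds the command. The script below is an added example, not part of the sandbox report. It runs two checks over a constructed subset of the rows above (plus one constructed, legitimate svchost.exe row with PID 900 that must not fire): a system-process name executing outside C:\Windows, and an -extract/-addoverwrite pair that moves an icon group between two files sharing one base name. The function names, the list of system-process names and the PID 900 row are this example's own assumptions.

```python
"""Flag two behaviours visible in the process tree above (added example).

Rule 1: an image named like a Windows system process (svchost.exe, taskhost.exe)
        running from outside the Windows directory.
Rule 2: the Resource Hacker 3.x-style triad seen in the tree:
          -extract <X>.dll.sys.exe, icons.rc, icongroup,,
          -compile icons.rc, icons.res
          -addoverwrite <X>.exe, <X>.exe, icons.res, icongroup,,
        i.e. the icon group of one file is copied onto another file with the
        same base name, so the dropped executable keeps the original's icon.
"""
import re
from collections import defaultdict

# Assumed list: process names malware commonly borrows for dropped files.
SYSTEM_PROCESS_NAMES = {"svchost.exe", "taskhost.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
# Directories where those names are legitimate.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# "<image>" -<verb> <comma-separated argument list>
RH_CMD = re.compile(
    r'^"?(?P<image>[^"]+?)"?\s+-(?P<verb>extract|compile|addoverwrite)\s+(?P<args>.*)$', re.I
)

TEMP = r"C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146"

# Constructed sample: (image, command line, PID) rows copied from the tree on this
# page, plus one constructed legitimate svchost.exe row (PID 900) that must not fire.
SAMPLE = [
    (rf"{TEMP}\svchost.exe",
     rf'"{TEMP}\svchost.exe" -extract C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.dll.sys.exe, {TEMP}\icons.rc, icongroup,,',
     4724),
    (rf"{TEMP}\taskhost.exe", rf'"{TEMP}\taskhost.exe" -compile {TEMP}\icons.rc, {TEMP}\icons.res', 1228),
    (rf"{TEMP}\svchost.exe",
     rf'"{TEMP}\svchost.exe" -addoverwrite C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.exe", "C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.exe, {TEMP}\icons.res, icongroup,,',
     1932),
    (rf"{TEMP}\svchost.exe",
     rf'"{TEMP}\svchost.exe" -extract F:\$RECYCLE.BIN.dll.sys.exe, {TEMP}\icons.rc, icongroup,,',
     5020),
    (rf"{TEMP}\taskhost.exe", rf'"{TEMP}\taskhost.exe" -compile {TEMP}\icons.rc, {TEMP}\icons.res', 4744),
    (rf"{TEMP}\svchost.exe",
     rf'"{TEMP}\svchost.exe" -addoverwrite F:\$RECYCLE.BIN.exe", "F:\$RECYCLE.BIN.exe, {TEMP}\icons.res, icongroup,,',
     5036),
    (r"C:\Windows\system32\OpenWith.exe", r"C:\Windows\system32\OpenWith.exe -Embedding", 2192),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs", 900),  # constructed
]


def original_name(path):
    """Map both <X>.dll.sys.exe and <X>.exe back to <X> (case-folded)."""
    return re.sub(r"(\.dll\.sys)?\.exe$", "", path.strip().strip('"'), flags=re.I).lower()


def split_rh_args(args):
    """Split Resource Hacker's comma list, tolerating the stray quotes seen in the tree."""
    return [a.strip().strip('"') for a in args.split(",")]


def analyze(processes):
    """Return {'masquerading': [(pid, image)], 'icon_cloning': [(name, extract_pid, overwrite_pid)]}."""
    masquerading = []
    steps = defaultdict(dict)  # original name -> {"extract": pid, "addoverwrite": pid}
    for image, cmdline, pid in processes:
        low = image.lower()
        if low.rsplit("\\", 1)[-1] in SYSTEM_PROCESS_NAMES and not low.startswith(SYSTEM_DIRS):
            masquerading.append((pid, image))
        m = RH_CMD.match(cmdline)
        if not m:
            continue
        verb, argv = m.group("verb").lower(), split_rh_args(m.group("args"))
        # -extract <src>, <rc>, <type>,,   /   -addoverwrite <exe>, <save_as>, <res>, <type>,,
        if verb == "extract" and len(argv) > 2 and argv[2].lower() == "icongroup":
            steps[original_name(argv[0])]["extract"] = pid
        elif verb == "addoverwrite" and len(argv) > 3 and argv[3].lower() == "icongroup":
            steps[original_name(argv[1])]["addoverwrite"] = pid
    icon_cloning = sorted(
        (name, s["extract"], s["addoverwrite"])
        for name, s in steps.items()
        if "extract" in s and "addoverwrite" in s
    )
    return {"masquerading": sorted(masquerading), "icon_cloning": icon_cloning}


if __name__ == "__main__":
    findings = analyze(SAMPLE)
    for pid, image in findings["masquerading"]:
        print(f"[masquerade] PID {pid}: {image}")
    for name, src_pid, dst_pid in findings["icon_cloning"]:
        print(f"[icon-clone] {name}: icon read by PID {src_pid}, written by PID {dst_pid}")
```

Rule 2 keys on the original file name rather than on PIDs because the tool is started once per step, so the three processes in each cycle share no parent-child link that a tree query could follow; the compile step is not needed for the match and is left out of the pairing.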