Malware Analysis Report

2025-08-11 01:48

Sample ID 241005-x6l1aaveqc
Target death.exe
SHA256 85193644036aadb03b1573f25145fa89f13ee5b2399133a9424adb7609163b56
Tags bootkit discovery evasion persistence ransomware upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 85193644036aadb03b1573f25145fa89f13ee5b2399133a9424adb7609163b56

Threat Level: Known bad

The file death.exe was found to be: Known bad.

Malicious Activity Summary

bootkit discovery evasion persistence ransomware upx

Modifies security service

Modifies WinLogon for persistence

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Event Triggered Execution: Image File Execution Options Injection

Disables use of System Restore points

Executes dropped EXE

Modifies system executable filetype association

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Sets desktop wallpaper using registry

UPX packed file

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Scheduled Task/Job: Scheduled Task

System policy modification

Suspicious use of WriteProcessMemory

Enumerates system info in registry

NTFS ADS

Modifies Control Panel

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-05 19:28

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-05 19:28

Reported 2024-10-05 19:30

Platform win10v2004-20240802-en

Max time kernel 140s

Max time network 97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\death.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A

Modifies security service

evasion
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A

Disables Task Manager via registry modification

evasion

Disables use of System Restore points

evasion

Event Triggered Execution: Image File Execution Options Injection

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemsettings.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettings.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Windows\\mbr.exe" | C:\Windows\mbr.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Windows\nt.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Windows\mbr.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\WallPaper = "C:\\Windows\\666.bmp" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\666.bmp | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
File created | C:\Windows\mbr.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
File created | C:\Windows\nt.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\mbr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\nt.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\dwm.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\dwm.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\dwm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\dwm.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\dwm.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\dwm.exe | N/A

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dwm.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\mbr.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Windows\\mbr.exe" | C:\Windows\mbr.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallPaper = "C:\\Windows\\666.bmp" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Windows\system32\dwm.exe | N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Windows\\mbr.exe" C:\Windows\mbr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System\DisableCMD = "2" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Windows\\mbr.exe" C:\Windows\mbr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Windows\\mbr.exe" C:\Windows\mbr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\mbr.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallPaper = "C:\\Windows\\666.bmp" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System\DisableCMD = "2" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallPaper = "C:\\Windows\\666.bmp" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System\DisableCMD = "2" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System\DisableCMD = "2" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\dwm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\mbr.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" C:\Users\Admin\AppData\Local\Temp\death.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\.C: C:\Users\Admin\AppData\Local\Temp\death.exe N/A
File opened for modification C:\.C: C:\Users\Admin\AppData\Local\Temp\death.exe N/A
File opened for modification C:\.C: C:\Users\Admin\AppData\Local\Temp\death.exe N/A
File opened for modification C:\.C: C:\Users\Admin\AppData\Local\Temp\death.exe N/A
File opened for modification C:\.C: C:\Users\Admin\AppData\Local\Temp\death.exe N/A
File opened for modification C:\.C: C:\Users\Admin\AppData\Local\Temp\death.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: 33 N/A C:\Windows\system32\dwm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: 33 N/A C:\Windows\system32\dwm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\death.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3612 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\mbr.exe
PID 3612 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\mbr.exe
PID 3612 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\mbr.exe
PID 1408 wrote to memory of 2584 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 1408 wrote to memory of 2584 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 1408 wrote to memory of 2584 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 3612 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\nt.exe
PID 3612 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\nt.exe
PID 3612 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\nt.exe
PID 3112 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\mbr.exe
PID 3112 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\mbr.exe
PID 3112 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\mbr.exe
PID 4960 wrote to memory of 2900 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 4960 wrote to memory of 2900 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 4960 wrote to memory of 2900 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 3112 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\nt.exe
PID 3112 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\nt.exe
PID 3112 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\nt.exe
PID 424 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\mbr.exe
PID 424 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\mbr.exe
PID 424 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\mbr.exe
PID 1248 wrote to memory of 552 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 1248 wrote to memory of 552 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 1248 wrote to memory of 552 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 424 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\nt.exe
PID 424 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\nt.exe
PID 424 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\nt.exe
PID 3284 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\mbr.exe
PID 3284 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\mbr.exe
PID 3284 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\mbr.exe
PID 1592 wrote to memory of 4412 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 1592 wrote to memory of 4412 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 1592 wrote to memory of 4412 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 3284 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\nt.exe
PID 3284 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\nt.exe
PID 3284 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\nt.exe
PID 4520 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\mbr.exe
PID 4520 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\mbr.exe
PID 4520 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\mbr.exe
PID 1688 wrote to memory of 3776 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 1688 wrote to memory of 3776 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 1688 wrote to memory of 3776 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 4520 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\nt.exe
PID 4520 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\nt.exe
PID 4520 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\nt.exe
PID 4296 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\mbr.exe
PID 4296 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\mbr.exe
PID 4296 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\mbr.exe
PID 232 wrote to memory of 3964 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 232 wrote to memory of 3964 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 232 wrote to memory of 3964 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 4296 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\nt.exe
PID 4296 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\nt.exe
PID 4296 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\nt.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\death.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" C:\Users\Admin\AppData\Local\Temp\death.exe N/A
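The three registry tables above (HKEY_USERS writes, registry class changes, system policy modification) are flattened "Description Indicator Process Target" rows, and the same write is logged once per death.exe instance. The following Python is an added example, not part of the sandbox report or the sample: it parses rows in that layout into structured events and reduces them to the findings a triage analyst would extract by hand, namely the exefile open/runas handler pointed at death.exe (the legitimate default is `"%1" %*`, so a handler without `%1` captures every executable launch), the Run value and scheduled task both named `wininit`, Winlogon `Userinit` replaced by the sample, the DisableTaskMgr/DisableRegistryTools/DisableCMD/NoControlPanel/NoDesktop lockouts, and the wallpaper set to 666.bmp. The `\REGISTRY\USER\.DEFAULT` prefix is the HKEY_USERS\.DEFAULT hive. The sample rows are copied verbatim from the tables above; the parser assumes, as holds for this report, that the Process column has no spaces and Target is always `N/A`. Function and rule names are the example's own.

```python
"""Parse sandbox registry rows and reduce them to triage findings (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

ACTIONS = ("Key created", "Key opened", "Key value queried",
           "Set value (int)", "Set value (str)")

# Constructed input: rows copied verbatim from the report's registry tables.
SAMPLE_ROWS = [
    r'Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\mbr.exe N/A',
    r'Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Windows\\mbr.exe" C:\Windows\mbr.exe N/A',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\death.exe N/A',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\death.exe N/A',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System\DisableCMD = "2" C:\Users\Admin\AppData\Local\Temp\death.exe N/A',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" C:\Users\Admin\AppData\Local\Temp\death.exe N/A',
    r'Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" C:\Users\Admin\AppData\Local\Temp\death.exe N/A',
    r'Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallPaper = "C:\\Windows\\666.bmp" C:\Users\Admin\AppData\Local\Temp\death.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" C:\Users\Admin\AppData\Local\Temp\death.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" C:\Users\Admin\AppData\Local\Temp\death.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" C:\Users\Admin\AppData\Local\Temp\death.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" C:\Users\Admin\AppData\Local\Temp\death.exe N/A',
]

# Value names whose non-zero setting locks the interactive user out of a tool.
POLICY_VALUES = {"disabletaskmgr", "disableregistrytools", "disablecmd",
                 "nocontrolpanel", "nodesktop"}


@dataclass(frozen=True)
class RegEvent:
    action: str
    key: str             # registry path; for Set value rows the value name is the last component
    data: Optional[str]  # data written (Set value rows only), backslashes un-doubled
    process: str


def parse_row(row: str) -> RegEvent:
    """Split one flattened 'Description Indicator Process Target' row.

    Assumption (true for this report): Target is always N/A and the Process
    path contains no spaces, so both are peeled off the right-hand end.
    """
    row = row.strip()
    if row.endswith(" N/A"):
        row = row[:-len(" N/A")]
    action = next((a for a in ACTIONS if row.startswith(a)), None)
    if action is None:
        raise ValueError(f"unrecognised action in row: {row!r}")
    indicator, _, process = row[len(action):].strip().rpartition(" ")
    key, sep, data = indicator.partition(' = "')
    data = data[:-1].replace("\\\\", "\\") if sep else None  # drop closing quote
    return RegEvent(action, key, data, process)


def classify(ev: RegEvent) -> Optional[str]:
    """Return a finding for a Set value event, or None if benign or not covered."""
    if ev.data is None:
        return None
    parent, _, name = ev.key.lower().rpartition("\\")
    handler = re.search(r"\\classes\\exefile\\shell\\(open|runas)\\command$", parent)
    if name == "" and handler:
        # Legitimate default is '"%1" %*'; without %1 the handler swallows every EXE launch.
        if "%1" not in ev.data:
            return f"exefile {handler.group(1)} handler hijacked -> {ev.data}"
    elif parent.endswith("\\currentversion\\run"):
        return f"Run key persistence: {name} -> {ev.data}"
    elif parent.endswith("\\winlogon") and name == "userinit":
        # Stock value is "C:\Windows\system32\userinit.exe," (note trailing comma).
        if not ev.data.lower().rstrip(",").endswith("\\userinit.exe"):
            return f"Winlogon Userinit replaced -> {ev.data}"
    elif name in POLICY_VALUES and ev.data != "0":
        return f"policy lockout: {name}={ev.data}"
    elif parent.endswith("\\control panel\\desktop") and name == "wallpaper":
        return f"wallpaper set -> {ev.data}"
    return None


def findings(rows) -> dict:
    """finding -> set of writing processes; duplicate rows collapse onto one finding."""
    out: dict = {}
    for row in rows:
        ev = parse_row(row)
        finding = classify(ev)
        if finding:
            out.setdefault(finding, set()).add(ev.process)
    return out


if __name__ == "__main__":
    for finding, procs in findings(SAMPLE_ROWS).items():
        print(f"{finding}  [{', '.join(sorted(procs))}]")
```

The rules are deliberately keyed on the value name and its parent key rather than the hive, so the same code flags the write whether it lands under HKEY_USERS\.DEFAULT, a user SID, or HKLM.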

Processes

C:\Users\Admin\AppData\Local\Temp\death.exe

"C:\Users\Admin\AppData\Local\Temp\death.exe"

C:\Windows\mbr.exe

"C:\Windows\mbr.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\nt.exe

C:\Windows\nt.exe

C:\Users\Admin\AppData\Local\Temp\death.exe

C:\Users\Admin\AppData\Local\Temp\death.exe explorer.exe

C:\Windows\mbr.exe

"C:\Windows\mbr.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\nt.exe

C:\Windows\nt.exe

C:\Users\Admin\AppData\Local\Temp\death.exe

C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\mbr.exe

"C:\Windows\mbr.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"

C:\Windows\nt.exe

C:\Windows\nt.exe

C:\Users\Admin\AppData\Local\Temp\death.exe

C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\mbr.exe

"C:\Windows\mbr.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"

C:\Windows\nt.exe

C:\Windows\nt.exe

C:\Users\Admin\AppData\Local\Temp\death.exe

C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\mbr.exe

"C:\Windows\mbr.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"

C:\Windows\nt.exe

C:\Windows\nt.exe

C:\Users\Admin\AppData\Local\Temp\death.exe

C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\mbr.exe

"C:\Windows\mbr.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"

C:\Windows\nt.exe

C:\Windows\nt.exe

C:\Users\Admin\AppData\Local\Temp\death.exe

C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\mbr.exe

"C:\Windows\mbr.exe"
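The "Suspicious use of WriteProcessMemory" table and the Processes list above together describe the execution chain: each death.exe instance spawns C:\Windows\mbr.exe, which runs schtasks.exe to register a task named wininit that starts mbr.exe as SYSTEM at boot, and separately spawns C:\Windows\nt.exe; the sandbox logs every write three times. Several death.exe instances also carry another program's command line as their own arguments ("death.exe explorer.exe", "death.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"), which is the shape of a redirected launch such as the exefile handler rows earlier in this report produce. The following Python is an added example, not part of the report or the sample: it rebuilds the process tree from rows in the WriteProcessMemory layout, collapsing the duplicates, and flags Processes entries whose arguments begin with another executable. The rows are copied verbatim from the tables above; the regex assumes, as holds for this report, that image paths contain no spaces, and the redirected-launch check is a heuristic with names of the example's own.

```python
"""Rebuild a sandbox process tree and flag redirected launches (added example)."""
import re
from collections import defaultdict

WPM_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) N/A (?P<parent>\S+) (?P<child>\S+)$"
)

# Constructed input: rows copied from the WriteProcessMemory table (two
# death.exe instances, with the sandbox's repeated rows left in).
SAMPLE_WPM = [
    r"PID 3612 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\mbr.exe",
    r"PID 3612 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\mbr.exe",
    r"PID 1408 wrote to memory of 2584 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe",
    r"PID 3612 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\nt.exe",
    r"PID 3112 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\mbr.exe",
    r"PID 4960 wrote to memory of 2900 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe",
    r"PID 3112 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\nt.exe",
]

# Constructed input: (image, command line) pairs copied from the Processes list.
SAMPLE_PROCS = [
    (r"C:\Users\Admin\AppData\Local\Temp\death.exe", r'"C:\Users\Admin\AppData\Local\Temp\death.exe"'),
    (r"C:\Windows\mbr.exe", r'"C:\Windows\mbr.exe"'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\death.exe",
     r"C:\Users\Admin\AppData\Local\Temp\death.exe explorer.exe"),
    (r"C:\Users\Admin\AppData\Local\Temp\death.exe",
     r"C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"),
]


def build_tree(rows):
    """Return (children, image): ppid -> sorted child pids, pid -> image path.

    Repeated rows for the same parent/child pair collapse into one edge.
    """
    children = defaultdict(set)
    image = {}
    for row in rows:
        m = WPM_RE.match(row.strip())
        if not m:  # tolerate rows from other signature tables
            continue
        ppid, pid = int(m["ppid"]), int(m["pid"])
        children[ppid].add(pid)
        image[ppid] = m["parent"]
        image[pid] = m["child"]
    return {p: sorted(c) for p, c in children.items()}, image


def roots(children):
    """Pids that appear as a parent but never as a child."""
    all_children = {c for cs in children.values() for c in cs}
    return sorted(p for p in children if p not in all_children)


def render(children, image, pid, depth=0):
    """Indented text tree rooted at pid, one line per process."""
    lines = [f"{'  ' * depth}{pid} {image[pid]}"]
    for child in children.get(pid, []):
        lines.extend(render(children, image, child, depth + 1))
    return lines


def hijacked_launches(procs):
    """Flag processes whose first argument is itself an executable.

    Heuristic: a launch like 'death.exe explorer.exe' means the victim
    program's command line was handed to the image as arguments, which is
    what an executable-handler redirection produces. Assumes the command
    line's first token is the image itself.
    """
    out = []
    for image, cmdline in procs:
        name = image.rsplit("\\", 1)[-1].lower()
        tokens = cmdline.replace('"', "").split()
        if len(tokens) > 1 and tokens[0].lower().endswith(name) \
                and tokens[1].lower().endswith(".exe"):
            out.append((image, " ".join(tokens[1:])))
    return out


if __name__ == "__main__":
    children, image = build_tree(SAMPLE_WPM)
    for root in roots(children):
        print("\n".join(render(children, image, root)))
    for image_path, victim in hijacked_launches(SAMPLE_PROCS):
        print(f"redirected launch: {image_path} received <{victim}>")
```

The tree makes the persistence layering visible at a glance: the dropped mbr.exe both registers the SYSTEM task and, per the registry tables, writes the Run value, while the parent death.exe keeps re-entering through redirected launches.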

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/3612-0-0x0000000000400000-0x0000000000697000-memory.dmp

memory/3612-1-0x0000000010000000-0x0000000010015000-memory.dmp

C:\Windows\mbr.exe

MD5 e134054e9b86ca5fd7f6102874fa2b1b
SHA1 8c31adb4c04754463dfa72f9fda21c86584b68d6
SHA256 ac6b7a459ab2ae4b618ffb392746ef5ecafcc2d74ad0538698d598ddeb6229c4
SHA512 cfc63ef3c57a912b02d1bbdbcaae0dfc917e0ceb30e91868313769fb1be1722d68cd9afc84f399df149c01193a984c1a09d360aaa78d8b9d3fac780ae5b28845

memory/1408-6-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1408-9-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\nt.exe

MD5 462fcc409a04c19841d97845878a2103
SHA1 ea46e199131e6275cc9636d624c1edad25b16303
SHA256 985e9ffaed5dfcfd00b33e5c2af3cb7284475172f8b7bfbd4393a94a31fcb96b
SHA512 d222770d23c20865f9929284687967a6ad9cbc4b92de8d7ee053dc432e808ba7d9e50669184076407a4e0f6a4269a2bee3fad6cab3126c3744977d3e52fc3a0f

memory/2108-13-0x00000000001D0000-0x00000000001EA000-memory.dmp

memory/2108-16-0x00000000001D0000-0x00000000001EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\death.exe

MD5 a39281364d707dd0921b0a36f4a25a4c
SHA1 9e4bc8604667e6295900cc8c2813032206435c6f
SHA256 85193644036aadb03b1573f25145fa89f13ee5b2399133a9424adb7609163b56
SHA512 ee85be6af2692823391c66e957ccb1d187b1e20e94ee3662660a98dbdc1c48ac29dfa6890f80664850622994e8eaf14858e3cb31124b069990cd4fdfa22626dd

memory/3112-18-0x0000000000400000-0x0000000000697000-memory.dmp

C:\Windows\666.bmp

MD5 95b1a43e40e5080a626372c916bc04aa
SHA1 b969b8cc0580abe72547e4b70e6f25f24494fa46
SHA256 432b44507d1665f903a65d3b04ef0e0c45ce9c03d1bf6b46d556e01c06138aa2
SHA512 93c91951fa4f5554d40871519903435ec50c415c8ae6e808c30f5ad09912d51659680ba500d2abba1de05bd646616cf57305f3f54f64a0dcd64a14348f5f23ea

memory/4960-25-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1456-29-0x0000000000CB0000-0x0000000000CCA000-memory.dmp

memory/1248-39-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4652-44-0x0000000000810000-0x000000000082A000-memory.dmp

memory/424-46-0x0000000000400000-0x0000000000697000-memory.dmp

memory/1592-55-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1200-60-0x0000000000300000-0x000000000031A000-memory.dmp

memory/3284-63-0x0000000000400000-0x0000000000697000-memory.dmp

memory/4520-65-0x0000000000400000-0x0000000000697000-memory.dmp

memory/3612-64-0x0000000000400000-0x0000000000697000-memory.dmp

memory/1688-75-0x0000000000400000-0x000000000043F000-memory.dmp

memory/540-78-0x0000000000AD0000-0x0000000000AEA000-memory.dmp

memory/3112-80-0x0000000000400000-0x0000000000697000-memory.dmp

memory/4520-82-0x0000000000400000-0x0000000000697000-memory.dmp

memory/232-90-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2684-95-0x0000000000DC0000-0x0000000000DDA000-memory.dmp

memory/2684-97-0x0000000000DC0000-0x0000000000DDA000-memory.dmp

memory/4296-98-0x0000000000400000-0x0000000000697000-memory.dmp

memory/4404-100-0x0000000000400000-0x0000000000697000-memory.dmp