Analysis Overview
SHA256
a29451e1b94ab7a4a4de84be214d39d3c6ff3343dc5df041e627d1071b70201c
Threat Level: Known bad
The file project1.exe was found to be: Known bad.
Malicious Activity Summary
Modifies security service
Modifies WinLogon for persistence
Disables Task Manager via registry modification
Disables RegEdit via registry modification
Event Triggered Execution: Image File Execution Options Injection
Disables use of System Restore points
Executes dropped EXE
Modifies system executable filetype association
Writes to the Master Boot Record (MBR)
Adds Run key to start application
Sets desktop wallpaper using registry
UPX packed file
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Modifies Control Panel
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Scheduled Task/Job: Scheduled Task
Modifies registry class
Suspicious use of WriteProcessMemory
System policy modification
Checks SCSI registry key(s)
NTFS ADS
Modifies data under HKEY_USERS
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-05 19:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-05 19:33
Reported
2024-10-05 19:36
Platform
win10v2004-20240802-en
Max time kernel
140s
Max time network
119s
Command Line
Signatures
Modifies WinLogon for persistence
Userinit is rewritten to point at project1.exe. On a clean host the value is C:\Windows\system32\userinit.exe, and Winlogon runs whatever is listed here at every interactive logon, so the sample is relaunched before the user's shell. The WOW6432Node copies are the 32-bit sample's writes being mirrored by the registry redirector.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
Modifies security service
The sample deletes the Security, Parameters and TriggerInfo subkeys of wuauserv (Windows Update) and wscsvc (Security Center). An svchost-hosted service locates its DLL through Parameters\ServiceDll, so without that key neither service can start until the keys are restored.
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
Disables RegEdit via registry modification
DisableRegistryTools = 1 under the user's Policies\System key blocks regedit.exe for that account; together with the IFEO entry for regedit.exe below, even a renamed copy launched by its image name is redirected to the sample.
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
Disables Task Manager via registry modification
Disables use of System Restore points
Event Triggered Execution: Image File Execution Options Injection
Each Debugger value makes Windows start project1.exe in place of the named image, with the original command line appended. Targets are taskmgr.exe, regedit.exe, cmd.exe, explorer.exe, SystemSettings.exe, logonui.exe, svchost.exe and csrss.exe; the last three are processes the OS launches itself, so the impact goes well beyond locking the user out of admin tools. The rows below are grouped per target (the sandbox recorded each write several times).
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemsettings.exe | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettings.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\mbr.exe | N/A |
| N/A | N/A | C:\Windows\nt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
Modifies system executable filetype association
The default value of exefile\shell\open\command (normally "%1" %*) and of exefile\shell\runas\command is replaced with the sample's bare path. Every .exe launched through the shell, including one started with "Run as administrator", therefore runs project1.exe instead, and because the value carries no "%1" the intended program is not even passed as an argument.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
Adds Run key to start application
mbr.exe registers itself under the user's Run key as "wininit", borrowing the name of the legitimate Windows initialization process (wininit.exe lives in System32 and is never started from a Run key), so the entry blends in on a casual autoruns review.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Windows\\mbr.exe" | C:\Windows\mbr.exe | N/A |
Writes to the Master Boot Record (MBR)
Both dropped binaries open \??\PhysicalDrive0 for modification. That is a raw handle to the whole disk, bypassing the filesystem, and is how a bootlocker overwrites sector 0 (boot code and partition table); opening the device this way requires administrative rights, which the sample had in this run.
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\nt.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\mbr.exe | N/A |
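Once a sample has opened PhysicalDrive0 for write, the next question is what it did to sector 0. The Python below is an added example, not part of this report or of the sample: it parses a 512-byte MBR (boot code, disk signature, the four partition entries, the 0x55AA signature) and diffs it against a known-good baseline, distinguishing a swapped bootloader with an intact partition table from a wiped sector. The two test images are constructed inside the block; the placeholder boot code and the locker message are invented for the example and are not bytes recovered from project1.exe, nt.exe or mbr.exe.

```python
import hashlib
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"
_PART_FMT = "<BBBBBBBBII"  # status, CHS start (3), type, CHS end (3), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, disk signature, partition entries and signature check."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _, _, _, ptype, _, _, _, lba, count = struct.unpack_from(_PART_FMT, sector, 446 + 16 * i)
        if ptype:  # partition type 0 marks an unused slot
            parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": parts,
        "signature_ok": sector[510:] == BOOT_SIGNATURE,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Describe how `current` deviates from a known-good `baseline`; an empty list means identical."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    diffs = []
    if not c["signature_ok"]:
        diffs.append("0x55AA boot signature missing: sector is not a valid MBR (wiped or corrupted)")
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        diffs.append("boot code (bytes 0-439) differs: bootloader replaced")
    if b["disk_signature"] != c["disk_signature"]:
        diffs.append("disk signature differs")
    if b["partitions"] != c["partitions"]:
        diffs.append("partition table differs: volumes hidden, moved or destroyed")
    return diffs


def build_mbr(boot_code: bytes, partitions, disk_signature: int = 0x1234ABCD) -> bytes:
    """Assemble a synthetic MBR for testing; partitions are (bootable, type, lba_start, sectors)."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code[:440])] = boot_code[:440]
    struct.pack_into("<I", sector, 440, disk_signature)
    for i, (bootable, ptype, lba, count) in enumerate(partitions[:4]):
        struct.pack_into(_PART_FMT, sector, 446 + 16 * i,
                         0x80 if bootable else 0, 0, 0, 0, ptype, 0, 0, 0, lba, count)
    sector[510:] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed test images. The boot-code bytes are placeholders, not bytes recovered from this sample.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 433                  # 440 bytes
LOCKER_BOOT_CODE = (b"\xeb\xfe" + b"Your disk is locked. Pay to unlock.").ljust(440, b"\x00")
NTFS_SYSTEM_VOLUME = [(True, 0x07, 2048, 1024000)]

CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, NTFS_SYSTEM_VOLUME)
LOCKED_MBR = build_mbr(LOCKER_BOOT_CODE, NTFS_SYSTEM_VOLUME)   # partition table intact, loader swapped
WIPED_MBR = bytes(SECTOR)                                       # sector zeroed: nothing left to boot

if __name__ == "__main__":
    for label, image in (("locked", LOCKED_MBR), ("wiped", WIPED_MBR)):
        print(label, compare_mbr(CLEAN_MBR, image) or ["identical to baseline"])
```

To feed it real data, read the first 512 bytes of the device as an administrator (on Windows `open(r"\\.\PhysicalDrive0", "rb").read(512)`, on a Linux analysis box `dd if=/dev/sda bs=512 count=1`) and keep the pre-detonation copy as the baseline; the boot-code hash alone is enough to spot a locker that leaves the partition table untouched so the disk still looks "present" to casual inspection.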
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\WallPaper = "C:\\Windows\\666.bmp" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
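The registry and raw-disk rows in the sections above (Winlogon Userinit, deleted service keys, DisableRegistryTools, IFEO Debugger values, the exefile handler, the Run key, PhysicalDrive0, the wallpaper) are exactly what a SOC turns into detections. The Python below is an added example, not part of the sandbox report or of the sample: a small rule set that triages events shaped like the report's rows, maps each hit to an ATT&CK technique ID, suppresses clean-host defaults so a benign write does not fire, and collapses the repeated identical writes the sandbox recorded. The sample events are constructed from the rows on this page plus two benign control rows; the Userinit and exefile defaults are the standard Windows values, not something the report states.

```python
import re
from dataclasses import dataclass

# Clean-host defaults for the two values the sample overwrites outright.
# Standard Windows defaults, not values taken from the report.
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe,"
DEFAULT_EXEFILE_CMD = '"%1" %*'


@dataclass(frozen=True)
class RegEvent:
    op: str       # sandbox operation: "Set value", "Key created", "Key deleted", ...
    path: str     # registry or device path exactly as the report prints it
    value: str    # data written ("" for key-level and file-level events)
    process: str  # process that performed the operation


# (path pattern, ATT&CK technique, finding title). The patterns mirror the report's rows.
RULES = [
    (re.compile(r"\\Winlogon\\Userinit$", re.I), "T1547.004", "Winlogon Userinit replaced"),
    (re.compile(r"\\Image File Execution Options\\([^\\]+)\\Debugger$", re.I), "T1546.012", "IFEO Debugger hijack"),
    (re.compile(r"\\Classes\\exefile\\shell\\(open|runas)\\command\\$", re.I), "T1546.001", "exefile handler hijack"),
    (re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I), "T1547.001", "Run key persistence"),
    (re.compile(r"\\Policies\\System\\Disable(RegistryTools|TaskMgr)$", re.I), "T1562.001", "Admin tool disabled by policy"),
    (re.compile(r"\\Services\\(wuauserv|wscsvc)\\", re.I), "T1562.001", "Security service keys deleted"),
    (re.compile(r"^\\\?\?\\PhysicalDrive\d+$", re.I), "T1542.003", "Raw disk opened for write"),
    (re.compile(r"\\Control Panel\\Desktop\\WallPaper$", re.I), "T1491.001", "Desktop wallpaper replaced"),
]


def _is_benign(technique: str, title: str, ev: RegEvent) -> bool:
    """Per-rule guards so a Windows default, a read, or a key-level touch does not become a finding."""
    if technique == "T1547.004":
        return ev.value.lower() == DEFAULT_USERINIT.lower()
    if technique == "T1546.001":
        return ev.op != "Set value" or ev.value == DEFAULT_EXEFILE_CMD
    if technique in ("T1546.012", "T1547.001", "T1491.001"):
        return ev.op != "Set value"
    if title == "Admin tool disabled by policy":
        return ev.value != "1"
    if title == "Security service keys deleted":
        return ev.op != "Key deleted"
    if technique == "T1542.003":
        return ev.op != "File opened for modification"
    return False


def triage(events):
    """Match events against RULES, drop repeated identical writes, keep event order."""
    seen, findings = set(), []
    for ev in events:
        for pattern, technique, title in RULES:
            m = pattern.search(ev.path)
            if not m or _is_benign(technique, title, ev):
                continue
            key = (technique, ev.path.lower(), ev.value.lower(), ev.process.lower())
            if key in seen:
                continue
            seen.add(key)
            detail = f"{m.group(1)} -> {ev.value}" if technique == "T1546.012" else ev.value
            findings.append({"technique": technique, "title": title, "process": ev.process,
                             "path": ev.path, "detail": detail})
    return findings


def summarize(findings):
    """Count findings per ATT&CK technique."""
    counts = {}
    for f in findings:
        counts[f["technique"]] = counts.get(f["technique"], 0) + 1
    return counts


# Constructed from the rows on this page, plus two benign control rows at the end.
P = r"C:\Users\Admin\AppData\Local\Temp\project1.exe"
HKCU = r"\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000"
IFEO = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SAMPLE_EVENTS = [
    RegEvent("Set value", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", P, P),
    RegEvent("Set value", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", P, P),
    RegEvent("Key deleted", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security", "", P),
    RegEvent("Set value", HKCU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", "1", P),
    RegEvent("Key created", IFEO + r"\taskmgr.exe", "", P),
    RegEvent("Set value", IFEO + r"\taskmgr.exe\Debugger", P, P),
    RegEvent("Set value", IFEO + r"\taskmgr.exe\Debugger", P, P),          # repeated write, as in the report
    RegEvent("Set value", r"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command" + "\\", P, P),
    RegEvent("Set value", HKCU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit", r"C:\Windows\mbr.exe", r"C:\Windows\mbr.exe"),
    RegEvent("File opened for modification", r"\??\PhysicalDrive0", "", r"C:\Windows\nt.exe"),
    RegEvent("Set value", HKCU + r"\Control Panel\Desktop\WallPaper", r"C:\Windows\666.bmp", P),
    # Benign controls (constructed): the Windows default Userinit value, and a read of NLS\Language.
    RegEvent("Set value", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
             DEFAULT_USERINIT, r"C:\Windows\System32\svchost.exe"),
    RegEvent("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", "", r"C:\Windows\SysWOW64\schtasks.exe"),
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['technique']:10} {f['title']:32} {f['process']}  {f['detail']}")
    print(summarize(found))
```

The guards are the part worth copying: Userinit is compared against its default rather than flagged on any write, the exefile rule ignores the stock "%1" %* handler, and Services rules fire only on deletion, so the same logic run over a clean host's registry activity stays quiet. The NLS\Language read is deliberately not a rule, for the reason given under the language-discovery signature below.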
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
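The static signature gives no detail, so it is worth seeing what "UPX packed" is actually detected from: UPX names its sections UPX0/UPX1, leaves UPX0 with SizeOfRawData 0 but a large VirtualSize (the unpack destination), and stores the compressed image in UPX1 at near-maximal entropy. The Python below is an added example, not part of the report and not derived from project1.exe: it walks a PE section table with struct only and reports those three indicators. Both test images are built inside the block with a minimal hand-assembled PE32 header; the pseudo-random blob stands in for compressed code.

```python
import math
import random
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}   # names the stock UPX packer gives its sections


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Walk the PE section table; yield (name, VirtualSize, SizeOfRawData, raw bytes)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                           # first IMAGE_SECTION_HEADER (40 bytes each)
    for i in range(num_sections):
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        yield name.rstrip(b"\0"), vsize, rsize, image[rptr:rptr + rsize]


def packer_indicators(image: bytes, entropy_threshold: float = 7.0) -> dict:
    """Flag a UPX-style layout: known names, a high-entropy payload section, and a section that is
    empty on disk but reserves virtual space for the unpacked code."""
    known, high, empty = [], [], []
    for name, vsize, rsize, raw in pe_sections(image):
        label = name.decode("ascii", "replace")
        if name in UPX_SECTION_NAMES:
            known.append(label)
        if rsize and shannon_entropy(raw) > entropy_threshold:
            high.append(label)
        if rsize == 0 and vsize >= 0x1000:
            empty.append(label)
    return {"packer_sections": known, "high_entropy_sections": high, "raw_empty_sections": empty,
            "likely_packed": bool(known) or (bool(high) and bool(empty))}


def build_pe(sections) -> bytes:
    """Assemble a minimal PE32 header plus section table for testing; sections are (name, VirtualSize, raw)."""
    opt_size, n = 0xE0, len(sections)
    table = 0x44 + 20 + opt_size
    data_start = (table + 40 * n + 0x1FF) & ~0x1FF         # raw data on a 512-byte boundary
    img = bytearray(data_start)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, n, 0, 0, 0, opt_size, 0x0102)  # i386, EXECUTABLE_IMAGE
    struct.pack_into("<H", img, 0x44 + 20, 0x10B)           # PE32 optional-header magic
    raw_ptr = data_start
    for i, (name, vsize, raw) in enumerate(sections):
        struct.pack_into("<8sIIII", img, table + 40 * i, name, vsize, 0x1000 * (i + 1),
                         len(raw), raw_ptr if raw else 0)
        raw_ptr += len(raw)
    for _, _, raw in sections:
        img += raw
    return bytes(img)


# Constructed images; the pseudo-random blob stands in for compressed code. Nothing here is from the sample.
_rng = random.Random(1)
_compressed = bytes(_rng.getrandbits(8) for _ in range(4096))
PACKED_PE = build_pe([(b"UPX0", 0x20000, b""), (b"UPX1", 0x2000, _compressed), (b".rsrc", 0x1000, b"\x00" * 512)])
PLAIN_PE = build_pe([(b".text", 0x1000, bytes(range(64)) * 16), (b".data", 0x200, b"\x00" * 512)])

if __name__ == "__main__":
    for label, image in (("packed", PACKED_PE), ("plain", PLAIN_PE)):
        print(label, packer_indicators(image))
```

Section names are trivially renamed by anyone who edits the UPX header, which is why the empty-on-disk plus high-entropy pair is checked independently of them; that combination survives a renamed section table and also catches other packers with the same load-and-unpack layout.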
Drops file in Windows directory
System Location Discovery: System Language Discovery
Reads of HKLM\SYSTEM\ControlSet001\Control\NLS\Language are recorded from project1.exe, mbr.exe and schtasks.exe. The key is read by plenty of benign code (schtasks.exe is a Windows binary), so this signature carries little weight on its own; it only becomes interesting if the sample is seen to exit on particular locales.
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\mbr.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\dwm.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Windows\\mbr.exe" | C:\Windows\mbr.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\mbr.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallPaper = "C:\\Windows\\666.bmp" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dwm.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\mbr.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\mbr.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System\DisableCMD = "2" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\mbr.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dwm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallPaper = "C:\\Windows\\666.bmp" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallPaper = "C:\\Windows\\666.bmp" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System\DisableCMD = "2" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\.C: | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\project1.exe | "C:\Users\Admin\AppData\Local\Temp\project1.exe" |
| C:\Windows\mbr.exe | "C:\Windows\mbr.exe" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe" |
| C:\Users\Admin\AppData\Local\Temp\project1.exe | C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\System32\svchost.exe -k WerSvcGroup |
| C:\Windows\mbr.exe | "C:\Windows\mbr.exe" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe" |
| C:\Windows\nt.exe | C:\Windows\nt.exe |
| C:\Windows\system32\dwm.exe | "dwm.exe" |
| C:\Windows\nt.exe | C:\Windows\nt.exe |
| C:\Users\Admin\AppData\Local\Temp\project1.exe | C:\Users\Admin\AppData\Local\Temp\project1.exe explorer.exe |
| C:\Windows\mbr.exe | "C:\Windows\mbr.exe" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe" |
| C:\Windows\system32\dwm.exe | "dwm.exe" |
| C:\Windows\nt.exe | C:\Windows\nt.exe |
| C:\Users\Admin\AppData\Local\Temp\project1.exe | C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\System32\svchost.exe -k WerSvcGroup |
| C:\Windows\mbr.exe | "C:\Windows\mbr.exe" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe" |
| C:\Windows\nt.exe | C:\Windows\nt.exe |
| C:\Users\Admin\AppData\Local\Temp\project1.exe | C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv |
| C:\Windows\mbr.exe | "C:\Windows\mbr.exe" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe" |
| C:\Windows\nt.exe | C:\Windows\nt.exe |
| C:\Users\Admin\AppData\Local\Temp\project1.exe | C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc |
| C:\Windows\mbr.exe | "C:\Windows\mbr.exe" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe" |
| C:\Windows\nt.exe | C:\Windows\nt.exe |
| C:\Users\Admin\AppData\Local\Temp\project1.exe | C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc |
| C:\Windows\mbr.exe | "C:\Windows\mbr.exe" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe" |
| C:\Windows\nt.exe | C:\Windows\nt.exe |
| C:\Users\Admin\AppData\Local\Temp\project1.exe | C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc |
| C:\Windows\mbr.exe | "C:\Windows\mbr.exe" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe" |
| C:\Windows\nt.exe | C:\Windows\nt.exe |
| C:\Users\Admin\AppData\Local\Temp\project1.exe | C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\System32\svchost.exe -k WerSvcGroup |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
C:\Windows\mbr.exe
| MD5 | e134054e9b86ca5fd7f6102874fa2b1b |
| SHA1 | 8c31adb4c04754463dfa72f9fda21c86584b68d6 |
| SHA256 | ac6b7a459ab2ae4b618ffb392746ef5ecafcc2d74ad0538698d598ddeb6229c4 |
| SHA512 | cfc63ef3c57a912b02d1bbdbcaae0dfc917e0ceb30e91868313769fb1be1722d68cd9afc84f399df149c01193a984c1a09d360aaa78d8b9d3fac780ae5b28845 |
memory/4008-4-0x0000000000400000-0x000000000043F000-memory.dmp
memory/4008-7-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\666.bmp
| MD5 | 95b1a43e40e5080a626372c916bc04aa |
| SHA1 | b969b8cc0580abe72547e4b70e6f25f24494fa46 |
| SHA256 | 432b44507d1665f903a65d3b04ef0e0c45ce9c03d1bf6b46d556e01c06138aa2 |
| SHA512 | 93c91951fa4f5554d40871519903435ec50c415c8ae6e808c30f5ad09912d51659680ba500d2abba1de05bd646616cf57305f3f54f64a0dcd64a14348f5f23ea |
memory/3904-14-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\nt.exe
| MD5 | 462fcc409a04c19841d97845878a2103 |
| SHA1 | ea46e199131e6275cc9636d624c1edad25b16303 |
| SHA256 | 985e9ffaed5dfcfd00b33e5c2af3cb7284475172f8b7bfbd4393a94a31fcb96b |
| SHA512 | d222770d23c20865f9929284687967a6ad9cbc4b92de8d7ee053dc432e808ba7d9e50669184076407a4e0f6a4269a2bee3fad6cab3126c3744977d3e52fc3a0f |
memory/4864-21-0x00000000006A0000-0x00000000006BA000-memory.dmp
memory/4864-18-0x00000000006A0000-0x00000000006BA000-memory.dmp
memory/4764-25-0x00000000003F0000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\project1.exe
| MD5 | f3346cec01e6868ec4f593e7169dec18 |
| SHA1 | 6edc85958c45aa4d27bfa604b507fd032656dfd7 |
| SHA256 | a29451e1b94ab7a4a4de84be214d39d3c6ff3343dc5df041e627d1071b70201c |
| SHA512 | a4bef1622a434c19329e9d8a26b93687bb5b5658d97d071817efed856c6156e997970dea29cac81b5d45c48d350b6546ca56c2290b919187cb9094e8632e366f |
memory/1172-34-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1176-41-0x0000000000D50000-0x0000000000D6A000-memory.dmp
memory/1172-36-0x0000000000400000-0x000000000043F000-memory.dmp
memory/372-51-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3784-56-0x0000000000030000-0x000000000004A000-memory.dmp
memory/3684-66-0x0000000000400000-0x000000000043F000-memory.dmp
memory/4588-71-0x0000000000DF0000-0x0000000000E0A000-memory.dmp
memory/4028-80-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1040-85-0x0000000000250000-0x000000000026A000-memory.dmp
memory/1040-87-0x0000000000250000-0x000000000026A000-memory.dmp
memory/4484-95-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2240-100-0x00000000004E0000-0x00000000004FA000-memory.dmp
memory/2240-102-0x00000000004E0000-0x00000000004FA000-memory.dmp
memory/2260-111-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3668-116-0x0000000000530000-0x000000000054A000-memory.dmp
memory/3668-118-0x0000000000530000-0x000000000054A000-memory.dmp