Malware Analysis Report

2025-08-11 01:48

Sample ID: 241005-x9vrlazgkk
Target: project1.exe
SHA256: a29451e1b94ab7a4a4de84be214d39d3c6ff3343dc5df041e627d1071b70201c
Tags: bootkit discovery evasion persistence ransomware upx
Score: 10/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK
  - Enterprise Matrix V15
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 10/10

SHA256: a29451e1b94ab7a4a4de84be214d39d3c6ff3343dc5df041e627d1071b70201c

Threat Level: Known bad

The file project1.exe was found to be: Known bad.

Malicious Activity Summary

bootkit discovery evasion persistence ransomware upx

Modifies security service

Modifies WinLogon for persistence

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Event Triggered Execution: Image File Execution Options Injection

Disables use of System Restore points

Executes dropped EXE

Modifies system executable filetype association

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Sets desktop wallpaper using registry

UPX packed file

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies Control Panel

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Scheduled Task/Job: Scheduled Task

Modifies registry class

Suspicious use of WriteProcessMemory

System policy modification

Checks SCSI registry key(s)

NTFS ADS

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-05 19:33

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-05 19:33

Reported: 2024-10-05 19:36

Platform: win10v2004-20240802-en

Max time kernel: 140s

Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\project1.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A

Modifies security service

evasion
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A

Disables Task Manager via registry modification

evasion

Disables use of System Restore points

evasion

Event Triggered Execution: Image File Execution Options Injection

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettings.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemsettings.exe | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Windows\\mbr.exe" | C:\Windows\mbr.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Windows\nt.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Windows\mbr.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\WallPaper = "C:\\Windows\\666.bmp" | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\666.bmp | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
File created | C:\Windows\nt.exe | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
File created | C:\Windows\mbr.exe | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\project1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\mbr.exe | N/A

Checks SCSI registry key(s)

Note: every row in this table, in "Enumerates system info in registry" below, and the SystemCertificates, MuiCache and WinTrust rows under "Modifies data under HKEY_USERS" is attributed to C:\Windows\system32\dwm.exe, the Desktop Window Manager instances listed under Processes, not to project1.exe or the files it drops. The QEMU DVD-ROM and WDC disk identifiers are exactly what a sample reads to detect a virtual machine, but no row shows the sample reading them, and the WriteProcessMemory table shows nothing written into dwm.exe, so do not score this table as sandbox evasion by the sample.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\dwm.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\dwm.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\project1.exe N/A

Modifies data under HKEY_USERS

Note: the rows that matter are the writes by project1.exe and mbr.exe into HKU\.DEFAULT: Winlogon\Userinit pointed at the sample, a Run value named wininit pointing at C:\Windows\mbr.exe, the policy values DisableTaskMgr = 1, DisableRegistryTools = 1, DisableCMD = 2 (cmd.exe blocked, batch files still run) and NoDesktop = 1, and WallPaper set to the dropped C:\Windows\666.bmp. HKU\.DEFAULT is the profile of the LocalSystem account (the logon desktop and services), not of the interactive user, so when scoping a real infection check HKLM and the user's own hive (S-1-5-21-786284298-625481688-3210388970-1000 above) for the same values before deciding which are in effect. The SystemCertificates, MuiCache and WinTrust rows belong to dwm.exe and are routine.
Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Windows\\mbr.exe" C:\Windows\mbr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\mbr.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallPaper = "C:\\Windows\\666.bmp" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\mbr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\mbr.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System\DisableCMD = "2" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\mbr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallPaper = "C:\\Windows\\666.bmp" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallPaper = "C:\\Windows\\666.bmp" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System\DisableCMD = "2" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A

Modifies registry class

Note: exefile\shell\open\command and exefile\shell\runas\command are set to the bare path of the sample with no "%1" placeholder (the stock value is "%1" %*). From then on every executable started through the shell runs project1.exe instead, with the intended program and its arguments appended to the command line, which is exactly what the Processes section shows (project1.exe C:\Windows\System32\svchost.exe -k WerSvcGroup, project1.exe explorer.exe). This is the mechanism behind the many project1.exe instances in the WriteProcessMemory table, and it is why a cleanup that deletes the file without restoring this value leaves a machine unable to launch .exe files from Explorer.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
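As an added worked example (the editor's code, not part of this report or of the sample), the following Python parses rows in the format of the HKEY_USERS and registry-class tables above (and of the System policy modification table further down) and maps each Set value row to the persistence or defence-impairment it implements. SAMPLE_ROWS are copied from those tables as constructed input; the RULES table, its labels, the ATT&CK technique IDs and the HKLM/HKU hive normalisation are the editor's own assumptions, not something the report uses.

```python
"""Map the registry 'Set value' rows of this report to what they implement.

Added example by the editor, not part of the sandbox report or the sample.
SAMPLE_ROWS are copied from the report's tables; RULES, the labels and the
ATT&CK technique IDs are the editor's own mapping (assumptions).
"""
import re
from typing import List, NamedTuple, Optional


class RegEvent(NamedTuple):
    op: str
    path: str              # normalised, e.g. HKU\.DEFAULT\Software\...
    value: Optional[str]
    process: str


class Finding(NamedTuple):
    label: str
    technique: str
    path: str
    value: Optional[str]
    process: str


# Row layout: <op> <path>[ = "<value>"] <process> N/A
# The key path may contain spaces, the process path never does, so the lazy
# path group ends at the first " X:\..." token that is followed by " N/A".
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?:str|int)\)|Key created|Key opened|Key value queried)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s=\s"(?P<value>[^"]*)")?'
    r'\s(?P<process>[A-Za-z]:\\\S+)\sN/A$'
)
HIVES = (('\\REGISTRY\\MACHINE', 'HKLM'), ('\\REGISTRY\\USER', 'HKU'))

RULES = (   # (regex over the normalised path, label, ATT&CK technique)
    (r'\\Winlogon\\Userinit$', 'Winlogon Userinit hijack', 'T1547.004'),
    (r'\\CurrentVersion\\Run\\[^\\]+$', 'Run key autostart', 'T1547.001'),
    (r'\\Classes\\exefile\\shell\\(open|runas)\\command\\?$', 'exefile handler hijack', 'T1546.001'),
    (r'\\Policies\\System\\DisableTaskMgr$', 'Task Manager disabled', 'T1562.001'),
    (r'\\Policies\\System\\DisableRegistryTools$', 'Registry Editor disabled', 'T1562.001'),
    (r'\\Policies\\Microsoft\\Windows\\System\\DisableCMD$', 'Command prompt disabled', 'T1562.001'),
    (r'\\Policies\\Explorer\\NoDesktop$', 'Desktop hidden', 'T1562.001'),
    (r'\\Policies\\Explorer\\NoControlPanel$', 'Control Panel blocked', 'T1562.001'),
    (r'\\Control Panel\\Desktop\\WallPaper$', 'Wallpaper replaced', 'T1491.001'),
)


def parse_row(line: str) -> Optional[RegEvent]:
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    path = m['path']
    for prefix, hive in HIVES:
        if path.upper().startswith(prefix):
            path = hive + path[len(prefix):]
            break
    value = m['value']
    if value is not None:
        value = value.replace('\\\\', '\\')   # the report doubles backslashes in values
    return RegEvent(m['op'], path, value, m['process'])


def classify(lines) -> List[Finding]:
    """One finding per (path, value). Key creations and reads are skipped:
    they carry no payload, and most of them are dwm.exe noise."""
    findings: List[Finding] = []
    seen = set()
    for line in lines:
        ev = parse_row(line)
        if ev is None or not ev.op.startswith('Set value'):
            continue
        for pattern, label, technique in RULES:
            if re.search(pattern, ev.path, re.IGNORECASE):
                key = (ev.path.lower(), ev.value)
                if key not in seen:
                    seen.add(key)
                    findings.append(Finding(label, technique, ev.path, ev.value, ev.process))
                break
    return findings


# Constructed input: rows copied from the report tables (one duplicate kept).
SAMPLE_ROWS = r'''
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Windows\\mbr.exe" C:\Windows\mbr.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallPaper = "C:\\Windows\\666.bmp" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System\DisableCMD = "2" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\project1.exe" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A
'''.strip().splitlines()

if __name__ == '__main__':
    for f in classify(SAMPLE_ROWS):
        print(f'{f.technique}  {f.label}: {f.path} = {f.value}')
```

The de-duplicated list is the one to turn into remediation: restore exefile\shell\open\command and runas\command to "%1" %*, restore Userinit to its stock userinit.exe entry, delete the wininit Run value, and remove the DisableTaskMgr, DisableRegistryTools, DisableCMD, NoDesktop and NoControlPanel values from every hive they were written to.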

NTFS ADS

Note: the only indicator is the path C:\.C:, a name with a second colon after the drive letter, which the sandbox signature treats as an alternate-data-stream name. Nothing further is recorded about what was written through it, so on its own this is a weak signal compared with the MBR write listed in the summary.
Description Indicator Process Target
File opened for modification C:\.C: C:\Users\Admin\AppData\Local\Temp\project1.exe N/A (8 identical events)

Scheduled Task/Job: Scheduled Task

persistence execution
Note: the sandbox records no indicator for these eight events, but the Processes section carries the command line each mbr.exe instance ran: schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe". That is a task named after the real wininit.exe, running as SYSTEM at every boot and launching the dropped C:\Windows\mbr.exe; it pairs with the Run value of the same name under HKEY_USERS above. On a suspect host, schtasks /Query /TN wininit /V /FO LIST shows whether the task exists and what it points at.
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A (8 identical events)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\project1.exe N/A (64 identical events)

Suspicious use of AdjustPrivilegeToken

Note: only the last row belongs to the sample: project1.exe enabling SeDebugPrivilege, the privilege malware turns on before opening processes it does not own (compare the EnumeratesProcesses table). The dwm.exe rows are the Desktop Window Manager's normal start-up set; "Token: 33" is privilege LUID 33, SeIncreaseWorkingSetPrivilege, which the sandbox did not resolve to a name.
Description Indicator Process Target
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: 33 N/A C:\Windows\system32\dwm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: 33 N/A C:\Windows\system32\dwm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\project1.exe N/A

Suspicious use of WriteProcessMemory

Note: every target in this table is the writer's own child (project1.exe into mbr.exe and nt.exe, mbr.exe into schtasks.exe) and each pair is logged three times; that is the pattern of a parent setting up a process it has just created, not injection into a foreign process. Two things are worth reading off the PIDs: eight separate project1.exe parents (3244, 1156, 2124, 4776, 2916, 3448, 4660, 1512), consistent with the hijacked exefile association re-running the sample, and PID 1712 appearing as a child of both 4008 and 4484, i.e. PID reuse within a short run, so correlate on (PID, image, start time) rather than on PID alone.
Description Indicator Process Target
PID 3244 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
PID 3244 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
PID 3244 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
PID 4008 wrote to memory of 1712 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 4008 wrote to memory of 1712 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 4008 wrote to memory of 1712 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 1156 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
PID 1156 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
PID 1156 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
PID 3904 wrote to memory of 2668 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 3904 wrote to memory of 2668 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 3904 wrote to memory of 2668 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 1156 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\nt.exe
PID 1156 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\nt.exe
PID 1156 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\nt.exe
PID 3244 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\nt.exe
PID 3244 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\nt.exe
PID 3244 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\nt.exe
PID 2124 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
PID 2124 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
PID 2124 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
PID 1172 wrote to memory of 4948 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 1172 wrote to memory of 4948 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 1172 wrote to memory of 4948 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 2124 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\nt.exe
PID 2124 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\nt.exe
PID 2124 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\nt.exe
PID 4776 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
PID 4776 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
PID 4776 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
PID 372 wrote to memory of 3600 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 372 wrote to memory of 3600 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 372 wrote to memory of 3600 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 4776 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\nt.exe
PID 4776 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\nt.exe
PID 4776 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\nt.exe
PID 2916 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
PID 2916 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
PID 2916 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
PID 3684 wrote to memory of 5116 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 3684 wrote to memory of 5116 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 3684 wrote to memory of 5116 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 2916 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\nt.exe
PID 2916 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\nt.exe
PID 2916 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\nt.exe
PID 3448 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
PID 3448 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
PID 3448 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
PID 4028 wrote to memory of 4276 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 4028 wrote to memory of 4276 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 4028 wrote to memory of 4276 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 3448 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\nt.exe
PID 3448 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\nt.exe
PID 3448 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\nt.exe
PID 4660 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
PID 4660 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
PID 4660 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
PID 4484 wrote to memory of 1712 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 4484 wrote to memory of 1712 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 4484 wrote to memory of 1712 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 4660 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\nt.exe
PID 4660 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\nt.exe
PID 4660 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\nt.exe
PID 1512 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
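The table above is easier to read as a tree. The following Python is an added example by the editor, not part of the report: it parses rows in that format, keeps one edge per parent/child pair, treats writers that were never written to as roots, and flags PIDs that appear under more than one parent. SAMPLE_ROWS is a subset of the rows above, copied as constructed input with one of the sandbox's repeated rows left in to show the de-duplication.

```python
"""Rebuild the process tree from 'PID A wrote to memory of B' rows.

Added example by the editor, not part of the sandbox report. SAMPLE_ROWS are
a subset of the report's rows (constructed input); the tree logic is the
editor's own.
"""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

Node = Tuple[int, str]          # (pid, image path)


class Edge(NamedTuple):
    parent: Node
    child: Node


ROW_RE = re.compile(
    r'^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+)\s+N/A\s+'
    r'(?P<pimg>\S+)\s+(?P<cimg>\S+)$'
)


def parse_edges(lines) -> List[Edge]:
    """One edge per parent/child pair. The sandbox logs the same pair three
    times (the writes a parent performs while creating its child)."""
    edges: List[Edge] = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            e = Edge((int(m['ppid']), m['pimg']), (int(m['pid']), m['cimg']))
            if e not in edges:
                edges.append(e)
    return edges


def build_tree(edges: List[Edge]) -> Tuple[List[Node], Dict[Node, List[Node]]]:
    children: Dict[Node, List[Node]] = {}
    written_to: Set[Node] = set()
    for e in edges:
        children.setdefault(e.parent, []).append(e.child)
        written_to.add(e.child)
    # A root is a writer nobody wrote to. The sandbox did not record who
    # started those project1.exe instances: the hijacked exefile association
    # fires from whatever process tried to launch a program.
    roots = [n for n in children if n not in written_to]
    return roots, children


def reused_pids(edges: List[Edge]) -> List[int]:
    """PIDs that turn up as the child of more than one parent: PID reuse
    within the run, so never key a timeline on PID alone."""
    parents_of: Dict[int, Set[Node]] = {}
    for e in edges:
        parents_of.setdefault(e.child[0], set()).add(e.parent)
    return sorted(pid for pid, ps in parents_of.items() if len(ps) > 1)


def render(edges: List[Edge]) -> str:
    roots, children = build_tree(edges)
    out: List[str] = []

    def walk(node: Node, depth: int, path: Set[Node]) -> None:
        out.append('  ' * depth + f'{node[1]} (PID {node[0]})')
        if node in path:                  # PID reuse could form a loop
            out[-1] += ' [cycle]'
            return
        for c in children.get(node, []):
            walk(c, depth + 1, path | {node})

    for r in roots:
        walk(r, 0, set())
    return '\n'.join(out)


# Constructed input: rows copied from the report, one duplicate left in.
SAMPLE_ROWS = r'''
PID 3244 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
PID 3244 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
PID 4008 wrote to memory of 1712 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 3244 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\nt.exe
PID 1156 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
PID 3904 wrote to memory of 2668 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 1156 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\nt.exe
PID 4660 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
PID 4484 wrote to memory of 1712 N/A C:\Windows\mbr.exe C:\Windows\SysWOW64\schtasks.exe
PID 4660 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\nt.exe
PID 1512 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\mbr.exe
'''.strip().splitlines()

if __name__ == '__main__':
    edges = parse_edges(SAMPLE_ROWS)
    print(render(edges))
    print('reused PIDs:', reused_pids(edges))
```

Each root in the output is one run of the sample, and every run drops the same chain (mbr.exe, which registers the task, and nt.exe), which is what you expect from a sample re-executed for every program launch rather than from a single infection.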

System policy modification

evasion
Description Indicator Process Target Occurrences
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" C:\Users\Admin\AppData\Local\Temp\project1.exe N/A 8
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\project1.exe N/A 8

Processes

C:\Users\Admin\AppData\Local\Temp\project1.exe

"C:\Users\Admin\AppData\Local\Temp\project1.exe"

C:\Windows\mbr.exe

"C:\Windows\mbr.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"

C:\Users\Admin\AppData\Local\Temp\project1.exe

C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\mbr.exe

"C:\Windows\mbr.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"

C:\Windows\nt.exe

C:\Windows\nt.exe

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\nt.exe

C:\Windows\nt.exe

C:\Users\Admin\AppData\Local\Temp\project1.exe

C:\Users\Admin\AppData\Local\Temp\project1.exe explorer.exe

C:\Windows\mbr.exe

"C:\Windows\mbr.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\nt.exe

C:\Windows\nt.exe

C:\Users\Admin\AppData\Local\Temp\project1.exe

C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\mbr.exe

"C:\Windows\mbr.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"

C:\Windows\nt.exe

C:\Windows\nt.exe

C:\Users\Admin\AppData\Local\Temp\project1.exe

C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\mbr.exe

"C:\Windows\mbr.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"

C:\Windows\nt.exe

C:\Windows\nt.exe

C:\Users\Admin\AppData\Local\Temp\project1.exe

C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\mbr.exe

"C:\Windows\mbr.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"

C:\Windows\nt.exe

C:\Windows\nt.exe

C:\Users\Admin\AppData\Local\Temp\project1.exe

C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\mbr.exe

"C:\Windows\mbr.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"

C:\Windows\nt.exe

C:\Windows\nt.exe

C:\Users\Admin\AppData\Local\Temp\project1.exe

C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\mbr.exe

"C:\Windows\mbr.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"

C:\Windows\nt.exe

C:\Windows\nt.exe

C:\Users\Admin\AppData\Local\Temp\project1.exe

C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
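
The process list above shows one persistence pattern repeated for every instance of the sample: project1.exe is relaunched with another process's command line as its argument (svchost.exe -k WerSvcGroup, explorer.exe, svchost.exe -k netsvcs -p -s wuauserv / UsoSvc), each instance drops and runs C:\Windows\mbr.exe, and each mbr.exe registers the same scheduled task, named wininit, running as SYSTEM at every boot. The following is an added example, not part of the sandbox report or of the sample: it parses schtasks.exe /Create command lines such as the ones recorded here and scores the combination of switches. The first sample line is copied from the report; the second is a constructed benign contrast. The weights and the SYSTEM_PROCESS_NAMES and TRUSTED_DIRS lists are illustrative choices for this example, not a vendor rule.

```python
"""Score schtasks.exe /Create command lines like the ones in a sandbox process list.

Added example, not part of the sandbox report or of the sample. It pulls the /TN, /RU,
/SC and /TR switches out of each command line and rates the combination this sample
uses: a task named after a real Windows process (wininit), run as SYSTEM at every boot,
whose target is a binary dropped straight into C:\\Windows.
"""
import ntpath
import shlex

# Legitimate Windows process names that malware borrows for task names.
# "wininit" is the one this sample uses; the rest are illustrative additions.
SYSTEM_PROCESS_NAMES = {"wininit", "winlogon", "csrss", "lsass", "services", "svchost"}

# Lower-cased directory prefixes where a scheduled task target is expected to live.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

SAMPLE_COMMAND_LINES = [
    # Copied from the report (one per spawned mbr.exe instance).
    'schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\\Windows\\mbr.exe"',
    # Constructed benign contrast: a vendor updater under Program Files, run as the user.
    'schtasks.exe /Create /TN "Contoso Update" /SC DAILY /ST 03:00 '
    '/TR "C:\\Program Files\\Contoso\\updater.exe"',
]


def parse_schtasks(cmdline):
    """Map each /SWITCH to its raw (still quoted) value, or True for a bare flag."""
    # posix=False keeps Windows backslashes literal and leaves a quoted value in one token.
    tokens = shlex.split(cmdline, posix=False)
    opts = {}
    i = 1  # skip the program name
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].upper()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def target_binary(raw_tr):
    """Lower-cased program path from a /TR value, without its arguments or quotes."""
    raw_tr = raw_tr.strip()
    if raw_tr.startswith('"'):
        end = raw_tr.find('"', 1)
        return raw_tr[1:end].lower() if end > 0 else raw_tr[1:].lower()
    return raw_tr.split(" ", 1)[0].lower()


def assess(cmdline):
    """Return the parsed task plus a heuristic score and the reasons behind it."""
    opts = parse_schtasks(cmdline)

    def val(key):
        v = opts.get(key, "")
        return v.strip('"') if isinstance(v, str) else ""

    raw_tr = opts.get("TR") if isinstance(opts.get("TR"), str) else ""
    result = {
        "task": val("TN"),
        "run_as": val("RU"),
        "schedule": val("SC").upper(),
        "target": target_binary(raw_tr),
        "score": 0,
        "reasons": [],
    }
    if "CREATE" not in opts:
        result["reasons"].append("not a /Create; nothing to assess")
        return result

    def hit(points, why):
        result["score"] += points
        result["reasons"].append(why)

    if result["run_as"].lower() in ("system", "nt authority\\system"):
        hit(2, "runs as SYSTEM")
    if result["schedule"] in ("ONSTART", "ONLOGON"):
        hit(1, f"triggers at {result['schedule']}, so it survives reboot")
    name = result["task"].lower()
    name = name[:-4] if name.endswith(".exe") else name
    if name in SYSTEM_PROCESS_NAMES:
        hit(2, f"task name '{result['task']}' mimics a Windows system process")
    target = result["target"]
    if target and not target.startswith(TRUSTED_DIRS):
        hit(2, f"target {target} is outside the trusted program directories")
        if ntpath.dirname(target) == "c:\\windows":
            hit(1, "target was dropped directly into C:\\Windows rather than System32")
    return result


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        r = assess(line)
        print(f"score={r['score']} task={r['task']!r} run_as={r['run_as']!r} target={r['target']!r}")
        for why in r["reasons"]:
            print("  -", why)
```

Running it prints a score of 8 for the report's command line and 0 for the constructed updater task. In a real pipeline the same parser would be fed from Sysmon event ID 1 command lines or Microsoft-Windows-TaskScheduler/Operational event 106 (task registered); the task-name check matters because a task called wininit blends into a casual look at schtasks /Query output.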

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
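
Every row in the Network table is a UDP query to 8.8.8.8 for a name under in-addr.arpa, that is, a PTR (reverse) lookup: the host asked which name belongs to an address it already held, and no forward resolution of an attacker-chosen domain is recorded. To see which addresses were actually looked up, the labels have to be reversed. The following is an added example, not part of the sandbox report; the rows are copied from the table above, and the classification of each address as public uses the standard library's view of the reserved ranges only.

```python
"""Decode the reverse-DNS (PTR) names in a sandbox Network table back into IP addresses.

Added example, not part of the sandbox report. A name d.c.b.a.in-addr.arpa encodes the
IPv4 address a.b.c.d; reversing the first four labels recovers it, and ipaddress then
says whether the address is public. Rows that are not PTR names are the ones that could
name attacker infrastructure, so they are reported separately.
"""
import ipaddress

NETWORK_ROWS = [
    # (country, destination, domain, proto) exactly as listed in the report
    ("US", "8.8.8.8:53", "149.220.183.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "88.210.23.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "228.249.119.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "56.163.245.4.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "241.42.69.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "66.209.201.84.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "240.221.184.93.in-addr.arpa", "udp"),
]


def ptr_to_ip(name):
    """Turn d.c.b.a.in-addr.arpa into IPv4Address(a.b.c.d); None if name is not a full PTR name."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ipaddress.AddressValueError:
        return None


def decode_rows(rows):
    """One record per row: the queried name, the address it encodes and its scope."""
    out = []
    for _country, dest, domain, proto in rows:
        ip = ptr_to_ip(domain)
        out.append({
            "resolver": dest,
            "proto": proto,
            "query": domain,
            "ip": str(ip) if ip is not None else None,
            "is_ptr": ip is not None,
            "public": ip is not None and ip.is_global,
        })
    return out


def forward_lookups(rows):
    """Names that are not reverse lookups: the entries that could name attacker infrastructure."""
    return [domain for _, _, domain, _ in rows if ptr_to_ip(domain) is None]


def looked_up_addresses(rows):
    """Sorted distinct IPv4 addresses the sandbox host reverse-resolved."""
    return sorted({r["ip"] for r in decode_rows(rows) if r["ip"]}, key=ipaddress.IPv4Address)


if __name__ == "__main__":
    for rec in decode_rows(NETWORK_ROWS):
        print(f"{rec['query']:<34} -> {rec['ip']}  public={rec['public']}")
    print("non-PTR names:", forward_lookups(NETWORK_ROWS) or "none")
```

For this report forward_lookups() returns an empty list: the sample produced no recorded connection or domain resolution of its own during the 119 s network window, and the decoded addresses are what the Windows guest reverse-resolved, which is the first thing to check against your own allow-lists before treating them as indicators.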

Files

C:\Windows\mbr.exe

MD5 e134054e9b86ca5fd7f6102874fa2b1b
SHA1 8c31adb4c04754463dfa72f9fda21c86584b68d6
SHA256 ac6b7a459ab2ae4b618ffb392746ef5ecafcc2d74ad0538698d598ddeb6229c4
SHA512 cfc63ef3c57a912b02d1bbdbcaae0dfc917e0ceb30e91868313769fb1be1722d68cd9afc84f399df149c01193a984c1a09d360aaa78d8b9d3fac780ae5b28845

memory/4008-4-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4008-7-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\666.bmp

MD5 95b1a43e40e5080a626372c916bc04aa
SHA1 b969b8cc0580abe72547e4b70e6f25f24494fa46
SHA256 432b44507d1665f903a65d3b04ef0e0c45ce9c03d1bf6b46d556e01c06138aa2
SHA512 93c91951fa4f5554d40871519903435ec50c415c8ae6e808c30f5ad09912d51659680ba500d2abba1de05bd646616cf57305f3f54f64a0dcd64a14348f5f23ea

memory/3904-14-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\nt.exe

MD5 462fcc409a04c19841d97845878a2103
SHA1 ea46e199131e6275cc9636d624c1edad25b16303
SHA256 985e9ffaed5dfcfd00b33e5c2af3cb7284475172f8b7bfbd4393a94a31fcb96b
SHA512 d222770d23c20865f9929284687967a6ad9cbc4b92de8d7ee053dc432e808ba7d9e50669184076407a4e0f6a4269a2bee3fad6cab3126c3744977d3e52fc3a0f

memory/4864-21-0x00000000006A0000-0x00000000006BA000-memory.dmp

memory/4864-18-0x00000000006A0000-0x00000000006BA000-memory.dmp

memory/4764-25-0x00000000003F0000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\project1.exe

MD5 f3346cec01e6868ec4f593e7169dec18
SHA1 6edc85958c45aa4d27bfa604b507fd032656dfd7
SHA256 a29451e1b94ab7a4a4de84be214d39d3c6ff3343dc5df041e627d1071b70201c
SHA512 a4bef1622a434c19329e9d8a26b93687bb5b5658d97d071817efed856c6156e997970dea29cac81b5d45c48d350b6546ca56c2290b919187cb9094e8632e366f

memory/1172-34-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1176-41-0x0000000000D50000-0x0000000000D6A000-memory.dmp

memory/1172-36-0x0000000000400000-0x000000000043F000-memory.dmp

memory/372-51-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3784-56-0x0000000000030000-0x000000000004A000-memory.dmp

memory/3684-66-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4588-71-0x0000000000DF0000-0x0000000000E0A000-memory.dmp

memory/4028-80-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1040-85-0x0000000000250000-0x000000000026A000-memory.dmp

memory/1040-87-0x0000000000250000-0x000000000026A000-memory.dmp

memory/4484-95-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2240-100-0x00000000004E0000-0x00000000004FA000-memory.dmp

memory/2240-102-0x00000000004E0000-0x00000000004FA000-memory.dmp

memory/2260-111-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3668-116-0x0000000000530000-0x000000000054A000-memory.dmp

memory/3668-118-0x0000000000530000-0x000000000054A000-memory.dmp
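
The memory dump entries in the Files section repeat two region shapes across many process IDs. The following is an added example, not part of the sandbox report: it groups those dumps by the address range they cover, assuming the file names follow memory/<pid>-<sequence>-<start>-<end>-memory.dmp (an assumption about this sandbox's naming read off the entries above). A region of one size at the same base in many PIDs is what a single unpacked image running in many processes looks like, consistent with the repeated project1.exe and mbr.exe launches in the process list; an identically sized region at a different base in every process is either an ASLR-relocated image or an allocated buffer, and the names alone cannot say which. The dump names are copied from the report.

```python
"""Group the memory-dump artifacts from a sandbox Files section by the region they cover.

Added example, not part of the sandbox report. Assumes the naming convention
memory/<pid>-<sequence>-<start>-<end>-memory.dmp, inferred from the entries on the page.
"""
import re
from collections import defaultdict

DUMP_NAMES = [
    "memory/4008-4-0x0000000000400000-0x000000000043F000-memory.dmp",
    "memory/4008-7-0x0000000000400000-0x000000000043F000-memory.dmp",
    "memory/3904-14-0x0000000000400000-0x000000000043F000-memory.dmp",
    "memory/4864-21-0x00000000006A0000-0x00000000006BA000-memory.dmp",
    "memory/4864-18-0x00000000006A0000-0x00000000006BA000-memory.dmp",
    "memory/4764-25-0x00000000003F0000-0x000000000040A000-memory.dmp",
    "memory/1172-34-0x0000000000400000-0x000000000043F000-memory.dmp",
    "memory/1176-41-0x0000000000D50000-0x0000000000D6A000-memory.dmp",
    "memory/1172-36-0x0000000000400000-0x000000000043F000-memory.dmp",
    "memory/372-51-0x0000000000400000-0x000000000043F000-memory.dmp",
    "memory/3784-56-0x0000000000030000-0x000000000004A000-memory.dmp",
    "memory/3684-66-0x0000000000400000-0x000000000043F000-memory.dmp",
    "memory/4588-71-0x0000000000DF0000-0x0000000000E0A000-memory.dmp",
    "memory/4028-80-0x0000000000400000-0x000000000043F000-memory.dmp",
    "memory/1040-85-0x0000000000250000-0x000000000026A000-memory.dmp",
    "memory/1040-87-0x0000000000250000-0x000000000026A000-memory.dmp",
    "memory/4484-95-0x0000000000400000-0x000000000043F000-memory.dmp",
    "memory/2240-100-0x00000000004E0000-0x00000000004FA000-memory.dmp",
    "memory/2240-102-0x00000000004E0000-0x00000000004FA000-memory.dmp",
    "memory/2260-111-0x0000000000400000-0x000000000043F000-memory.dmp",
    "memory/3668-116-0x0000000000530000-0x000000000054A000-memory.dmp",
    "memory/3668-118-0x0000000000530000-0x000000000054A000-memory.dmp",
]

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Default image base of a 32-bit PE executable linked without a custom base address.
DEFAULT_IMAGE_BASE = 0x400000


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number, start/end addresses and size."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        return None  # malformed range
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def group_by_region_size(names):
    """Map region size -> sorted distinct PIDs in which a region of that size was dumped."""
    groups = defaultdict(set)
    for name in names:
        d = parse_dump_name(name)
        if d:
            groups[d["size"]].add(d["pid"])
    return {size: sorted(pids) for size, pids in groups.items()}


def region_bases(names, size):
    """Distinct base addresses of dumped regions of the given size."""
    return sorted({d["start"] for d in map(parse_dump_name, names) if d and d["size"] == size})


def pids_at_default_image_base(names):
    """PIDs holding a dumped region at 0x400000, i.e. an image mapped at the default base."""
    return sorted({d["pid"] for d in map(parse_dump_name, names) if d and d["start"] == DEFAULT_IMAGE_BASE})


if __name__ == "__main__":
    for size, pids in sorted(group_by_region_size(DUMP_NAMES).items()):
        bases = ", ".join(f"0x{b:X}" for b in region_bases(DUMP_NAMES, size))
        print(f"size 0x{size:X} ({size} bytes) in {len(pids)} PIDs {pids}; bases: {bases}")
```

For this report the output is two groups of eight PIDs each: a 0x3F000-byte region always at 0x400000, and a 0x1A000-byte region at a different base in every process. Comparing the dumps within a group (same size, same entry point, same strings) is the quickest way to confirm you are looking at one payload many times rather than several distinct stages, and it tells you which single dump to unpack and analyse.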