floxif | a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bc

Analysis

max time kernel
12s
max time network
13s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 11:30

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe
Size

4.3MB
MD5

88803d738899f52422d43240053ba7e0
SHA1

fc02fc3bffd0712ad724e92ee8d9afe6f3efafc4
SHA256

a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bc
SHA512

4580e57143df815867f3c4c8fb8ce9365e87513e3409b760710a5375c410c9d93f6e97a7baf6767c84eb3e4e564e84d906bae375e75c228b63cd8014d83a16f0
SSDEEP

98304:sygXkXYxIaRtFHHvSSSL+eHhXXinaWsEHGmStJyJR6Kg2BflXHxro:YOnaTFv/eHKaWsEHXSyJR3g2BpHxro

Score

10^/10

floxif adware backdoor defense_evasion discovery exploit persistence privilege_escalation stealer trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000c00000001226a-177.dat	floxif

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Version = "10.0.42.34"	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Locale = "EN"	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ = "Adobe Flash Player"	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ComponentID = "Flash"	flash.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\IsInstalled = 01000000	flash.exe

Possible privilege escalation attempt 30 IoCs

exploit

pid	Process
1516	icacls.exe
2264	icacls.exe
1740	takeown.exe
3068	icacls.exe
2564	icacls.exe
1960	takeown.exe
1088	takeown.exe
2624	takeown.exe
2064	takeown.exe
2468	icacls.exe
2712	takeown.exe
3008	icacls.exe
2648	takeown.exe
2864	takeown.exe
888	icacls.exe
3024	takeown.exe
2824	takeown.exe
2140	takeown.exe
1416	takeown.exe
2932	takeown.exe
2160	takeown.exe
1772	takeown.exe
2720	icacls.exe
1636	icacls.exe
2816	takeown.exe
3020	takeown.exe
2508	takeown.exe
2724	takeown.exe
2980	takeown.exe
1764	takeown.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000c00000001226a-177.dat	acprotect

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 6 IoCs

pid	Process
1696	wrar391.exe
2512	uninstall.exe
1640	flash.exe
2652	GD.exe
2444	GD.exe
2472	GD.exe

Loads dropped DLL 23 IoCs

pid	Process
2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe
1372	cmd.exe
2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe
1696	wrar391.exe
2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe
1372	cmd.exe
2512	uninstall.exe
2512	uninstall.exe
1640	flash.exe
1640	flash.exe
1640	flash.exe
1640	flash.exe
1640	flash.exe
1640	flash.exe
1640	flash.exe
1640	flash.exe
1640	flash.exe
1372	cmd.exe
1372	cmd.exe
1372	cmd.exe
1372	cmd.exe
1372	cmd.exe
1372	cmd.exe

Modifies file permissions 1 TTPs 30 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3008	icacls.exe
1764	takeown.exe
2648	takeown.exe
2508	takeown.exe
2712	takeown.exe
1088	takeown.exe
1416	takeown.exe
2564	icacls.exe
2064	takeown.exe
1772	takeown.exe
3068	icacls.exe
1636	icacls.exe
1516	icacls.exe
2140	takeown.exe
2720	icacls.exe
2624	takeown.exe
2980	takeown.exe
888	icacls.exe
2160	takeown.exe
3020	takeown.exe
3024	takeown.exe
2824	takeown.exe
1740	takeown.exe
2468	icacls.exe
2724	takeown.exe
2816	takeown.exe
1960	takeown.exe
2864	takeown.exe
2264	icacls.exe
2932	takeown.exe

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\001\1 = "REGEDIT /S C:\\Windows\\register.reg"	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1AA53EE6-3170-4D34-A020-B6443A53A257}	regsvr32.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ko-KR\Display.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\install.log	flash.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10d.exe	flash.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10d.exe	flash.exe
File created	C:\Windows\SysWOW64\user32.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\winver.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\user32.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\Flash10d.ocx	flash.exe
File created	C:\Windows\SysWOW64\slmgr.vbs	cmd.exe
File created	C:\Windows\SysWOW64\systemcpl.dll	cmd.exe
File created	C:\Windows\SysWOW64\sppcomapi.dll	cmd.exe
File created	C:\Windows\SysWOW64\ko-KR\shell32.dll.mui	cmd.exe
File created	C:\Windows\SysWOW64\ko-KR\themecpl.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ko-KR\themecpl.dll.mui	cmd.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\Flash10d.ocx	flash.exe
File opened for modification	C:\Windows\SysWOW64\slmgr.vbs	cmd.exe
File opened for modification	C:\Windows\SysWOW64\sppcomapi.dll	cmd.exe
File created	C:\Windows\SysWOW64\winver.exe	cmd.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\uninstall_activeX.exe	flash.exe
File opened for modification	C:\Windows\SysWOW64\systemcpl.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ko-KR\shell32.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ko-KR\Display.dll.mui	cmd.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c00000001226a-177.dat	upx
behavioral1/memory/2208-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2208-0-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2208-380-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2208-435-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2208-473-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2208-474-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WinRAR\Formats\z.fmt	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Default_en-US.SFX	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\rarnew.dat	uninstall.exe
File opened for modification	C:\Program Files (x86)\WinRAR\WinRAR.chm	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Formats\7z.fmt	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Formats\tar.fmt	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\WinCon_en-US.SFX	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Zip.SFX	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\ReadMe.txt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Formats\gz.fmt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Formats\cab.fmt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Formats\uue.fmt	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\rarreg.key	uninstall.exe
File created	C:\Program Files (x86)\WinRAR\__tmp_rar_sfx_access_check_259480441	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Order.htm	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\WhatsNew.txt	wrar391.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Formats\z.fmt	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Default.SFX	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\TechNote.txt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\UnrarSrc.txt	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Uninstall.exe	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\RarExt.dll	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Formats\ace.fmt	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Formats\iso.fmt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Formats\iso.fmt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Rar.txt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\WhatsNew.txt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Formats\UNACEV2.DLL	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Formats\ace.fmt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Order.htm	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Formats\7zxa.dll	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\RarExt64.dll	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\WinCon.SFX	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\WinCon.SFX	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Zip.SFX	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Zip_en-US.SFX	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Descript.ion	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\RarFiles.lst	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Uninstall.lst	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Formats\7zxa.dll	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Formats	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Formats\lzh.fmt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Formats\tar.fmt	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Rar.txt	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\ReadMe.txt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\RarExt.dll	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Formats\7z.fmt	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Formats\bz2.fmt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Formats\bz2.fmt	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\zipnew.dat	uninstall.exe
File created	C:\Program Files (x86)\WinRAR\File_Id.diz	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Uninstall.exe	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\UnRAR.exe	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Formats\gz.fmt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Default.SFX	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\RAR.exe	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\RarExtLoader.exe	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\RarFiles.lst	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\RarExtLoader.exe	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Descript.ion	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\License.txt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\WinRAR.exe	wrar391.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	C:\Windows\IEMaximizer.dll	cmd.exe
File created	C:\Windows\N7\GD.exe	cmd.exe
File opened for modification	C:\Windows\N7\GD.exe	cmd.exe
File opened for modification	C:\Windows\N7\BD.cmd	cmd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_c9a77b62978c68da\Display.dll.mui	cmd.exe
File opened for modification	C:\Windows\rescache\ResCache.mni	mcbuilder.exe
File created	C:\Windows\rescache\wip\Segment1.cmf	mcbuilder.exe
File created	C:\Windows\rescache\wip\ResCache.dir	mcbuilder.exe
File created	C:\Windows\N7\TD.cmd	cmd.exe
File opened for modification	C:\Windows\N7\TD.cmd	cmd.exe
File created	C:\Windows\N7\AD.cmd	cmd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_60d6493e5ec01332\themecpl.dll.mui	cmd.exe
File created	C:\Windows\N7\BD.cmd	cmd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_2bba41a8e9e5ffdb\shell32.dll.mui	cmd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_87d8dd2ca2437111\shell32.dll.mui	cmd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_bcf4e4c2171d8468\themecpl.dll.mui	cmd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_6d88dfdedf2ef7a4\Display.dll.mui	cmd.exe
File created	C:\Windows\rescache\wip\Segment0.cmf	mcbuilder.exe
File created	C:\Windows\rescache\wip\Segment0.toc	mcbuilder.exe
File created	C:\Windows\rescache\wip\Segment1.toc	mcbuilder.exe
File created	C:\Windows\REGISTER.reg	cmd.exe
File opened for modification	C:\Windows\REGISTER.reg	cmd.exe
File opened for modification	C:\Windows\IEMaximizer.dll	cmd.exe
File opened for modification	C:\Windows\N7\AD.cmd	cmd.exe
File created	C:\Windows\rescache\wip\ResCache.hit	mcbuilder.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
768	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mcbuilder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x000500000001a4c1-274.dat	nsis_installer_1

Modifies File Icons 1 IoCs

ransomware

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}	flash.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0"	flash.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}	flash.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3"	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\SysWow64\\Macromed\\Flash"	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil10d.exe"	flash.exe

Modifies Shortcut Icons 1 IoCs

Modifies/removes arrow indicator from shortcut icons.

ransomware

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Shell Icons\29 = "C:\\Windows\\System32\\imageres.dll,196"	reg.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	regedit.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1AA53EE6-3170-4D34-A020-B6443A53A257}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC12326E-E897-4E2E-A51C-25F07F8A57BE}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r24\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r03	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r20\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}"	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r19\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0"	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEMaximizer.IEMaximizerObj.1\CLSID\ = "{1AA53EE6-3170-4D34-A020-B6443A53A257}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BDA9221C-1B37-4562-B26A-3DED14C8FDDA}\TypeLib\ = "{DC12326E-E897-4E2E-A51C-25F07F8A57BE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r23\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\ = "Macromedia Flash Factory Object"	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC12326E-E897-4E2E-A51C-25F07F8A57BE}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\Macromed\\Flash"	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\ = "Shockwave Flash Object"	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl\ = "ShockwaveFlash.ShockwaveFlash"	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r10\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\ = "Shockwave Flash Object"	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1AA53EE6-3170-4D34-A020-B6443A53A257}\TypeLib\ = "{DC12326E-E897-4E2E-A51C-25F07F8A57BE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC12326E-E897-4E2E-A51C-25F07F8A57BE}\1.0\0\win32\ = "C:\\Windows\\IEMaximizer.dll"	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r24	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\ = "FlashBroker"	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r28\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib\ = "{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEMaximizer.IEMaximizerObj.1\ = "IEMaximizerObj Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC12326E-E897-4E2E-A51C-25F07F8A57BE}\1.0\ = "IEMaximizer 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command	uninstall.exe

Modifies registry key 1 TTPs 33 IoCs

Modify Registry

T1112

pid	Process
1804	reg.exe
2756	reg.exe
1916	reg.exe
264	reg.exe
2196	reg.exe
3040	reg.exe
2964	reg.exe
2360	reg.exe
568	reg.exe
1608	reg.exe
1300	reg.exe
2172	reg.exe
2324	reg.exe
2140	reg.exe
1772	reg.exe
2336	reg.exe
1340	reg.exe
2864	reg.exe
3016	reg.exe
2944	reg.exe
568	reg.exe
1904	reg.exe
1280	reg.exe
1900	reg.exe
2040	reg.exe
1816	reg.exe
2908	reg.exe
2116	reg.exe
1160	reg.exe
2880	reg.exe
2528	reg.exe
2392	reg.exe
3060	reg.exe

Runs .reg file with regedit 2 IoCs

pid	Process
1640	regedit.exe
1732	regedit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2792	schtasks.exe
2836	schtasks.exe
2672	schtasks.exe
2744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe
Token: SeTakeOwnershipPrivilege	2724	takeown.exe
Token: SeTakeOwnershipPrivilege	2816	takeown.exe
Token: SeTakeOwnershipPrivilege	2624	takeown.exe
Token: SeTakeOwnershipPrivilege	3020	takeown.exe
Token: SeTakeOwnershipPrivilege	1416	takeown.exe
Token: SeTakeOwnershipPrivilege	2932	takeown.exe
Token: SeTakeOwnershipPrivilege	3024	takeown.exe
Token: SeTakeOwnershipPrivilege	2160	takeown.exe
Token: SeTakeOwnershipPrivilege	2064	takeown.exe
Token: SeTakeOwnershipPrivilege	1960	takeown.exe
Token: SeTakeOwnershipPrivilege	2824	takeown.exe
Token: SeTakeOwnershipPrivilege	2980	takeown.exe
Token: SeTakeOwnershipPrivilege	1764	takeown.exe
Token: SeTakeOwnershipPrivilege	1772	takeown.exe
Token: SeTakeOwnershipPrivilege	2140	takeown.exe
Token: SeTakeOwnershipPrivilege	2648	takeown.exe
Token: SeTakeOwnershipPrivilege	2864	takeown.exe
Token: SeSecurityPrivilege	2332	mcbuilder.exe
Token: SeRestorePrivilege	2332	mcbuilder.exe
Token: SeTakeOwnershipPrivilege	2332	mcbuilder.exe
Token: SeShutdownPrivilege	2144	shutdown.exe
Token: SeRemoteShutdownPrivilege	2144	shutdown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 1372	2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe	30
PID 2208 wrote to memory of 1372	2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe	30
PID 2208 wrote to memory of 1372	2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe	30
PID 2208 wrote to memory of 1372	2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe	30
PID 2208 wrote to memory of 1372	2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe	30
PID 2208 wrote to memory of 1372	2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe	30
PID 2208 wrote to memory of 1372	2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe	30
PID 1372 wrote to memory of 568	1372	cmd.exe	32
PID 1372 wrote to memory of 568	1372	cmd.exe	32
PID 1372 wrote to memory of 568	1372	cmd.exe	32
PID 1372 wrote to memory of 568	1372	cmd.exe	32
PID 1372 wrote to memory of 1696	1372	cmd.exe	33
PID 1372 wrote to memory of 1696	1372	cmd.exe	33
PID 1372 wrote to memory of 1696	1372	cmd.exe	33
PID 1372 wrote to memory of 1696	1372	cmd.exe	33
PID 1372 wrote to memory of 1696	1372	cmd.exe	33
PID 1372 wrote to memory of 1696	1372	cmd.exe	33
PID 1372 wrote to memory of 1696	1372	cmd.exe	33
PID 1696 wrote to memory of 2512	1696	wrar391.exe	34
PID 1696 wrote to memory of 2512	1696	wrar391.exe	34
PID 1696 wrote to memory of 2512	1696	wrar391.exe	34
PID 1696 wrote to memory of 2512	1696	wrar391.exe	34
PID 1696 wrote to memory of 2512	1696	wrar391.exe	34
PID 1696 wrote to memory of 2512	1696	wrar391.exe	34
PID 1696 wrote to memory of 2512	1696	wrar391.exe	34
PID 2208 wrote to memory of 1724	2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe	35
PID 2208 wrote to memory of 1724	2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe	35
PID 2208 wrote to memory of 1724	2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe	35
PID 2208 wrote to memory of 1724	2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe	35
PID 2208 wrote to memory of 996	2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe	36
PID 2208 wrote to memory of 996	2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe	36
PID 2208 wrote to memory of 996	2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe	36
PID 2208 wrote to memory of 996	2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe	36
PID 1372 wrote to memory of 1640	1372	cmd.exe	39
PID 1372 wrote to memory of 1640	1372	cmd.exe	39
PID 1372 wrote to memory of 1640	1372	cmd.exe	39
PID 1372 wrote to memory of 1640	1372	cmd.exe	39
PID 1372 wrote to memory of 1640	1372	cmd.exe	39
PID 1372 wrote to memory of 1640	1372	cmd.exe	39
PID 1372 wrote to memory of 1640	1372	cmd.exe	39
PID 2208 wrote to memory of 2428	2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe	40
PID 2208 wrote to memory of 2428	2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe	40
PID 2208 wrote to memory of 2428	2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe	40
PID 2208 wrote to memory of 2428	2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe	40
PID 2208 wrote to memory of 1500	2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe	41
PID 2208 wrote to memory of 1500	2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe	41
PID 2208 wrote to memory of 1500	2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe	41
PID 2208 wrote to memory of 1500	2208	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe	41
PID 1372 wrote to memory of 2816	1372	cmd.exe	44
PID 1372 wrote to memory of 2816	1372	cmd.exe	44
PID 1372 wrote to memory of 2816	1372	cmd.exe	44
PID 1372 wrote to memory of 2816	1372	cmd.exe	44
PID 1372 wrote to memory of 2816	1372	cmd.exe	44
PID 1372 wrote to memory of 2816	1372	cmd.exe	44
PID 1372 wrote to memory of 2816	1372	cmd.exe	44
PID 1372 wrote to memory of 2556	1372	cmd.exe	45
PID 1372 wrote to memory of 2556	1372	cmd.exe	45
PID 1372 wrote to memory of 2556	1372	cmd.exe	45
PID 1372 wrote to memory of 2556	1372	cmd.exe	45
PID 1372 wrote to memory of 2564	1372	cmd.exe	46
PID 1372 wrote to memory of 2564	1372	cmd.exe	46
PID 1372 wrote to memory of 2564	1372	cmd.exe	46
PID 1372 wrote to memory of 2564	1372	cmd.exe	46
PID 1372 wrote to memory of 2596	1372	cmd.exe	47

C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe
"C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Install.bat" "
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\001 /V 1 /D "REGEDIT /S C:\Windows\register.reg" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:568
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe
    C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe /s
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Program Files (x86)\WinRAR\uninstall.exe
      "C:\Program Files (x86)\WinRAR\uninstall.exe" /setup
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system executable filetype association
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2512
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe
    C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe /s
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1640
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 IEMaximizer.dll /s
    3⤵
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2816
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 29 /d C:\Windows\System32\imageres.dll,196 /f
    3⤵
    - Modifies File Icons
    - Modifies Shortcut Icons
    PID:2556
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2564
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I "Starter"
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2620
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I "HomeBasic"
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I "HomePremium"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2264
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I "Professional"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2016
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I "Ultimate"
    3⤵
    PID:1148
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:1804
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I ACRSYS
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1916
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I DSGLTD
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2528
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I ALWARE
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2944
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I BENQ
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2340
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:2116
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I DELL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1788
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3060
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I ASUS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1692
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2908
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I FOUNDR
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2192
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:2756
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I FSC
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2824
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2880
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I FUJ
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2980
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:3016
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I HPQ
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1772
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I LENOVO
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1656
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:2140
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I MEDION
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:1900
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I MSI
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2864
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I NOKIA
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2324
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I SECCSD
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:1160
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I Sony
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3012
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:2172
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I TOSASU
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2180
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:2392
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I TOSCPL
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:264
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I TOSINV
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2028
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:568
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I TOSQCI
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1816
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I AVERATEC
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3052
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:2360
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I JOOYON
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2376
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1280
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I LG
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2080
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:3040
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I NEC
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2964
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I SHARP
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1776
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1904
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I TCL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1216
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2040
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I HASEE
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1340
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I GBT
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2916
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:2196
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I haier
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1300
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I QUANMX
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1604
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:1608
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I THTFPC
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1648
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:2336
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I TRIGEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:988
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2
    3⤵
    PID:2176
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe
    data\N7\Tasks\GD.exe /y
    3⤵
    - Executes dropped EXE
    PID:2652
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe
    data\N7\Tasks\GD.exe /m
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2444
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe
    data\N7\Tasks\GD.exe /d
    3⤵
    - Executes dropped EXE
    PID:2472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\N7\AD.cmd
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2508
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\N7\AD.cmd /deny everyone:f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\N7\BD.cmd
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1740
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\N7\BD.cmd /deny everyone:f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3068
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\N7\GD.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1088
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\N7\GD.exe /deny everyone:f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2468
- - C:\Windows\SysWOW64\sc.exe
    sc config sppsvc start= demand
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:768
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask" /f
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask1" /xml data\N7\Tasks\SvcRestartTask1.xml /ru System /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2792
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask2" /xml data\N7\Tasks\SvcRestartTask2.xml /ru System /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2836
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask3" /xml data\N7\Tasks\SvcRestartTask3.xml /ru System /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2672
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask4" /xml data\N7\Tasks\SvcRestartTask4.xml /ru System /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2744
- - C:\Windows\SysWOW64\netsh.exe
    C:\Windows\System32\netsh.exe interface tcp set global autotuninglevel=highlyrestricted
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2572
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s data\Option\Prefetch1.reg
    3⤵
    - Runs .reg file with regedit
    PID:1640
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\Temp /r /d y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2712
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\Temp /t /grant everyone:f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2720
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\System32\slmgr.vbs
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\System32\slmgr.vbs /grant everyone:f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:1636
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\System32\systemcpl.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\System32\systemcpl.dll /grant everyone:f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\System32\sppcomapi.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\System32\sppcomapi.dll /grant everyone:f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1516
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\System32\winver.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\System32\winver.exe /grant everyone:f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2264
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\System32\user32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1416
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\System32\user32.dll /grant everyone:f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3008
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\ko-kr\shell32.dll.mui"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\SysWOW64\ko-kr\shell32.dll.mui"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\ko-kr\themecpl.dll.mui"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2160
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\SysWOW64\ko-kr\themecpl.dll.mui"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2064
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\ko-kr\Display.dll.mui"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\SysWOW64\ko-kr\Display.dll.mui"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2824
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\winsxs\x86_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_2bba41a8e9e5ffdb"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2980
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\winsxs\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_87d8dd2ca2437111"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1764
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\winsxs\x86_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_60d6493e5ec01332"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\winsxs\amd64_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_bcf4e4c2171d8468"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2140
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\winsxs\x86_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_6d88dfdedf2ef7a4"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2648
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\winsxs\amd64_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_c9a77b62978c68da"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2864
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s data\Shortcut\MuiCache.reg
    3⤵
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Runs .reg file with regedit
    PID:1732
- - C:\Windows\SysWOW64\mcbuilder.exe
    C:\Windows\System32\mcbuilder.exe
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" del C:\Windows\Prefetch\*.* 1>nul"
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\shutdown.exe
    SHUTDOWN -R -F -T 00
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c rd /S /Q "C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c del /F /Q "C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:996
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c rd /S /Q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe.tmp"
  2⤵
  PID:2428
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c del /F /Q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1500

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2988

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WinRAR\Rar.txt

Filesize
70KB

MD5
e8ec8d1e5f0e78752a8b82822bb75f76

SHA1
eae3513a3e56e8b99761a0cd44c1f9828e2da293

SHA256
7c1fe0d8f6c802da18aa0f37902c1559a29c5073246e28258eb89f7983aaa643

SHA512
d7b84eb535762ca6b422e2cab59fcc3c02cd07b03ff432f68212aa5c8eac879567ffcb21ed3aacd655d58d18307f9f343df4013a9fbeb5d168184ddd69089ee8

Download Submit
C:\Program Files (x86)\WinRAR\Uninstall.exe

Filesize
117KB

MD5
49799aa663bf45a3c37dd739a5116d81

SHA1
ac088d8134ccbd9d1df3794c16f9778a3d588c56

SHA256
369e163608ecc4edec6a476ae5935b16230210de2f637b1eff03565214277632

SHA512
c525396822b23d4a11866239cdce33aa1c8e5d373f0ccb36a2196e5dcd9a9e5b287caa8aeb542e079b397018a45973c01ab3326a5228d2f607bdbffbd1446cd6

Download Submit
C:\Program Files (x86)\WinRAR\WinRAR.chm

Filesize
309KB

MD5
66a2ed9fa095a68fdbed52151d096bbf

SHA1
49d8a6375078deb929070643dd205b276a77d82c

SHA256
bd58f7952f7e92ef7ae0367f1ec0090473ab4587e27e83d4856c650325bb71da

SHA512
3dc4c603ba044c7fcaa5d4187ffa10952771f5694ca114c69057f99d3fdc56b79647d833285083419842822e64329115a26066866fdd814268d6392689c07c63

Download Submit
C:\Program Files (x86)\WinRAR\WinRAR.exe

Filesize
999KB

MD5
31ae4919723e41ae26a0ca390489c508

SHA1
c36b00ad8bc7486a95935c4fb1bb45a70b4e4f92

SHA256
68937e03154d4957e7280ad29951047509ddbd0a00210570478270a84cc12096

SHA512
bd0c5e32159929ba1b0f966fed8a9d96ffed8ad080c359e65c39705025328627682f3d6ba507a5d1b96f9d5ad72ebdd6e68fd0a021cc39d31f9ac6918ab78a96

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\AVERATEC .XRM-MS

Filesize
2KB

MD5
172c78e78366f8dcbe4c4a5546bad60b

SHA1
67022b142bd1a0248206d1d10da3d51f88b4e1ef

SHA256
4a99e456460a326f2659706f031efe268d0dfabfb40f77d84dde6a5ba0e6e664

SHA512
4dc34aad5783835ac64328b9b351af8f1dfa6372ea5403582d62bc48398e5d56a169aef4fcce24e28ec04c64fbee1352ff433645f0e8faae438dd392e15fa6a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Install.bat

Filesize
18KB

MD5
9c671c46f977dd5967c95d110c022c6e

SHA1
42bafcbe214731c82e5199a7a6b918204ae8874e

SHA256
7088a6d70b9b90638ff569cafcab4f15466f4157e48f59301e266c39fb7981d0

SHA512
14080eccef9103323722d7abe4ad2e17920313ca3763be7238bf20cb76b0f55de64638b71dcff9a971b5b5bdbc0f4392bf214f6e1937c857157ea6cb3be33373

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\REGISTER.reg

Filesize
9KB

MD5
63020cbe973fa1ad07d932f7b1ffe54b

SHA1
43e7cef771362ba633c0f8ef569b42dacb3c8f62

SHA256
ba66da2025be4dfab3ffd08c4b4b2f5bc0511e9d784a993f4e6b9854a98cce3e

SHA512
ee3c135d7e527f9b877e22fbcae20f667511600a1ffd1b11e40ffac032291ee3180480f407f2232689ceebc5d481759a7fe1804e88a6abdc4b1707775eda9dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\AD.cmd

Filesize
958B

MD5
54d60650b4eb2f3ef4e751b08ef7c625

SHA1
9a612c4387eb5ab685f216826ba7d678817291ca

SHA256
6b1b29b19c4b1fde2503aa71f52c46643ad6267d835bbeef4fa2b4178ef50da2

SHA512
e29c6a939eedbaee591f37b65e4658210eab081b752394deb20856e0f9913f5f437ce479a81ee27aea824c06cfec5b4984bc42d25988d2349ada54ae646129f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\BD_Tail.cmd

Filesize
261B

MD5
64f19535d32b3df27bd0e4c8988eb90c

SHA1
79671f917cd93f5d44d5d63458474c433e279648

SHA256
bbe6e8ed9a625ed8364374b92dff3c1dd032177ce797857f851aa081ef1e89ee

SHA512
041d52db4602d446bcc92ce1380ae76e40e2108fac8fe031a46f4eb6cc654af5bdb4e1d5c48fa74bf83bd58b317e316080d91d2782dc412f1c636785163b761c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe

Filesize
188KB

MD5
849c3feba650d42a5a7ac46062d59c54

SHA1
a4396db103cd5841915a37a52cc827e90c4c368f

SHA256
623adc6fa585a467cfe67ca27629bf1ae2a9056103f3edcc71ca07fd223b8512

SHA512
a1b6ecfa25d31389dee930fea400ccb7085fbcb52f193d7a8fb768be7ccafe73747a7980caf56de2e1e762f4ef7660fb4659e74dd7288135e77cefa330edaa67

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\SvcRestartTask1.xml

Filesize
3KB

MD5
4999ae501e729ed8c34a0f6984b8b83a

SHA1
336f033bce30edcff75a696252ffcc19f368ba5f

SHA256
476ca80be8e0921303fabfa69c941c1c3019754f70eb5f2ab0820af6f4e5d4a3

SHA512
e2060469be064242539c55b6c7dbec22cbdce6d1feaad56ffec3d56b7045fab60df683c06afd54a73c45a5ebe9e1e8b5d1f8e73b897945da941ab3cf08eb8112

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\SvcRestartTask2.xml

Filesize
3KB

MD5
01027180a6a26c5a2e3bf551f1dc7c44

SHA1
9b01c13025713a3fb00467e3d0176c742240c4f0

SHA256
b2ffd969413c208f1a69812055182506c887c7769794ca686ce68e66a2e87bf6

SHA512
bba113a44768731ad6e6a64839c07d026e03be14359749850bdd9549b9714f0336d6c27bab0d725913f1cbfdfbec694269d224807066ae68a50e1aa66c522f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\SvcRestartTask3.xml

Filesize
3KB

MD5
a293dbb2f8d2b1cf104cc5069bdc72e0

SHA1
42ef5370901fbac970633f44d11312670a2b4781

SHA256
a0ee763e8ca1a446d13a34cc14348c897b90053903fcf4bc415c6c20ecf3ef99

SHA512
9331f66eccbefc19b66bd983bf26c830901a9bb5ca33fbeeb821fc36c1722484cf9301e0d732133738b134461c537bd4a350fbf2d4be5ea07bb668cff389b4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\SvcRestartTask4.xml

Filesize
3KB

MD5
a34211b7e172d80ac6db1d1ab87fbb6d

SHA1
a7979e0a0d2122430081c4a06d73526095b54580

SHA256
bdd78e2045f43717423b66a338b0a5815359c13eedca5a6a70b79c3440682689

SHA512
d0285a77f7dc2042f49da61ba0d3d336024375d43b0b64bdc3e94ce47ba96b9b415ddcd90da43fd99381a0f3082f6f418e47163b1d683dd062e006eb82c263b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\TD.cmd

Filesize
395B

MD5
bdad2ade38f1dc5981087777b338e327

SHA1
0699e002c935d9b46df7a35bc8f0ec8b031e1027

SHA256
892d46ea5fd5547fa057fbbc09ef7ea8eca66d513cb80652310d9524b95dfc3f

SHA512
98c5a1c0f1aa9f5255034a8d34e45a6a913e53f704dc185c7032933b8f9af0eec7bca87b5b806103bc84b62aaebc15f92efccc1c44bcc93a5eb2d3ccc9018d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\x64\slmgr.vbs

Filesize
107KB

MD5
574e64a8373ee84bef032e205725527e

SHA1
4e3f5b2f3330f3735cd019f764ef856f5208ac13

SHA256
f188be045a388b2c028592cd61399d6d082099c35c05b620e396faa5a20ff04a

SHA512
dad8d2a1e6ba7d9c0bb447dba365b3d41c09925b1bb5566dd9ac7ab9fcfea4c4e906ef0d01c7666e2b8f85249281d3cb08b34f518b799670d2203eeb08a1b857

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\x64\sppcomapi.dll

Filesize
1024B

MD5
69d9d1785ec1f5032538f2696210e2e2

SHA1
7dacc1c0fb5ca9e92fc1fcd90a23d74b75042c00

SHA256
444d4dfb574dcc145067b19763befd65d0e6ad9a7bb1423c92ef4ff4f6638145

SHA512
82839d76bc10dbc8849fc3879b3c776e218ed4d8496a40226116aa64798bdac41173a2dada4cc4478776c82af69cc5de541cd71fdc03eeb0301768dec0ef9e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\x64\systemcpl.dll

Filesize
410KB

MD5
911eb55f9f74a6383983e0a6a8a2772d

SHA1
5f40c2e1ff4e6a544ed160b355b6673925d66741

SHA256
3ab580c2f8d5588ced041a96b686c88987f8217283066e408d5092f0eac7c079

SHA512
0cec6c11552936c9af72b9eb8ac7d12abfde1caea99471e421375926705a4427df4727b0645663c6a267d2957ad741e29c5f74950bfa6adeaf1754eb061b390a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\x64\user32.dll

Filesize
985KB

MD5
e573bd9ab55c8e333c202b9e255f972e

SHA1
460bde795885134b48465dc73797db695af33e1f

SHA256
79bec0da770265d1a525330b2e732e055edde617bcc2848c2742492f9dbc881e

SHA512
bcae097591cbc66e20771ef69e6544e5f951e0821b8d2a4779e524c542e5ad1d75ff683a15a76f5577e1e1389f4058cd36da7d0c785c504b2305cc144dc7b4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\x64\winver.EXE

Filesize
12KB

MD5
7941f0c4bd4004269b268e66752dac9b

SHA1
6accf1d9b5981eb12a22c530c3d37be9ca54c415

SHA256
06c59055bd2d5bc2fc1950abb377b0aa33f74d8faab3ee074d54a2f8a93e38d2

SHA512
c8a720341ffeb39939d18c7d9f1c298554db5768d34bb24bfdf6f9f66ddbfb1884b7b20c30229cacc674856acf032081d55be4738bd7be7e1acbd781b25272a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Option\Prefetch1.reg

Filesize
582B

MD5
f2e7e95075c04b3bec89118952aeacf9

SHA1
669fcdbe70dced5524c91b631d7241b9ec0e1d8d

SHA256
a568d9604a56f35a3726636cd33c69ad48f607f55744565ba613addc432f1165

SHA512
a3121c0ea0afdae0a231df264745f90ae7660107ff24145e87d722a61b8497bdffc45cb9e2f13e4b5c0e96f577ac08b105a57015b14f8cc8575343d341776b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\SysWOW64\ko-KR\Display.dll.mui

Filesize
10KB

MD5
7e74f142b1aaca35c3c6cf28b6a40b86

SHA1
5fb838b42fd9268f95769a301ea214519f144768

SHA256
3bb9a3802f2a5aae367d46d39d478f0cd15fd7b1208acbbb7fca5426fdc6aba8

SHA512
c5f3b19330d8f61a721fe1f94d39477a3ed45406ce9cef92dd599dd860381081ed211fd37b13457c5a8b4ca6db466f22e91a1e72a67f3444804a076a67084019

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\SysWOW64\ko-KR\shell32.dll.mui

Filesize
288KB

MD5
6bbc2ca29605dc83bd8f86eee2a98539

SHA1
1e0c4b316426be15c289c1a9e486e9b3e3095f0e

SHA256
e037bafa4dcca2f458b91bbbb1b6eae0604c0ab89d2622dabcf06c8c2328887f

SHA512
9fc7139eef0a35f3c754251871b512d2fdf5f063ded8171f7a27fef0b465d0396437c04506c210adc3d82b2a1b8604e766220957aa5a09792c25e96ef352a6d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\System32\ko-KR\Display.dll.mui

Filesize
10KB

MD5
827d5f1094f6fb7ac4252dbeb193e9e9

SHA1
10e3b1eb59cdda5aa79f5d78dfc5269d1c8c15c3

SHA256
a6fd479ff612d294eb72597f434aed310ae06a6226de49368af077fe843a0bff

SHA512
717ca7697c66c94d1874fae1202db37a2269a63df0235705def1e05289a2f56c400d0f55ae68333aa3386e2625857f844d38cf9eadea09850da36287cb5d18a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\System32\ko-KR\shell32.dll.mui

Filesize
288KB

MD5
1ffdf30fd8c8a747fd9add1497530072

SHA1
63954a4f3703a07e126a4dc345ac6ea1ac090d77

SHA256
7dc85b3a6324c3b5ad8b5b6be9ffb87b7cf15c6f0b0ff2376a8fa1242e791208

SHA512
99729dc858d885c258af44ad3492456644eb84ce0a772137ce1a9d4ca0e5765eb1d5d49351c943e4e21456f9a5775404effdc5649a8cc53e4c972d5b05be0961

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\winsxs\amd64_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_bcf4e4c2171d8468\themecpl.dll.mui

Filesize
9KB

MD5
c6e7e1674fd77fe944dc40ccf5fb8ab3

SHA1
70dfa87edeb19f11a4f8c423a32749c43df580b1

SHA256
9bd7b658137b2320eb25af1fdfd3f439fb57a5893f6d8429bd785ee468e66e78

SHA512
fd2ce2b54e1fa446461eda5f1c4c93e8de0fe2ea0b76d3f29afaf1fa8d01796ac3e865b5ee526d17b31a42bcab67e5a3b7abd2a1edcaba89e05f9d6f282e7d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\winsxs\x86_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_60d6493e5ec01332\themecpl.dll.mui

Filesize
9KB

MD5
f7f931c5ac61c58a794b1cc7b064e095

SHA1
84adfebd384a8c0821188d0c724469835fe7f574

SHA256
a94c0c8aeef54296a3662a744be2ab6f8c078a216c044aed047ac2555f1f71f5

SHA512
819099165a84162bc9f91d5ef9da9c029c0606d4e43e4e29068af021960eb41ff3700358fc29760333c2879cb41a6a95ccb170d6a8638c2449917eca5cba0ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe

Filesize
1.9MB

MD5
128ada8119b4f860e1aca1891e8abde2

SHA1
f4ec0e95099e354fd01cd3bb27c202f54932dc70

SHA256
016b77d19d9fde6f7d5b477eb7008df80c51ff02acb5f950c986e45a0c2a78d3

SHA512
33df2213fb8580fa2f377f0f9a5d8c526a0e018998bd64e85a0b3db6aedc5536224b87097e8af75f3845e45ce0032174f08346b154e5de94578cfbfba9c4375f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rarreg.key

Filesize
509B

MD5
a508f08707b56a83b2e17c88694cf9f6

SHA1
eb767de79732e94769d146ddd70dbd94db390ab5

SHA256
510929488b7ef3827fde8860369cd867b2b02d48c7e4bbb86db48eb833bcee4a

SHA512
45a0b54bbd5281a9e392aa051c5e601e015496da4f4c5aef841e9eb10bbee03dbec88f3d6c901f29f5962fb05cd16efdd7cb19fa6bd99718a6e57cf77b8af83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe

Filesize
1.4MB

MD5
9fd58d13b4543c52685d4f77bebb34c1

SHA1
9b227de95bfbf859abeb22502a447948f2e6f5ac

SHA256
7548334ef0a06989c22003af8a9bfd9a74e8026fa422bbc7dfeddc42d2221712

SHA512
f580500c0154f606bed5a914ec86ebbe72c0064892c980ee8e9d65b53ea5e37da9523616901c168846aca91f4b7ce4cf5a30bd67406c739939b8bbc9f3ef930e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe.tmp

Filesize
1.4MB

MD5
ef8134a6f610d7e24dd5809a6d42b63b

SHA1
b88f9b6db5aae9961df8033991bc0e2aa83e495b

SHA256
1f486a554f2f8f880c1303fcc75bbdd6dbd5a554ca34f90671ddefb09193f5e3

SHA512
6708c280498048aa60969cc5e2c69f2f4d62c11c9332eec91d16c220b606c2b9a2a9b7aafcf6b691f6c166e54363278c1879eaa172a9e99cf965e7e0cfe14d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5C74.tmp\NSISArray.dll

Filesize
17KB

MD5
2b8574f6a8f5de9042baa43c069d20ba

SHA1
07959da0c6b7715b51f70f1b0aea1f56ba7a4559

SHA256
38654eef0ee3715f4b1268f4b4176a6b487a0a9e53a27a4ec0b84550ea173564

SHA512
f034f71b6a18ee8024d40acd3c097d95c8fd8e128d75075cc452e71898c1c0322f21b54bd39ca72d053d7261ffbab0c5c1f820602d52fc85806513a6fe317e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5C74.tmp\fpinstall.dll

Filesize
8KB

MD5
071b6233c92f69ffa1c24243328c3b94

SHA1
bb583c00e87cdc65e6254c7148d37afc1bbb3095

SHA256
5f6c63cb0ba539d692c5461730f057d0ec6c60639d772fbdc3753c3c6e746c43

SHA512
7fc2db406350488ee86ccffe1e99a91e0f509ef0429063336bf6f96aab07127df352db77fe9d00ddc3aa2db7886dfbac08b6acf6a5c647859956111ca47c24f1

Download Submit
C:\Windows\IEMaximizer.dll

Filesize
48KB

MD5
8bda56f78a481b0b82cbee68b0e21e6b

SHA1
738c4cac60703a918b7be5f3024b93662f2803e1

SHA256
98d17e31e263dce151255413a73dc8db0d6ba9a3325cc9b243a516caa3b5d7d9

SHA512
8b5426b231bedeffb4e9f7c3896fd5cc56299830e6a6d0975d4b7c211cb1bc14ce48619867baec3a707199f5fd175eed6f6331b34a196d93929480ce100bbbe1

Download Submit
C:\Windows\N7\BD.cmd

Filesize
319B

MD5
daefed22cbba32c7ee5937807699b553

SHA1
20c33b1a6cbd66db296cbda2d296506a8817c192

SHA256
7cbce31ecc67b6aec0bfaabeaca9bd0575a3094dc189907154729b144cc265b6

SHA512
0b422520b03530ffe189a010e6f6361765dbfcfc30ba35faf59afec5a2b32badf08fbb827bea5d124c541da9dfc8fb5dbf9869fde22b92dec8cddda5088e61a8

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\Flash10d.ocx

Filesize
3.8MB

MD5
3e5c5ed3eaec55aba27f68440360ae05

SHA1
af372129cd7e6fa3b99cd5b6ebfba034afc8de65

SHA256
57937c093124bd488a449d855076a5bd359ecf9ded8533838833032e7efaca45

SHA512
5d484bce66eda05b545a161c82b848403b11801399d6ac3475e504e593d1d3a8eb7107180454f6cf02b1e7092ba506c322a6931c22508ce22d9a24db74603361

Download Submit
\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp

Filesize
416KB

MD5
b44b67c02b7d868c804a47e7fe9c2b3a

SHA1
e5c8aa9186124cc0c791652e2cc9ce1fc4a74987

SHA256
bb4797ab80ecda5d4e5101e7de4b5ee9001bb3745a4873e5b43b8759946fce72

SHA512
c682c16dfa8831d989e65ccf0ead74a8a9932f88f2837834757d35f032bcd230bfe6752c004cac6c646395af8fb3a51ea92b0418fb34be93a83da87c8708f1d2

Download Submit
\Users\Admin\AppData\Local\Temp\nso5C74.tmp\System.dll

Filesize
10KB

MD5
16ae54e23736352739d7ab156b1965ba

SHA1
14f8f04bed2d6adc07565d5c064f6931b128568f

SHA256
c11ffa087c6848f3870e6336d151f0ba6298c0e1e30ccddf2da25a06d36a61fc

SHA512
15dbfcdc5dc34cb20066120045e3250f8df9e50b91de043f2ada33ac0235907d98668e248828a7ed9c75e25dfb5103b7248867530ce73ee36f6a35c30b4afa9f

Download Submit
\Users\Admin\AppData\Local\Temp\nso5C74.tmp\UserInfo.dll

Filesize
4KB

MD5
68d73a95c628836b67ea5a717d74b38c

SHA1
935372db4a66f9dfd6c938724197787688e141b0

SHA256
21a373c52aaecce52b41aebe6d0224f53760fc3e5c575e821175eee3a1f7f226

SHA512
0e804deab4e647213132add4173c1d2c554c628816f56e21e274a40e185d90254e29c8bfc6fbfdfea2a492d43d23c0bfa4b276252a3f5e1993ab80ff832c4914

Download Submit
memory/1732-431-0x00000000770F0000-0x00000000771F0000-memory.dmp

Filesize
1024KB

Download
memory/2208-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2208-380-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2208-435-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2208-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2208-473-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2208-474-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads