Analysis Overview
SHA256
5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9c
Threat Level: Likely malicious
The file 5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Drops file in Drivers directory
Identifies Wine through registry keys
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
UPX packed file
Drops file in Windows directory
Event Triggered Execution: Netsh Helper DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 18:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 18:11
Reported
2024-11-09 18:13
Platform
win7-20240729-en
Max time kernel
120s
Max time network
16s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\SysWOW64\secioit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\SysWOW64\secioit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\55feng39.MIR | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts.ics | C:\Windows\SysWOW64\secioit.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\secioit.exe | N/A |
| File opened for modification | C:\WINDOWS\system32\drivers\etc\hosts | C:\Windows\SysWOW64\secioit.exe | N/A |
| File created | C:\WINDOWS\system32\drivers\etc\hosts.ics | C:\Windows\SysWOW64\secioit.exe | N/A |
| File opened for modification | C:\WINDOWS\system32\drivers\etc\hosts.ics | C:\Windows\SysWOW64\secioit.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\secinit.exe.lnk | C:\Windows\SysWOW64\secioit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\secioit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\55feng39.MIR | N/A |
| N/A | N/A | C:\Windows\SysWOW64\secioit.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\55feng39.MIR | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Windows\SysWOW64\secioit.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Windows\SysWOW64\secioit.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\secioit.exe | C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\secioit.exe | C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winioit.exe | C:\Users\Admin\AppData\Local\Temp\55feng39.MIR | N/A |
| File created | C:\Windows\SysWOW64\secioit.exe | C:\Users\Admin\AppData\Local\Temp\55feng39.MIR | N/A |
| File opened for modification | C:\Windows\SysWOW64\secioit.exe | C:\Users\Admin\AppData\Local\Temp\55feng39.MIR | N/A |
| File opened for modification | C:\Windows\SysWOW64\winioit.exe | C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\secioit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\55feng39.MIR | N/A |
| N/A | N/A | C:\Windows\SysWOW64\secioit.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\WINDOWS\ADsafa.exe | C:\Users\Admin\AppData\Local\Temp\55feng39.MIR | N/A |
| File opened for modification | C:\WINDOWS\ADsafa.exe | C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\secioit.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\secioit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\secioit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\55feng39.MIR | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\55feng39.MIR | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\55feng39.MIR | N/A |
| N/A | N/A | C:\Windows\SysWOW64\secioit.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\55feng39.MIR | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\55feng39.MIR | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe
"C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe"
C:\Windows\SysWOW64\secioit.exe
C:\Windows\System32\secioit.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\updata.bat
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c icacls %windir%\system32\drivers\etc /t /grant:r everyone:f
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo y|cacls %windir%\system32\drivers\etc /g everyone:f
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\drivers\etc /t /grant:r everyone:f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\drivers\etc /g everyone:f
C:\Users\Admin\AppData\Local\Temp\55feng39.MIR
C:\Users\Admin\AppData\Local\Temp\55feng39.MIR
C:\Windows\SysWOW64\secioit.exe
C:\Windows\System32\secioit.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\updata.bat
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ig.52anzu.com | udp |
| US | 8.8.8.8:53 | www.8uc.com | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
Files
\Windows\SysWOW64\secioit.exe
| MD5 | e9011bd6a4286dbd05a84a4932044ca6 |
| SHA1 | 8034237c355fa5d7b46207872311f11869a67e04 |
| SHA256 | f855f7e32d30381c64f7faa4759e710186a77aea902466e6db521f5846279618 |
| SHA512 | 2c2e311800f2825d200529e9f266a98ef40c4fecba5fb7ed326909e2ca558426dde8350e388e041f9c7f3b561f001c441364bb9991f59b226b8f948246118baa |
C:\Users\Admin\AppData\Local\Temp\updata.bat
| MD5 | 0f7a94080870b545360292682eed22f2 |
| SHA1 | ad613ab81429ee8082fc53c4bc5a5c398dfc679d |
| SHA256 | e42746069d2eb9fda1c664b91c224867304423fd496d25bdba0757f9c62f8ad6 |
| SHA512 | b02d7d854cb15bd9cf2b7e0768196b693a0b32e5c5f75835c68198d7981cde6172fac78e81eda6050ffcb0d91561c864d2b5f979af2554b476455f9b3542552a |
C:\Users\Admin\AppData\Local\Temp\55feng39.MIR
| MD5 | 4a2328e295a2f9c8f59b39d27acb3f43 |
| SHA1 | b50ecf41cf5ebe6e50861cf907a3ae738617cf43 |
| SHA256 | 9b1906a82a0cb79dd1fbf899d837beb5a5adb51507f00d5af19806bd8d9630d8 |
| SHA512 | 7359a2598bc5ad2cc3c07382c4c7a098e1d1686fa6d426445b84fe152deccc6aad00960786230885d260b247f1c48f3614d26fd3174ab992292bf2f3d21b393f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 18:11
Reported
2024-11-09 18:13
Platform
win10v2004-20241007-en
Max time kernel
114s
Max time network
112s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\SysWOW64\secioit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\78wen49.MIR | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\SysWOW64\secioit.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts.ics | C:\Windows\SysWOW64\secioit.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\secioit.exe | N/A |
| File opened for modification | C:\WINDOWS\system32\drivers\etc\hosts | C:\Windows\SysWOW64\secioit.exe | N/A |
| File created | C:\WINDOWS\system32\drivers\etc\hosts.ics | C:\Windows\SysWOW64\secioit.exe | N/A |
| File opened for modification | C:\WINDOWS\system32\drivers\etc\hosts.ics | C:\Windows\SysWOW64\secioit.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\secinit.exe.lnk | C:\Windows\SysWOW64\secioit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\secioit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\78wen49.MIR | N/A |
| N/A | N/A | C:\Windows\SysWOW64\secioit.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | C:\Windows\SysWOW64\secioit.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\78wen49.MIR | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | C:\Windows\SysWOW64\secioit.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\secioit.exe | C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winioit.exe | C:\Users\Admin\AppData\Local\Temp\78wen49.MIR | N/A |
| File created | C:\Windows\SysWOW64\secioit.exe | C:\Users\Admin\AppData\Local\Temp\78wen49.MIR | N/A |
| File opened for modification | C:\Windows\SysWOW64\secioit.exe | C:\Users\Admin\AppData\Local\Temp\78wen49.MIR | N/A |
| File opened for modification | C:\Windows\SysWOW64\winioit.exe | C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe | N/A |
| File created | C:\Windows\SysWOW64\secioit.exe | C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\secioit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\78wen49.MIR | N/A |
| N/A | N/A | C:\Windows\SysWOW64\secioit.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\WINDOWS\ADsafa.exe | C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe | N/A |
| File opened for modification | C:\WINDOWS\ADsafa.exe | C:\Users\Admin\AppData\Local\Temp\78wen49.MIR | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\secioit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\78wen49.MIR | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\secioit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\78wen49.MIR | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\78wen49.MIR | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe
"C:\Users\Admin\AppData\Local\Temp\5f5f0f0dc619a2ffa51105b117c9729327331712e3728959a98eec15c146ed9cN.exe"
C:\Windows\SysWOW64\secioit.exe
C:\Windows\System32\secioit.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c icacls %windir%\system32\drivers\etc /t /grant:r everyone:f
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo y|cacls %windir%\system32\drivers\etc /g everyone:f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\drivers\etc /t /grant:r everyone:f
C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\drivers\etc /g everyone:f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\updata.bat
C:\Users\Admin\AppData\Local\Temp\78wen49.MIR
C:\Users\Admin\AppData\Local\Temp\78wen49.MIR
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
C:\Windows\SysWOW64\secioit.exe
C:\Windows\System32\secioit.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\updata.bat
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh ipsec static delete all
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static delete all
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ig.52anzu.com | udp |
| US | 8.8.8.8:53 | www.8uc.com | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ig.52anzu.com | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ig.52anzu.com | udp |
| US | 8.8.8.8:53 | ig.52anzu.com | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ig.52anzu.com | udp |
Files
C:\Windows\SysWOW64\secioit.exe
| MD5 | e9011bd6a4286dbd05a84a4932044ca6 |
| SHA1 | 8034237c355fa5d7b46207872311f11869a67e04 |
| SHA256 | f855f7e32d30381c64f7faa4759e710186a77aea902466e6db521f5846279618 |
| SHA512 | 2c2e311800f2825d200529e9f266a98ef40c4fecba5fb7ed326909e2ca558426dde8350e388e041f9c7f3b561f001c441364bb9991f59b226b8f948246118baa |
C:\Users\Admin\AppData\Local\Temp\updata.bat
| MD5 | 0f7a94080870b545360292682eed22f2 |
| SHA1 | ad613ab81429ee8082fc53c4bc5a5c398dfc679d |
| SHA256 | e42746069d2eb9fda1c664b91c224867304423fd496d25bdba0757f9c62f8ad6 |
| SHA512 | b02d7d854cb15bd9cf2b7e0768196b693a0b32e5c5f75835c68198d7981cde6172fac78e81eda6050ffcb0d91561c864d2b5f979af2554b476455f9b3542552a |
C:\Users\Admin\AppData\Local\Temp\78wen49.MIR
| MD5 | eab40fbfa1e9c1e2ce17b40563fa139c |
| SHA1 | 8b56ef640e4248bb7b06d7a05401d59f4a63f00f |
| SHA256 | bac4eda436c4581cc7685323d033359655051238d4325a72dc73f35305f67b3d |
| SHA512 | 931ebb7f8b4c76010d10534cb5513010ac8ef8c9c504c069e3883b12acc66792720126ee9e6594ab21a5183bfaea5cc1729008018f2edc35935f784b9ed3a868 |