ddcbe331e610f3a5cd579662826404aeff1f9ca5be2db4ca3e4e0fd923cc4b48

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

idm注册机激活/IDM卸载后执行.bat
Size

8KB
MD5

66e736d158131ada43af4b98d84f880b
SHA1

6ae6255d12b1aedc3218ad5593c1d7a49d3a74e0
SHA256

1d83a1b5830aeef9533a2cacbabf880da6d71e17031dd1d46e1b3d3e5768d9fe
SHA512

7a5896b4221608bf32a7d35fd268c896c41abc47c06a3e761f7d213a372e9d7080ed508f7bad1e3bbd9c0fd6563bfb45bf2081dc66d9c490caa8455d296b91cf
SSDEEP

192:IJGsSXczOrcf1NrAfCvIzxflf0kREPTvDHbhgzrhtytc:IGdREjDHbaXic

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	whoami.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 892	1876	cmd.exe	29
PID 1876 wrote to memory of 892	1876	cmd.exe	29
PID 1876 wrote to memory of 892	1876	cmd.exe	29
PID 892 wrote to memory of 2524	892	cmd.exe	30
PID 892 wrote to memory of 2524	892	cmd.exe	30
PID 892 wrote to memory of 2524	892	cmd.exe	30
PID 1876 wrote to memory of 2724	1876	cmd.exe	31
PID 1876 wrote to memory of 2724	1876	cmd.exe	31
PID 1876 wrote to memory of 2724	1876	cmd.exe	31
PID 1876 wrote to memory of 3012	1876	cmd.exe	32
PID 1876 wrote to memory of 3012	1876	cmd.exe	32
PID 1876 wrote to memory of 3012	1876	cmd.exe	32
PID 1876 wrote to memory of 3036	1876	cmd.exe	33
PID 1876 wrote to memory of 3036	1876	cmd.exe	33
PID 1876 wrote to memory of 3036	1876	cmd.exe	33
PID 1876 wrote to memory of 2328	1876	cmd.exe	34
PID 1876 wrote to memory of 2328	1876	cmd.exe	34
PID 1876 wrote to memory of 2328	1876	cmd.exe	34
PID 1876 wrote to memory of 2844	1876	cmd.exe	35
PID 1876 wrote to memory of 2844	1876	cmd.exe	35
PID 1876 wrote to memory of 2844	1876	cmd.exe	35
PID 1876 wrote to memory of 2728	1876	cmd.exe	36
PID 1876 wrote to memory of 2728	1876	cmd.exe	36
PID 1876 wrote to memory of 2728	1876	cmd.exe	36
PID 1876 wrote to memory of 2952	1876	cmd.exe	37
PID 1876 wrote to memory of 2952	1876	cmd.exe	37
PID 1876 wrote to memory of 2952	1876	cmd.exe	37
PID 1876 wrote to memory of 1536	1876	cmd.exe	38
PID 1876 wrote to memory of 1536	1876	cmd.exe	38
PID 1876 wrote to memory of 1536	1876	cmd.exe	38
PID 1876 wrote to memory of 2132	1876	cmd.exe	39
PID 1876 wrote to memory of 2132	1876	cmd.exe	39
PID 1876 wrote to memory of 2132	1876	cmd.exe	39
PID 1876 wrote to memory of 2072	1876	cmd.exe	40
PID 1876 wrote to memory of 2072	1876	cmd.exe	40
PID 1876 wrote to memory of 2072	1876	cmd.exe	40
PID 1876 wrote to memory of 3000	1876	cmd.exe	41
PID 1876 wrote to memory of 3000	1876	cmd.exe	41
PID 1876 wrote to memory of 3000	1876	cmd.exe	41
PID 1876 wrote to memory of 1820	1876	cmd.exe	42
PID 1876 wrote to memory of 1820	1876	cmd.exe	42
PID 1876 wrote to memory of 1820	1876	cmd.exe	42
PID 1876 wrote to memory of 2588	1876	cmd.exe	43
PID 1876 wrote to memory of 2588	1876	cmd.exe	43
PID 1876 wrote to memory of 2588	1876	cmd.exe	43
PID 1876 wrote to memory of 2592	1876	cmd.exe	44
PID 1876 wrote to memory of 2592	1876	cmd.exe	44
PID 1876 wrote to memory of 2592	1876	cmd.exe	44
PID 1876 wrote to memory of 2668	1876	cmd.exe	45
PID 1876 wrote to memory of 2668	1876	cmd.exe	45
PID 1876 wrote to memory of 2668	1876	cmd.exe	45
PID 1876 wrote to memory of 2696	1876	cmd.exe	46
PID 1876 wrote to memory of 2696	1876	cmd.exe	46
PID 1876 wrote to memory of 2696	1876	cmd.exe	46
PID 1876 wrote to memory of 2700	1876	cmd.exe	47
PID 1876 wrote to memory of 2700	1876	cmd.exe	47
PID 1876 wrote to memory of 2700	1876	cmd.exe	47
PID 1876 wrote to memory of 2708	1876	cmd.exe	48
PID 1876 wrote to memory of 2708	1876	cmd.exe	48
PID 1876 wrote to memory of 2708	1876	cmd.exe	48
PID 1876 wrote to memory of 2716	1876	cmd.exe	49
PID 1876 wrote to memory of 2716	1876	cmd.exe	49
PID 1876 wrote to memory of 2716	1876	cmd.exe	49
PID 1876 wrote to memory of 2596	1876	cmd.exe	50

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\idm注册机激活\IDM卸载后执行.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c whoami /user /fo list
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\system32\whoami.exe
    whoami /user /fo list
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2524
- C:\Windows\system32\reg.exe
  reg query HKU\S-1-5-19
  2⤵
  PID:2724
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
  2⤵
  PID:3012
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
  2⤵
  PID:3036
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
  2⤵
  PID:2328
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
  2⤵
  PID:2844
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
  2⤵
  PID:2728
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
  2⤵
  PID:2952
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
  2⤵
  PID:1536
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
  2⤵
  PID:2132
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
  2⤵
  PID:2072
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
  2⤵
  PID:3000
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
  2⤵
  PID:1820
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
  2⤵
  PID:2588
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
  2⤵
  PID:2592
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
  2⤵
  PID:2668
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
  2⤵
  PID:2696
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
  2⤵
  PID:2700
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
  2⤵
  PID:2708
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
  2⤵
  PID:2716
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
  2⤵
  PID:2596
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
  2⤵
  PID:2864
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
  2⤵
  PID:2856
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
  2⤵
  PID:2644
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
  2⤵
  PID:2648
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
  2⤵
  PID:2452
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
  2⤵
  PID:3024
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
  2⤵
  PID:2656
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
  2⤵
  PID:2604
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
  2⤵
  PID:2480
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
  2⤵
  PID:2852
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
  2⤵
  PID:2824
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
  2⤵
  PID:2764
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
  2⤵
  PID:2640
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
  2⤵
  PID:2472
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
  2⤵
  PID:2580
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
  2⤵
  PID:2616
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
  2⤵
  PID:2236
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
  2⤵
  PID:2664
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
  2⤵
  PID:2500
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
  2⤵
  PID:2448
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
  2⤵
  PID:2460
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
  2⤵
  PID:2476
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
  2⤵
  PID:2508
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
  2⤵
  PID:2520
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
  2⤵
  PID:2364
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
  2⤵
  PID:2216
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
  2⤵
  PID:2932
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
  2⤵
  PID:2928
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
  2⤵
  PID:3020
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
  2⤵
  PID:2344
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
  2⤵
  PID:2440
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
  2⤵
  PID:2940
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
  2⤵
  PID:1916
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
  2⤵
  PID:1864
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
  2⤵
  PID:1452
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
  2⤵
  PID:608
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
  2⤵
  PID:1756
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
  2⤵
  PID:844
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
  2⤵
  PID:1160
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
  2⤵
  PID:2044
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
  2⤵
  PID:1696
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
  2⤵
  PID:2040
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
  2⤵
  PID:2504
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
  2⤵
  PID:2512
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
  2⤵
  PID:2544
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
  2⤵
  PID:2744
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
  2⤵
  PID:2748
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
  2⤵
  PID:2732
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
  2⤵
  PID:2788
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
  2⤵
  PID:2632
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
  2⤵
  PID:1636
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
  2⤵
  PID:2752
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
  2⤵
  PID:1444
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
  2⤵
  PID:2760
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
  2⤵
  PID:1556
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
  2⤵
  PID:2260
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
  2⤵
  PID:2248
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
  2⤵
  PID:1716
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
  2⤵
  PID:1212
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
  2⤵
  PID:2408
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
  2⤵
  PID:1020
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
  2⤵
  PID:1208
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
  2⤵
  PID:1648
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
  2⤵
  PID:1644
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
  2⤵
  PID:2416
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
  2⤵
  PID:1176
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
  2⤵
  PID:1664
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
  2⤵
  PID:2392
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
  2⤵
  PID:1656
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
  2⤵
  PID:1792
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
  2⤵
  PID:1456
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
  2⤵
  PID:2768
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
  2⤵
  PID:2268
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
  2⤵
  PID:1448
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
  2⤵
  PID:2032
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
  2⤵
  PID:2240
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
  2⤵
  PID:2372
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
  2⤵
  PID:2232
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
  2⤵
  PID:2004
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
  2⤵
  PID:2008
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
  2⤵
  PID:2800
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
  2⤵
  PID:2012
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
  2⤵
  PID:2000
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
  2⤵
  PID:1988
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
  2⤵
  PID:2620
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
  2⤵
  PID:1784
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
  2⤵
  PID:2836
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
  2⤵
  PID:3048
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
  2⤵
  PID:2820
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
  2⤵
  PID:2832
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
  2⤵
  PID:2796
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
  2⤵
  PID:2808
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
  2⤵
  PID:536
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
  2⤵
  PID:380
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
  2⤵
  PID:2276
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
  2⤵
  PID:1800
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
  2⤵
  PID:1400
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
  2⤵
  PID:988
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
  2⤵
  PID:688
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
  2⤵
  PID:580
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
  2⤵
  PID:2108
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
  2⤵
  PID:1560
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
  2⤵
  PID:1572
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
  2⤵
  PID:1740
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
  2⤵
  PID:1404
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
  2⤵
  PID:636
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
  2⤵
  PID:1036
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
  2⤵
  PID:1580
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
  2⤵
  PID:2484
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
  2⤵
  PID:2340
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
  2⤵
  PID:1044
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
  2⤵
  PID:2360
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
  2⤵
  PID:3060
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
  2⤵
  PID:1600
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
  2⤵
  PID:2368
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
  2⤵
  PID:448
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
  2⤵
  PID:2880
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
  2⤵
  PID:2872
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
  2⤵
  PID:276
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
  2⤵
  PID:1064
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
  2⤵
  PID:1684
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
  2⤵
  PID:1152
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
  2⤵
  PID:1312
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
  2⤵
  PID:1540
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
  2⤵
  PID:820
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
  2⤵
  PID:1564
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
  2⤵
  PID:1428
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
  2⤵
  PID:1348
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
  2⤵
  PID:1688
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
  2⤵
  PID:1468
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
  2⤵
  PID:1252
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
  2⤵
  PID:1028
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
  2⤵
  PID:2868
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
  2⤵
  PID:1868
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
  2⤵
  PID:320
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
  2⤵
  PID:1712
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
  2⤵
  PID:908
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
  2⤵
  PID:916
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
  2⤵
  PID:1484
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
  2⤵
  PID:1760
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
  2⤵
  PID:3064
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
  2⤵
  PID:2104
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
  2⤵
  PID:2860

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads