ddcbe331e610f3a5cd579662826404aeff1f9ca5be2db4ca3e4e0fd923cc4b48

Analysis

max time kernel
93s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

idm注册机激活/IDM卸载后执行.bat
Size

8KB
MD5

66e736d158131ada43af4b98d84f880b
SHA1

6ae6255d12b1aedc3218ad5593c1d7a49d3a74e0
SHA256

1d83a1b5830aeef9533a2cacbabf880da6d71e17031dd1d46e1b3d3e5768d9fe
SHA512

7a5896b4221608bf32a7d35fd268c896c41abc47c06a3e761f7d213a372e9d7080ed508f7bad1e3bbd9c0fd6563bfb45bf2081dc66d9c490caa8455d296b91cf
SSDEEP

192:IJGsSXczOrcf1NrAfCvIzxflf0kREPTvDHbhgzrhtytc:IGdREjDHbaXic

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2168	whoami.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 396	4084	cmd.exe	84
PID 4084 wrote to memory of 396	4084	cmd.exe	84
PID 396 wrote to memory of 2168	396	cmd.exe	85
PID 396 wrote to memory of 2168	396	cmd.exe	85
PID 4084 wrote to memory of 5012	4084	cmd.exe	86
PID 4084 wrote to memory of 5012	4084	cmd.exe	86
PID 4084 wrote to memory of 4756	4084	cmd.exe	87
PID 4084 wrote to memory of 4756	4084	cmd.exe	87
PID 4084 wrote to memory of 5092	4084	cmd.exe	88
PID 4084 wrote to memory of 5092	4084	cmd.exe	88
PID 4084 wrote to memory of 1568	4084	cmd.exe	89
PID 4084 wrote to memory of 1568	4084	cmd.exe	89
PID 4084 wrote to memory of 4832	4084	cmd.exe	90
PID 4084 wrote to memory of 4832	4084	cmd.exe	90
PID 4084 wrote to memory of 320	4084	cmd.exe	91
PID 4084 wrote to memory of 320	4084	cmd.exe	91
PID 4084 wrote to memory of 968	4084	cmd.exe	92
PID 4084 wrote to memory of 968	4084	cmd.exe	92
PID 4084 wrote to memory of 4528	4084	cmd.exe	94
PID 4084 wrote to memory of 4528	4084	cmd.exe	94
PID 4084 wrote to memory of 4900	4084	cmd.exe	95
PID 4084 wrote to memory of 4900	4084	cmd.exe	95
PID 4084 wrote to memory of 3132	4084	cmd.exe	96
PID 4084 wrote to memory of 3132	4084	cmd.exe	96
PID 4084 wrote to memory of 2496	4084	cmd.exe	97
PID 4084 wrote to memory of 2496	4084	cmd.exe	97
PID 4084 wrote to memory of 2884	4084	cmd.exe	98
PID 4084 wrote to memory of 2884	4084	cmd.exe	98
PID 4084 wrote to memory of 4908	4084	cmd.exe	99
PID 4084 wrote to memory of 4908	4084	cmd.exe	99
PID 4084 wrote to memory of 60	4084	cmd.exe	100
PID 4084 wrote to memory of 60	4084	cmd.exe	100
PID 4084 wrote to memory of 2692	4084	cmd.exe	101
PID 4084 wrote to memory of 2692	4084	cmd.exe	101
PID 4084 wrote to memory of 2528	4084	cmd.exe	103
PID 4084 wrote to memory of 2528	4084	cmd.exe	103
PID 4084 wrote to memory of 4612	4084	cmd.exe	104
PID 4084 wrote to memory of 4612	4084	cmd.exe	104
PID 4084 wrote to memory of 3008	4084	cmd.exe	105
PID 4084 wrote to memory of 3008	4084	cmd.exe	105
PID 4084 wrote to memory of 4996	4084	cmd.exe	106
PID 4084 wrote to memory of 4996	4084	cmd.exe	106
PID 4084 wrote to memory of 208	4084	cmd.exe	107
PID 4084 wrote to memory of 208	4084	cmd.exe	107
PID 4084 wrote to memory of 112	4084	cmd.exe	108
PID 4084 wrote to memory of 112	4084	cmd.exe	108
PID 4084 wrote to memory of 2780	4084	cmd.exe	109
PID 4084 wrote to memory of 2780	4084	cmd.exe	109
PID 4084 wrote to memory of 3280	4084	cmd.exe	110
PID 4084 wrote to memory of 3280	4084	cmd.exe	110
PID 4084 wrote to memory of 4648	4084	cmd.exe	111
PID 4084 wrote to memory of 4648	4084	cmd.exe	111
PID 4084 wrote to memory of 5040	4084	cmd.exe	112
PID 4084 wrote to memory of 5040	4084	cmd.exe	112
PID 4084 wrote to memory of 1832	4084	cmd.exe	113
PID 4084 wrote to memory of 1832	4084	cmd.exe	113
PID 4084 wrote to memory of 2680	4084	cmd.exe	114
PID 4084 wrote to memory of 2680	4084	cmd.exe	114
PID 4084 wrote to memory of 4924	4084	cmd.exe	116
PID 4084 wrote to memory of 4924	4084	cmd.exe	116
PID 4084 wrote to memory of 1440	4084	cmd.exe	117
PID 4084 wrote to memory of 1440	4084	cmd.exe	117
PID 4084 wrote to memory of 4540	4084	cmd.exe	118
PID 4084 wrote to memory of 4540	4084	cmd.exe	118

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\idm注册机激活\IDM卸载后执行.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c whoami /user /fo list
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\system32\whoami.exe
    whoami /user /fo list
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2168
- C:\Windows\system32\reg.exe
  reg query HKU\S-1-5-19
  2⤵
  PID:5012
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
  2⤵
  PID:4756
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
  2⤵
  PID:5092
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
  2⤵
  PID:1568
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
  2⤵
  PID:4832
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
  2⤵
  PID:320
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
  2⤵
  PID:968
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
  2⤵
  PID:4528
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
  2⤵
  PID:4900
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
  2⤵
  PID:3132
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
  2⤵
  PID:2496
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
  2⤵
  PID:2884
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
  2⤵
  PID:4908
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
  2⤵
  PID:60
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
  2⤵
  PID:2692
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
  2⤵
  PID:2528
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
  2⤵
  PID:4612
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
  2⤵
  PID:3008
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
  2⤵
  PID:4996
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
  2⤵
  PID:208
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
  2⤵
  PID:112
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
  2⤵
  PID:2780
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
  2⤵
  PID:3280
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
  2⤵
  PID:4648
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
  2⤵
  PID:5040
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
  2⤵
  PID:1832
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
  2⤵
  PID:2680
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
  2⤵
  PID:4924
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
  2⤵
  PID:1440
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
  2⤵
  PID:4540
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
  2⤵
  PID:5104
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
  2⤵
  PID:4428
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
  2⤵
  PID:2432
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
  2⤵
  PID:3648
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
  2⤵
  PID:428
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
  2⤵
  PID:3024
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
  2⤵
  PID:312
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
  2⤵
  PID:372
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
  2⤵
  PID:3244
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
  2⤵
  PID:1648
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
  2⤵
  PID:1096
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
  2⤵
  PID:1476
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
  2⤵
  PID:2468
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
  2⤵
  PID:3816
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
  2⤵
  PID:2960
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
  2⤵
  PID:3260
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
  2⤵
  PID:3200
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
  2⤵
  PID:4196
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
  2⤵
  PID:1500
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
  2⤵
  PID:4368
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
  2⤵
  PID:4064
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
  2⤵
  PID:4524
- C:\Windows\system32\reg.exe
  REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
  2⤵
  PID:836
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
  2⤵
  PID:4716
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
  2⤵
  PID:1740
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
  2⤵
  PID:2600
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
  2⤵
  PID:1384
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
  2⤵
  PID:3428
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
  2⤵
  PID:884
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
  2⤵
  PID:928
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
  2⤵
  PID:3828
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
  2⤵
  PID:2592
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
  2⤵
  PID:1484
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
  2⤵
  PID:1712
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
  2⤵
  PID:3520
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
  2⤵
  PID:4232
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
  2⤵
  PID:3356
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
  2⤵
  PID:1908
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
  2⤵
  PID:1944
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
  2⤵
  PID:1676
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
  2⤵
  PID:1680
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
  2⤵
  PID:5112
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
  2⤵
  PID:3192
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
  2⤵
  PID:4772
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
  2⤵
  PID:2664
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
  2⤵
  PID:2816
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
  2⤵
  PID:2012
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
  2⤵
  PID:964
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
  2⤵
  PID:2612
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
  2⤵
  PID:4488
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
  2⤵
  PID:3264
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
  2⤵
  PID:3604
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
  2⤵
  PID:2576
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
  2⤵
  PID:3588
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
  2⤵
  PID:2040
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
  2⤵
  PID:1852
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
  2⤵
  PID:3656
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
  2⤵
  PID:3980
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
  2⤵
  PID:1388
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
  2⤵
  PID:728
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
  2⤵
  PID:3340
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
  2⤵
  PID:316
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
  2⤵
  PID:232
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
  2⤵
  PID:4572
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
  2⤵
  PID:2252
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
  2⤵
  PID:2888
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
  2⤵
  PID:3432
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
  2⤵
  PID:4048
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
  2⤵
  PID:4760
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
  2⤵
  PID:1912
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
  2⤵
  PID:4876
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
  2⤵
  PID:3352
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
  2⤵
  PID:4492
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
  2⤵
  PID:2264
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
  2⤵
  PID:4860
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
  2⤵
  PID:2356
- C:\Windows\system32\reg.exe
  REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
  2⤵
  PID:2004
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
  2⤵
  PID:4032
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
  2⤵
  PID:1348
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
  2⤵
  PID:1512
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
  2⤵
  PID:2500
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
  2⤵
  PID:3052
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
  2⤵
  PID:3696
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
  2⤵
  PID:212
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
  2⤵
  PID:4296
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
  2⤵
  PID:4000
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
  2⤵
  PID:2712
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
  2⤵
  PID:3804
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
  2⤵
  PID:4820
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
  2⤵
  PID:5096
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
  2⤵
  PID:1412
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
  2⤵
  PID:2180
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
  2⤵
  PID:524
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
  2⤵
  PID:4636
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
  2⤵
  PID:3636
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
  2⤵
  PID:3048
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
  2⤵
  PID:3964
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
  2⤵
  PID:2020
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
  2⤵
  PID:3784
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
  2⤵
  PID:3556
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
  2⤵
  PID:5016
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
  2⤵
  PID:2044
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
  2⤵
  PID:4428
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
  2⤵
  PID:3252
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
  2⤵
  PID:4548
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
  2⤵
  PID:2388
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
  2⤵
  PID:1868
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
  2⤵
  PID:3308
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
  2⤵
  PID:3088
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
  2⤵
  PID:3680
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
  2⤵
  PID:3632
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
  2⤵
  PID:1616
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
  2⤵
  PID:2876
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
  2⤵
  PID:1104
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
  2⤵
  PID:2468
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
  2⤵
  PID:4768
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
  2⤵
  PID:1464
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
  2⤵
  PID:2948
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
  2⤵
  PID:4356
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
  2⤵
  PID:5024
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
  2⤵
  PID:4144
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
  2⤵
  PID:1028
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
  2⤵
  PID:2628
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
  2⤵
  PID:2860
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
  2⤵
  PID:4568
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
  2⤵
  PID:3836
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
  2⤵
  PID:4520
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
  2⤵
  PID:916
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
  2⤵
  PID:4632
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
  2⤵
  PID:3388
- C:\Windows\system32\reg.exe
  REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
  2⤵
  PID:944
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
  2⤵
  PID:4952
- C:\Windows\system32\reg.exe
  reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
  2⤵
  PID:2428

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads