floxif | a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bc

Analysis

max time kernel
13s
max time network
19s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 16:21

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bc.exe
Size

4.3MB
MD5

88803d738899f52422d43240053ba7e0
SHA1

fc02fc3bffd0712ad724e92ee8d9afe6f3efafc4
SHA256

a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bc
SHA512

4580e57143df815867f3c4c8fb8ce9365e87513e3409b760710a5375c410c9d93f6e97a7baf6767c84eb3e4e564e84d906bae375e75c228b63cd8014d83a16f0
SSDEEP

98304:sygXkXYxIaRtFHHvSSSL+eHhXXinaWsEHGmStJyJR6Kg2BflXHxro:YOnaTFv/eHKaWsEHXSyJR3g2BpHxro

Score

10^/10

floxif adware backdoor defense_evasion discovery exploit persistence privilege_escalation stealer trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000d000000023b0a-2.dat	floxif

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ = "Adobe Flash Player"	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ComponentID = "Flash"	flash.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\IsInstalled = 01000000	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Version = "10.0.42.34"	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Locale = "EN"	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}	flash.exe

Possible privilege escalation attempt 30 IoCs

exploit

pid	Process
2852	takeown.exe
4828	takeown.exe
4576	icacls.exe
4308	icacls.exe
1680	takeown.exe
1496	icacls.exe
3376	icacls.exe
1552	takeown.exe
540	icacls.exe
1916	takeown.exe
2744	takeown.exe
2260	takeown.exe
3732	takeown.exe
4772	icacls.exe
4448	takeown.exe
5092	takeown.exe
3496	takeown.exe
836	takeown.exe
3320	takeown.exe
4536	takeown.exe
1216	takeown.exe
3824	takeown.exe
4068	takeown.exe
3020	takeown.exe
932	takeown.exe
1740	icacls.exe
4792	icacls.exe
3436	takeown.exe
3564	takeown.exe
920	icacls.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000d000000023b0a-2.dat	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wrar391.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 6 IoCs

pid	Process
680	wrar391.exe
224	uninstall.exe
3904	flash.exe
3008	GD.exe
2884	GD.exe
644	GD.exe

Loads dropped DLL 15 IoCs

pid	Process
2132	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bc.exe
3904	flash.exe
3904	flash.exe
3904	flash.exe
3904	flash.exe
3904	flash.exe
3904	flash.exe
3904	flash.exe
3904	flash.exe
3904	flash.exe
3904	flash.exe
3904	flash.exe
3904	flash.exe
3644	regsvr32.exe
4044	shutdown.exe

Modifies file permissions 1 TTPs 30 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4308	icacls.exe
4792	icacls.exe
4576	icacls.exe
3020	takeown.exe
2260	takeown.exe
1216	takeown.exe
2852	takeown.exe
540	icacls.exe
1496	icacls.exe
932	takeown.exe
1680	takeown.exe
1552	takeown.exe
3732	takeown.exe
3564	takeown.exe
920	icacls.exe
4772	icacls.exe
3436	takeown.exe
3376	icacls.exe
5092	takeown.exe
2744	takeown.exe
4536	takeown.exe
3824	takeown.exe
3320	takeown.exe
4068	takeown.exe
4828	takeown.exe
3496	takeown.exe
1740	icacls.exe
836	takeown.exe
1916	takeown.exe
4448	takeown.exe

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\001\1 = "REGEDIT /S C:\\Windows\\register.reg"	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bc.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1AA53EE6-3170-4D34-A020-B6443A53A257}	regsvr32.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\install.log	flash.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\Flash10d.ocx	flash.exe
File created	C:\Windows\SysWOW64\sppcomapi.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\sppcomapi.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ko-KR\shell32.dll.mui	cmd.exe
File created	C:\Windows\SysWOW64\ko-KR\Display.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10d.exe	flash.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\uninstall_activeX.exe	flash.exe
File opened for modification	C:\Windows\SysWOW64\winver.exe	cmd.exe
File created	C:\Windows\SysWOW64\ko-KR\themecpl.dll.mui	cmd.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10d.exe	flash.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\Flash10d.ocx	flash.exe
File created	C:\Windows\SysWOW64\slmgr.vbs	cmd.exe
File opened for modification	C:\Windows\SysWOW64\slmgr.vbs	cmd.exe
File created	C:\Windows\SysWOW64\systemcpl.dll	cmd.exe
File created	C:\Windows\SysWOW64\winver.exe	cmd.exe
File created	C:\Windows\SysWOW64\ko-KR\shell32.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ko-KR\themecpl.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\systemcpl.dll	cmd.exe
File created	C:\Windows\SysWOW64\user32.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\user32.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ko-KR\Display.dll.mui	cmd.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2132-0-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/files/0x000d000000023b0a-2.dat	upx
behavioral2/memory/2132-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2132-439-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/2132-505-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2132-604-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2132-603-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WinRAR\WinCon_en-US.SFX	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Zip.SFX	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\ReadMe.txt	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Formats\7zxa.dll	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Formats\cab.fmt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Default.SFX	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\rarreg.key	uninstall.exe
File created	C:\Program Files (x86)\WinRAR\Descript.ion	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\WinRAR.exe	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Formats\UNACEV2.DLL	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Formats\tar.fmt	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Formats\z.fmt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\File_Id.diz	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Descript.ion	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Order.htm	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\RAR.exe	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Formats	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Formats\arj.fmt	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Formats\bz2.fmt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Formats\lzh.fmt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\WhatsNew.txt	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Uninstall.lst	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Uninstall.exe	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\RarExt.dll	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Formats\uue.fmt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Zip_en-US.SFX	wrar391.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bc.exe
File created	C:\Program Files (x86)\WinRAR\rarnew.dat	uninstall.exe
File created	C:\Program Files (x86)\WinRAR\File_Id.diz	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\License.txt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Rar.txt	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Uninstall.exe	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\WinRAR.exe	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Formats\ace.fmt	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\License.txt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\UnRAR.exe	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\RarExt.dll	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Formats\z.fmt	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\zipnew.dat	uninstall.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Order.htm	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\UnRAR.exe	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Formats\7zxa.dll	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Formats\iso.fmt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\WinCon_en-US.SFX	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Rar.txt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\UnrarSrc.txt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Formats\arj.fmt	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Formats\gz.fmt	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Formats\uue.fmt	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\WinCon.SFX	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\RarFiles.lst	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\RAR.exe	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\RarExtLoader.exe	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Formats\bz2.fmt	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Formats\lzh.fmt	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\WhatsNew.txt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Formats\gz.fmt	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Default.SFX	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\Zip.SFX	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\TechNote.txt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\TechNote.txt	wrar391.exe
File created	C:\Program Files (x86)\WinRAR\UnrarSrc.txt	wrar391.exe
File opened for modification	C:\Program Files (x86)\WinRAR\Default_en-US.SFX	wrar391.exe

Drops file in Windows directory 62 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3246022523\784538226.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\3214612860\3753333991.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\2899339121\3262920717.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\1008669510\651334401.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\2965031256\1501519611.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\92721896\2685858253.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\2879188601\459760406.pri	mcbuilder.exe
File opened for modification	C:\Windows\IEMaximizer.dll	cmd.exe
File opened for modification	C:\Windows\N7\GD.exe	cmd.exe
File created	C:\Windows\rescache\_merged\3937681233\230637640.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\3983011459\329499506.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\942976607\212156261.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\899128513\3646604013.pri	mcbuilder.exe
File opened for modification	C:\Windows\N7\TD.cmd	cmd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_c9a77b62978c68da\Display.dll.mui	cmd.exe
File created	C:\Windows\rescache\_merged\2939201637\2647981069.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\1945310375\1010989319.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\2530935351\1110082846.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\3970336390\3335102081.pri	mcbuilder.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_bcf4e4c2171d8468\themecpl.dll.mui	cmd.exe
File created	C:\Windows\rescache\_merged\2285375612\2440843840.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\1649057605\3037178151.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\3479232320\11140763.pri	mcbuilder.exe
File created	C:\Windows\N7\GD.exe	cmd.exe
File opened for modification	C:\Windows\N7\BD.cmd	cmd.exe
File created	C:\Windows\rescache\_merged\1910676589\2880856764.pri	mcbuilder.exe
File created	C:\Windows\N7\TD.cmd	cmd.exe
File created	C:\Windows\IEMaximizer.dll	cmd.exe
File created	C:\Windows\rescache\_merged\482193516\3011897774.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\3200614358\1029744313.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\64831148\2602077189.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\2137598169\2207493924.pri	mcbuilder.exe
File opened for modification	C:\Windows\REGISTER.reg	cmd.exe
File created	C:\Windows\rescache\_merged\2782477206\596507695.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\1902349548\765308051.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\242531539\946762314.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\4245263321\3102375087.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\2360802049\3926782672.pri	mcbuilder.exe
File created	C:\Windows\REGISTER.reg	cmd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_2bba41a8e9e5ffdb\shell32.dll.mui	cmd.exe
File created	C:\Windows\rescache\_merged\2263554406\2576708587.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\3031988681\327323312.pri	mcbuilder.exe
File created	C:\Windows\N7\AD.cmd	cmd.exe
File created	C:\Windows\rescache\_merged\1045417640\562750545.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\431186354\2974851532.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\3977956527\4246452460.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\2928961003\2113937903.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\205257784\2333614249.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\2229298842\3069744964.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\1936697710\2657602069.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\1712550052\1292294125.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\4278325366\1047160290.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\1102129660\2630725909.pri	mcbuilder.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_87d8dd2ca2437111\shell32.dll.mui	cmd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_60d6493e5ec01332\themecpl.dll.mui	cmd.exe
File created	C:\Windows\rescache\_merged\1691975690\4064058629.pri	mcbuilder.exe
File created	C:\Windows\N7\BD.cmd	cmd.exe
File created	C:\Windows\rescache\_merged\3252231599\1081777161.pri	mcbuilder.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_6d88dfdedf2ef7a4\Display.dll.mui	cmd.exe
File created	C:\Windows\rescache\_merged\2181205234\1364962562.pri	mcbuilder.exe
File created	C:\Windows\rescache\_merged\3628602599\350727566.pri	mcbuilder.exe
File opened for modification	C:\Windows\N7\AD.cmd	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3324	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrar391.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023c86-267.dat	nsis_installer_1

Modifies File Icons 1 IoCs

ransomware

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3"	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\SysWow64\\Macromed\\Flash"	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil10d.exe"	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}	flash.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0"	flash.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}	flash.exe

Modifies Shortcut Icons 1 IoCs

Modifies/removes arrow indicator from shortcut icons.

ransomware

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\29 = "C:\\Windows\\System32\\imageres.dll,196"	reg.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached	regedit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	regedit.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "232"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	regedit.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\ = "Shockwave Flash Object"	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable	flash.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r17\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r23\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ = "_IShockwaveFlashEvents"	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ = "IFlashBroker3"	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDA9221C-1B37-4562-B26A-3DED14C8FDDA}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDA9221C-1B37-4562-B26A-3DED14C8FDDA}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AA53EE6-3170-4D34-A020-B6443A53A257}\VersionIndependentProgID\ = "IEMaximizer.IEMaximizerObj"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz2	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.taz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDA9221C-1B37-4562-B26A-3DED14C8FDDA}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Program Files (x86)\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}	flash.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\HELPDIR	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.z	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC12326E-E897-4E2E-A51C-25F07F8A57BE}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r12\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew\FileName = "C:\\Program Files (x86)\\WinRAR\\rarnew.dat"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\ = "ISimpleTextSelection"	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz2\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID\ = "FlashFactory.FlashFactory"	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\TypeLib	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEMaximizer.IEMaximizerObj.1\CLSID\ = "{1AA53EE6-3170-4D34-A020-B6443A53A257}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl\ = "ShockwaveFlash.ShockwaveFlash"	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r04	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r28	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ = "IFlashAccessibility"	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AA53EE6-3170-4D34-A020-B6443A53A257}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC12326E-E897-4E2E-A51C-25F07F8A57BE}\1.0\0\win32\ = "C:\\Windows\\IEMaximizer.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.z\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ = "Shockwave Flash Object"	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash\Extension = ".swf"	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r21\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.taz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	flash.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\FLAGS	flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib\Version = "1.1"	flash.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tgz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command	uninstall.exe

Modifies registry key 1 TTPs 33 IoCs

Modify Registry

T1112

pid	Process
2884	reg.exe
5004	reg.exe
4884	reg.exe
2008	reg.exe
2200	reg.exe
2416	reg.exe
5104	reg.exe
3980	reg.exe
1484	reg.exe
3340	reg.exe
3476	reg.exe
3996	reg.exe
1696	reg.exe
4556	reg.exe
1208	reg.exe
1004	reg.exe
868	reg.exe
3468	reg.exe
2772	reg.exe
540	reg.exe
3004	reg.exe
2076	reg.exe
4368	reg.exe
380	reg.exe
5080	reg.exe
712	reg.exe
2240	reg.exe
4648	reg.exe
1432	reg.exe
3624	reg.exe
2388	reg.exe
3904	reg.exe
1452	reg.exe

Runs .reg file with regedit 2 IoCs

pid	Process
864	regedit.exe
2424	regedit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3924	schtasks.exe
4864	schtasks.exe
3760	schtasks.exe
3636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2132	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bc.exe
2132	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bc.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2132	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bc.exe
Token: SeTakeOwnershipPrivilege	1680	takeown.exe
Token: SeTakeOwnershipPrivilege	5092	takeown.exe
Token: SeTakeOwnershipPrivilege	932	takeown.exe
Token: SeTakeOwnershipPrivilege	836	takeown.exe
Token: SeTakeOwnershipPrivilege	3436	takeown.exe
Token: SeTakeOwnershipPrivilege	1916	takeown.exe
Token: SeTakeOwnershipPrivilege	3320	takeown.exe
Token: SeTakeOwnershipPrivilege	2744	takeown.exe
Token: SeTakeOwnershipPrivilege	3020	takeown.exe
Token: SeTakeOwnershipPrivilege	1552	takeown.exe
Token: SeTakeOwnershipPrivilege	2260	takeown.exe
Token: SeTakeOwnershipPrivilege	4536	takeown.exe
Token: SeTakeOwnershipPrivilege	3732	takeown.exe
Token: SeTakeOwnershipPrivilege	4448	takeown.exe
Token: SeTakeOwnershipPrivilege	1216	takeown.exe
Token: SeTakeOwnershipPrivilege	3824	takeown.exe
Token: SeTakeOwnershipPrivilege	3564	takeown.exe
Token: SeSecurityPrivilege	1200	mcbuilder.exe
Token: SeShutdownPrivilege	4044	shutdown.exe
Token: SeRemoteShutdownPrivilege	4044	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4256	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 1908	2132	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bc.exe	88
PID 2132 wrote to memory of 1908	2132	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bc.exe	88
PID 2132 wrote to memory of 1908	2132	a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bc.exe	88
PID 1908 wrote to memory of 1484	1908	cmd.exe	90
PID 1908 wrote to memory of 1484	1908	cmd.exe	90
PID 1908 wrote to memory of 1484	1908	cmd.exe	90
PID 1908 wrote to memory of 680	1908	cmd.exe	91
PID 1908 wrote to memory of 680	1908	cmd.exe	91
PID 1908 wrote to memory of 680	1908	cmd.exe	91
PID 680 wrote to memory of 224	680	wrar391.exe	92
PID 680 wrote to memory of 224	680	wrar391.exe	92
PID 680 wrote to memory of 224	680	wrar391.exe	92
PID 1908 wrote to memory of 3904	1908	cmd.exe	93
PID 1908 wrote to memory of 3904	1908	cmd.exe	93
PID 1908 wrote to memory of 3904	1908	cmd.exe	93
PID 1908 wrote to memory of 3644	1908	cmd.exe	95
PID 1908 wrote to memory of 3644	1908	cmd.exe	95
PID 1908 wrote to memory of 3644	1908	cmd.exe	95
PID 1908 wrote to memory of 1600	1908	cmd.exe	96
PID 1908 wrote to memory of 1600	1908	cmd.exe	96
PID 1908 wrote to memory of 1600	1908	cmd.exe	96
PID 1908 wrote to memory of 700	1908	cmd.exe	97
PID 1908 wrote to memory of 700	1908	cmd.exe	97
PID 1908 wrote to memory of 700	1908	cmd.exe	97
PID 1908 wrote to memory of 1912	1908	cmd.exe	98
PID 1908 wrote to memory of 1912	1908	cmd.exe	98
PID 1908 wrote to memory of 1912	1908	cmd.exe	98
PID 1908 wrote to memory of 4136	1908	cmd.exe	168
PID 1908 wrote to memory of 4136	1908	cmd.exe	168
PID 1908 wrote to memory of 4136	1908	cmd.exe	168
PID 1908 wrote to memory of 2924	1908	cmd.exe	100
PID 1908 wrote to memory of 2924	1908	cmd.exe	100
PID 1908 wrote to memory of 2924	1908	cmd.exe	100
PID 1908 wrote to memory of 2264	1908	cmd.exe	101
PID 1908 wrote to memory of 2264	1908	cmd.exe	101
PID 1908 wrote to memory of 2264	1908	cmd.exe	101
PID 1908 wrote to memory of 4260	1908	cmd.exe	102
PID 1908 wrote to memory of 4260	1908	cmd.exe	102
PID 1908 wrote to memory of 4260	1908	cmd.exe	102
PID 1908 wrote to memory of 4776	1908	cmd.exe	103
PID 1908 wrote to memory of 4776	1908	cmd.exe	103
PID 1908 wrote to memory of 4776	1908	cmd.exe	103
PID 1908 wrote to memory of 1136	1908	cmd.exe	104
PID 1908 wrote to memory of 1136	1908	cmd.exe	104
PID 1908 wrote to memory of 1136	1908	cmd.exe	104
PID 1908 wrote to memory of 4660	1908	cmd.exe	105
PID 1908 wrote to memory of 4660	1908	cmd.exe	105
PID 1908 wrote to memory of 4660	1908	cmd.exe	105
PID 1908 wrote to memory of 2804	1908	cmd.exe	106
PID 1908 wrote to memory of 2804	1908	cmd.exe	106
PID 1908 wrote to memory of 2804	1908	cmd.exe	106
PID 1908 wrote to memory of 1004	1908	cmd.exe	107
PID 1908 wrote to memory of 1004	1908	cmd.exe	107
PID 1908 wrote to memory of 1004	1908	cmd.exe	107
PID 1908 wrote to memory of 3964	1908	cmd.exe	108
PID 1908 wrote to memory of 3964	1908	cmd.exe	108
PID 1908 wrote to memory of 3964	1908	cmd.exe	108
PID 1908 wrote to memory of 3340	1908	cmd.exe	109
PID 1908 wrote to memory of 3340	1908	cmd.exe	109
PID 1908 wrote to memory of 3340	1908	cmd.exe	109
PID 1908 wrote to memory of 1768	1908	cmd.exe	110
PID 1908 wrote to memory of 1768	1908	cmd.exe	110
PID 1908 wrote to memory of 1768	1908	cmd.exe	110
PID 1908 wrote to memory of 868	1908	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bc.exe
"C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bc.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Install.bat" "
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\001 /V 1 /D "REGEDIT /S C:\Windows\register.reg" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1484
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe
    C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe /s
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:680
  - - C:\Program Files (x86)\WinRAR\uninstall.exe
      "C:\Program Files (x86)\WinRAR\uninstall.exe" /setup
      4⤵
      Executes dropped EXE
      Modifies system executable filetype association
      Drops file in Program Files directory
      Modifies registry class
      PID:224
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe
    C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe /s
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:3904
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 IEMaximizer.dll /s
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:3644
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 29 /d C:\Windows\System32\imageres.dll,196 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies File Icons
    - Modifies Shortcut Icons
    PID:1600
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
    3⤵
    PID:700
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I "Starter"
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
    3⤵
    PID:4136
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I "HomeBasic"
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I "HomePremium"
    3⤵
    PID:4260
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
    3⤵
    PID:4776
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I "Professional"
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4660
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I "Ultimate"
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:1004
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I ACRSYS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3964
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:3340
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I DSGLTD
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1768
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:868
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I ALWARE
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:3468
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I BENQ
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3464
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2884
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I DELL
    3⤵
    PID:5108
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:5004
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I ASUS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:644
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2008
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I FOUNDR
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1772
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:2772
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I FSC
    3⤵
    PID:4620
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:540
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I FUJ
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4884
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I HPQ
    3⤵
    PID:448
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2388
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I LENOVO
    3⤵
    - System Location Discovery: System Language Discovery
    PID:748
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3476
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I MEDION
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2200
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I MSI
    3⤵
    - System Location Discovery: System Language Discovery
    PID:888
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:380
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I NOKIA
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2888
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3004
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I SECCSD
    3⤵
    PID:3844
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4556
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I Sony
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3872
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2240
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I TOSASU
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2440
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2416
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I TOSCPL
    3⤵
    PID:4108
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:1208
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I TOSINV
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4460
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4648
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I TOSQCI
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4456
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:3980
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I AVERATEC
    3⤵
    PID:3868
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:1432
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I JOOYON
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2652
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:3996
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I LG
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4836
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5080
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I NEC
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1744
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:712
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I SHARP
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4396
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3624
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I TCL
    3⤵
    PID:4668
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:3904
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I HASEE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4840
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1696
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I GBT
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2892
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2076
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I haier
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4136
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:1452
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I QUANMX
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5104
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I THTFPC
    3⤵
    PID:4020
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY HKLM\HARDWARE\ACPI\RSDT
    3⤵
    - Modifies registry key
    PID:4368
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR /I TRIGEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4756
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Windows\System32\slmgr.vbs -ipk
    3⤵
    PID:2776
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe
    data\N7\Tasks\GD.exe /y
    3⤵
    - Executes dropped EXE
    PID:3008
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe
    data\N7\Tasks\GD.exe /m
    3⤵
    - Executes dropped EXE
    PID:2884
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe
    data\N7\Tasks\GD.exe /d
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\N7\AD.cmd
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:4068
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\N7\AD.cmd /deny everyone:f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4308
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\N7\BD.cmd
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2852
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\N7\BD.cmd /deny everyone:f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:540
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\N7\GD.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4828
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\N7\GD.exe /deny everyone:f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:920
- - C:\Windows\SysWOW64\sc.exe
    sc config sppsvc start= demand
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3324
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask" /f
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask1" /xml data\N7\Tasks\SvcRestartTask1.xml /ru System /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3924
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask2" /xml data\N7\Tasks\SvcRestartTask2.xml /ru System /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4864
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask3" /xml data\N7\Tasks\SvcRestartTask3.xml /ru System /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3760
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask4" /xml data\N7\Tasks\SvcRestartTask4.xml /ru System /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3636
- - C:\Windows\SysWOW64\netsh.exe
    C:\Windows\System32\netsh.exe interface tcp set global autotuninglevel=highlyrestricted
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1964
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s data\Option\Prefetch1.reg
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\Temp /r /d y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:3496
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\Temp /t /grant everyone:f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\System32\slmgr.vbs
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\System32\slmgr.vbs /grant everyone:f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\System32\systemcpl.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5092
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\System32\systemcpl.dll /grant everyone:f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:4792
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\System32\sppcomapi.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:932
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\System32\sppcomapi.dll /grant everyone:f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:1740
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\System32\winver.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:836
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\System32\winver.exe /grant everyone:f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4576
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\System32\user32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3436
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\System32\user32.dll /grant everyone:f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:3376
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\ko-kr\shell32.dll.mui"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1916
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\SysWOW64\ko-kr\shell32.dll.mui"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3320
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\ko-kr\themecpl.dll.mui"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\SysWOW64\ko-kr\themecpl.dll.mui"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\ko-kr\Display.dll.mui"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1552
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\SysWOW64\ko-kr\Display.dll.mui"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2260
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\winsxs\x86_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_2bba41a8e9e5ffdb"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\winsxs\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_87d8dd2ca2437111"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\winsxs\x86_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_60d6493e5ec01332"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\winsxs\amd64_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_bcf4e4c2171d8468"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\winsxs\x86_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_6d88dfdedf2ef7a4"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3824
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\winsxs\amd64_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_c9a77b62978c68da"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3564
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s data\Shortcut\MuiCache.reg
    3⤵
    - Modifies data under HKEY_USERS
    - Runs .reg file with regedit
    PID:2424
- - C:\Windows\SysWOW64\mcbuilder.exe
    C:\Windows\System32\mcbuilder.exe
    3⤵
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" del C:\Windows\Prefetch\*.* 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2240
- - C:\Windows\SysWOW64\shutdown.exe
    SHUTDOWN -R -F -T 00
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4044

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3884855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WinRAR\Rar.txt

Filesize
70KB

MD5
e8ec8d1e5f0e78752a8b82822bb75f76

SHA1
eae3513a3e56e8b99761a0cd44c1f9828e2da293

SHA256
7c1fe0d8f6c802da18aa0f37902c1559a29c5073246e28258eb89f7983aaa643

SHA512
d7b84eb535762ca6b422e2cab59fcc3c02cd07b03ff432f68212aa5c8eac879567ffcb21ed3aacd655d58d18307f9f343df4013a9fbeb5d168184ddd69089ee8

Download Submit
C:\Program Files (x86)\WinRAR\Uninstall.exe

Filesize
117KB

MD5
49799aa663bf45a3c37dd739a5116d81

SHA1
ac088d8134ccbd9d1df3794c16f9778a3d588c56

SHA256
369e163608ecc4edec6a476ae5935b16230210de2f637b1eff03565214277632

SHA512
c525396822b23d4a11866239cdce33aa1c8e5d373f0ccb36a2196e5dcd9a9e5b287caa8aeb542e079b397018a45973c01ab3326a5228d2f607bdbffbd1446cd6

Download Submit
C:\Program Files (x86)\WinRAR\WinRAR.chm

Filesize
309KB

MD5
66a2ed9fa095a68fdbed52151d096bbf

SHA1
49d8a6375078deb929070643dd205b276a77d82c

SHA256
bd58f7952f7e92ef7ae0367f1ec0090473ab4587e27e83d4856c650325bb71da

SHA512
3dc4c603ba044c7fcaa5d4187ffa10952771f5694ca114c69057f99d3fdc56b79647d833285083419842822e64329115a26066866fdd814268d6392689c07c63

Download Submit
C:\Program Files (x86)\WinRAR\WinRAR.exe

Filesize
999KB

MD5
31ae4919723e41ae26a0ca390489c508

SHA1
c36b00ad8bc7486a95935c4fb1bb45a70b4e4f92

SHA256
68937e03154d4957e7280ad29951047509ddbd0a00210570478270a84cc12096

SHA512
bd0c5e32159929ba1b0f966fed8a9d96ffed8ad080c359e65c39705025328627682f3d6ba507a5d1b96f9d5ad72ebdd6e68fd0a021cc39d31f9ac6918ab78a96

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\AVERATEC .XRM-MS

Filesize
2KB

MD5
172c78e78366f8dcbe4c4a5546bad60b

SHA1
67022b142bd1a0248206d1d10da3d51f88b4e1ef

SHA256
4a99e456460a326f2659706f031efe268d0dfabfb40f77d84dde6a5ba0e6e664

SHA512
4dc34aad5783835ac64328b9b351af8f1dfa6372ea5403582d62bc48398e5d56a169aef4fcce24e28ec04c64fbee1352ff433645f0e8faae438dd392e15fa6a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\IEMaximizer.dll

Filesize
48KB

MD5
8bda56f78a481b0b82cbee68b0e21e6b

SHA1
738c4cac60703a918b7be5f3024b93662f2803e1

SHA256
98d17e31e263dce151255413a73dc8db0d6ba9a3325cc9b243a516caa3b5d7d9

SHA512
8b5426b231bedeffb4e9f7c3896fd5cc56299830e6a6d0975d4b7c211cb1bc14ce48619867baec3a707199f5fd175eed6f6331b34a196d93929480ce100bbbe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Install.bat

Filesize
18KB

MD5
9c671c46f977dd5967c95d110c022c6e

SHA1
42bafcbe214731c82e5199a7a6b918204ae8874e

SHA256
7088a6d70b9b90638ff569cafcab4f15466f4157e48f59301e266c39fb7981d0

SHA512
14080eccef9103323722d7abe4ad2e17920313ca3763be7238bf20cb76b0f55de64638b71dcff9a971b5b5bdbc0f4392bf214f6e1937c857157ea6cb3be33373

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\REGISTER.reg

Filesize
9KB

MD5
63020cbe973fa1ad07d932f7b1ffe54b

SHA1
43e7cef771362ba633c0f8ef569b42dacb3c8f62

SHA256
ba66da2025be4dfab3ffd08c4b4b2f5bc0511e9d784a993f4e6b9854a98cce3e

SHA512
ee3c135d7e527f9b877e22fbcae20f667511600a1ffd1b11e40ffac032291ee3180480f407f2232689ceebc5d481759a7fe1804e88a6abdc4b1707775eda9dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\AD.cmd

Filesize
958B

MD5
54d60650b4eb2f3ef4e751b08ef7c625

SHA1
9a612c4387eb5ab685f216826ba7d678817291ca

SHA256
6b1b29b19c4b1fde2503aa71f52c46643ad6267d835bbeef4fa2b4178ef50da2

SHA512
e29c6a939eedbaee591f37b65e4658210eab081b752394deb20856e0f9913f5f437ce479a81ee27aea824c06cfec5b4984bc42d25988d2349ada54ae646129f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\BD_Tail.cmd

Filesize
261B

MD5
64f19535d32b3df27bd0e4c8988eb90c

SHA1
79671f917cd93f5d44d5d63458474c433e279648

SHA256
bbe6e8ed9a625ed8364374b92dff3c1dd032177ce797857f851aa081ef1e89ee

SHA512
041d52db4602d446bcc92ce1380ae76e40e2108fac8fe031a46f4eb6cc654af5bdb4e1d5c48fa74bf83bd58b317e316080d91d2782dc412f1c636785163b761c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe

Filesize
188KB

MD5
849c3feba650d42a5a7ac46062d59c54

SHA1
a4396db103cd5841915a37a52cc827e90c4c368f

SHA256
623adc6fa585a467cfe67ca27629bf1ae2a9056103f3edcc71ca07fd223b8512

SHA512
a1b6ecfa25d31389dee930fea400ccb7085fbcb52f193d7a8fb768be7ccafe73747a7980caf56de2e1e762f4ef7660fb4659e74dd7288135e77cefa330edaa67

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\SvcRestartTask1.xml

Filesize
3KB

MD5
4999ae501e729ed8c34a0f6984b8b83a

SHA1
336f033bce30edcff75a696252ffcc19f368ba5f

SHA256
476ca80be8e0921303fabfa69c941c1c3019754f70eb5f2ab0820af6f4e5d4a3

SHA512
e2060469be064242539c55b6c7dbec22cbdce6d1feaad56ffec3d56b7045fab60df683c06afd54a73c45a5ebe9e1e8b5d1f8e73b897945da941ab3cf08eb8112

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\SvcRestartTask2.xml

Filesize
3KB

MD5
01027180a6a26c5a2e3bf551f1dc7c44

SHA1
9b01c13025713a3fb00467e3d0176c742240c4f0

SHA256
b2ffd969413c208f1a69812055182506c887c7769794ca686ce68e66a2e87bf6

SHA512
bba113a44768731ad6e6a64839c07d026e03be14359749850bdd9549b9714f0336d6c27bab0d725913f1cbfdfbec694269d224807066ae68a50e1aa66c522f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\SvcRestartTask3.xml

Filesize
3KB

MD5
a293dbb2f8d2b1cf104cc5069bdc72e0

SHA1
42ef5370901fbac970633f44d11312670a2b4781

SHA256
a0ee763e8ca1a446d13a34cc14348c897b90053903fcf4bc415c6c20ecf3ef99

SHA512
9331f66eccbefc19b66bd983bf26c830901a9bb5ca33fbeeb821fc36c1722484cf9301e0d732133738b134461c537bd4a350fbf2d4be5ea07bb668cff389b4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\SvcRestartTask4.xml

Filesize
3KB

MD5
a34211b7e172d80ac6db1d1ab87fbb6d

SHA1
a7979e0a0d2122430081c4a06d73526095b54580

SHA256
bdd78e2045f43717423b66a338b0a5815359c13eedca5a6a70b79c3440682689

SHA512
d0285a77f7dc2042f49da61ba0d3d336024375d43b0b64bdc3e94ce47ba96b9b415ddcd90da43fd99381a0f3082f6f418e47163b1d683dd062e006eb82c263b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\TD.cmd

Filesize
395B

MD5
bdad2ade38f1dc5981087777b338e327

SHA1
0699e002c935d9b46df7a35bc8f0ec8b031e1027

SHA256
892d46ea5fd5547fa057fbbc09ef7ea8eca66d513cb80652310d9524b95dfc3f

SHA512
98c5a1c0f1aa9f5255034a8d34e45a6a913e53f704dc185c7032933b8f9af0eec7bca87b5b806103bc84b62aaebc15f92efccc1c44bcc93a5eb2d3ccc9018d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\x64\slmgr.vbs

Filesize
107KB

MD5
574e64a8373ee84bef032e205725527e

SHA1
4e3f5b2f3330f3735cd019f764ef856f5208ac13

SHA256
f188be045a388b2c028592cd61399d6d082099c35c05b620e396faa5a20ff04a

SHA512
dad8d2a1e6ba7d9c0bb447dba365b3d41c09925b1bb5566dd9ac7ab9fcfea4c4e906ef0d01c7666e2b8f85249281d3cb08b34f518b799670d2203eeb08a1b857

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\x64\sppcomapi.dll

Filesize
1024B

MD5
69d9d1785ec1f5032538f2696210e2e2

SHA1
7dacc1c0fb5ca9e92fc1fcd90a23d74b75042c00

SHA256
444d4dfb574dcc145067b19763befd65d0e6ad9a7bb1423c92ef4ff4f6638145

SHA512
82839d76bc10dbc8849fc3879b3c776e218ed4d8496a40226116aa64798bdac41173a2dada4cc4478776c82af69cc5de541cd71fdc03eeb0301768dec0ef9e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\x64\systemcpl.dll

Filesize
410KB

MD5
911eb55f9f74a6383983e0a6a8a2772d

SHA1
5f40c2e1ff4e6a544ed160b355b6673925d66741

SHA256
3ab580c2f8d5588ced041a96b686c88987f8217283066e408d5092f0eac7c079

SHA512
0cec6c11552936c9af72b9eb8ac7d12abfde1caea99471e421375926705a4427df4727b0645663c6a267d2957ad741e29c5f74950bfa6adeaf1754eb061b390a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\x64\user32.dll

Filesize
985KB

MD5
e573bd9ab55c8e333c202b9e255f972e

SHA1
460bde795885134b48465dc73797db695af33e1f

SHA256
79bec0da770265d1a525330b2e732e055edde617bcc2848c2742492f9dbc881e

SHA512
bcae097591cbc66e20771ef69e6544e5f951e0821b8d2a4779e524c542e5ad1d75ff683a15a76f5577e1e1389f4058cd36da7d0c785c504b2305cc144dc7b4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\x64\winver.EXE

Filesize
12KB

MD5
7941f0c4bd4004269b268e66752dac9b

SHA1
6accf1d9b5981eb12a22c530c3d37be9ca54c415

SHA256
06c59055bd2d5bc2fc1950abb377b0aa33f74d8faab3ee074d54a2f8a93e38d2

SHA512
c8a720341ffeb39939d18c7d9f1c298554db5768d34bb24bfdf6f9f66ddbfb1884b7b20c30229cacc674856acf032081d55be4738bd7be7e1acbd781b25272a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Option\Prefetch1.reg

Filesize
582B

MD5
f2e7e95075c04b3bec89118952aeacf9

SHA1
669fcdbe70dced5524c91b631d7241b9ec0e1d8d

SHA256
a568d9604a56f35a3726636cd33c69ad48f607f55744565ba613addc432f1165

SHA512
a3121c0ea0afdae0a231df264745f90ae7660107ff24145e87d722a61b8497bdffc45cb9e2f13e4b5c0e96f577ac08b105a57015b14f8cc8575343d341776b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\MuiCache.reg

Filesize
862B

MD5
91bd16ffa806694171e89ce6bf40ce5f

SHA1
4d776c6e5b565a2002f8559f77b5320fa8420b72

SHA256
06b91106a4169ee981a38915e694b6409f7c8cf11fef3ee845d218c32d71e509

SHA512
c9ed43ad2d7b0c7373fab8f14bf3a50b8541d730598cda4ef6af36724ed6a65ae2e5a81567de196f30f90b073a48ac61b3fc72ca14908f63a45092f33e48e61d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\SysWOW64\ko-KR\Display.dll.mui

Filesize
10KB

MD5
7e74f142b1aaca35c3c6cf28b6a40b86

SHA1
5fb838b42fd9268f95769a301ea214519f144768

SHA256
3bb9a3802f2a5aae367d46d39d478f0cd15fd7b1208acbbb7fca5426fdc6aba8

SHA512
c5f3b19330d8f61a721fe1f94d39477a3ed45406ce9cef92dd599dd860381081ed211fd37b13457c5a8b4ca6db466f22e91a1e72a67f3444804a076a67084019

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\winsxs\amd64_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_c9a77b62978c68da\Display.dll.mui

Filesize
10KB

MD5
827d5f1094f6fb7ac4252dbeb193e9e9

SHA1
10e3b1eb59cdda5aa79f5d78dfc5269d1c8c15c3

SHA256
a6fd479ff612d294eb72597f434aed310ae06a6226de49368af077fe843a0bff

SHA512
717ca7697c66c94d1874fae1202db37a2269a63df0235705def1e05289a2f56c400d0f55ae68333aa3386e2625857f844d38cf9eadea09850da36287cb5d18a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\winsxs\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_87d8dd2ca2437111\shell32.dll.mui

Filesize
288KB

MD5
1ffdf30fd8c8a747fd9add1497530072

SHA1
63954a4f3703a07e126a4dc345ac6ea1ac090d77

SHA256
7dc85b3a6324c3b5ad8b5b6be9ffb87b7cf15c6f0b0ff2376a8fa1242e791208

SHA512
99729dc858d885c258af44ad3492456644eb84ce0a772137ce1a9d4ca0e5765eb1d5d49351c943e4e21456f9a5775404effdc5649a8cc53e4c972d5b05be0961

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\winsxs\amd64_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_bcf4e4c2171d8468\themecpl.dll.mui

Filesize
9KB

MD5
c6e7e1674fd77fe944dc40ccf5fb8ab3

SHA1
70dfa87edeb19f11a4f8c423a32749c43df580b1

SHA256
9bd7b658137b2320eb25af1fdfd3f439fb57a5893f6d8429bd785ee468e66e78

SHA512
fd2ce2b54e1fa446461eda5f1c4c93e8de0fe2ea0b76d3f29afaf1fa8d01796ac3e865b5ee526d17b31a42bcab67e5a3b7abd2a1edcaba89e05f9d6f282e7d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\winsxs\x86_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_2bba41a8e9e5ffdb\shell32.dll.mui

Filesize
288KB

MD5
6bbc2ca29605dc83bd8f86eee2a98539

SHA1
1e0c4b316426be15c289c1a9e486e9b3e3095f0e

SHA256
e037bafa4dcca2f458b91bbbb1b6eae0604c0ab89d2622dabcf06c8c2328887f

SHA512
9fc7139eef0a35f3c754251871b512d2fdf5f063ded8171f7a27fef0b465d0396437c04506c210adc3d82b2a1b8604e766220957aa5a09792c25e96ef352a6d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\winsxs\x86_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_60d6493e5ec01332\themecpl.dll.mui

Filesize
9KB

MD5
f7f931c5ac61c58a794b1cc7b064e095

SHA1
84adfebd384a8c0821188d0c724469835fe7f574

SHA256
a94c0c8aeef54296a3662a744be2ab6f8c078a216c044aed047ac2555f1f71f5

SHA512
819099165a84162bc9f91d5ef9da9c029c0606d4e43e4e29068af021960eb41ff3700358fc29760333c2879cb41a6a95ccb170d6a8638c2449917eca5cba0ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x86\System32\ko-KR\shell32.dll.mui

Filesize
288KB

MD5
388ab00bc5a69f77f6ed8d1fd8ace855

SHA1
549b86c3087e98c13cb7cf4b7e718c6fbb8e92cb

SHA256
beeb3badd1b569dbcf601d5cd02527c8a57ede2c5a9f6d42e1a6d02f8cb1c12e

SHA512
bf3319ffd33c6a6483351496382792129f5f23acaf55a9a380b056860913a2eb5957e4f9dd842972e0d15e0e18f6846ac0618df71362ac501036ad0c7dd6cec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe

Filesize
1.9MB

MD5
128ada8119b4f860e1aca1891e8abde2

SHA1
f4ec0e95099e354fd01cd3bb27c202f54932dc70

SHA256
016b77d19d9fde6f7d5b477eb7008df80c51ff02acb5f950c986e45a0c2a78d3

SHA512
33df2213fb8580fa2f377f0f9a5d8c526a0e018998bd64e85a0b3db6aedc5536224b87097e8af75f3845e45ce0032174f08346b154e5de94578cfbfba9c4375f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rarreg.key

Filesize
509B

MD5
a508f08707b56a83b2e17c88694cf9f6

SHA1
eb767de79732e94769d146ddd70dbd94db390ab5

SHA256
510929488b7ef3827fde8860369cd867b2b02d48c7e4bbb86db48eb833bcee4a

SHA512
45a0b54bbd5281a9e392aa051c5e601e015496da4f4c5aef841e9eb10bbee03dbec88f3d6c901f29f5962fb05cd16efdd7cb19fa6bd99718a6e57cf77b8af83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe

Filesize
1.4MB

MD5
9fd58d13b4543c52685d4f77bebb34c1

SHA1
9b227de95bfbf859abeb22502a447948f2e6f5ac

SHA256
7548334ef0a06989c22003af8a9bfd9a74e8026fa422bbc7dfeddc42d2221712

SHA512
f580500c0154f606bed5a914ec86ebbe72c0064892c980ee8e9d65b53ea5e37da9523616901c168846aca91f4b7ce4cf5a30bd67406c739939b8bbc9f3ef930e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC248.tmp\NSISArray.dll

Filesize
17KB

MD5
2b8574f6a8f5de9042baa43c069d20ba

SHA1
07959da0c6b7715b51f70f1b0aea1f56ba7a4559

SHA256
38654eef0ee3715f4b1268f4b4176a6b487a0a9e53a27a4ec0b84550ea173564

SHA512
f034f71b6a18ee8024d40acd3c097d95c8fd8e128d75075cc452e71898c1c0322f21b54bd39ca72d053d7261ffbab0c5c1f820602d52fc85806513a6fe317e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC248.tmp\System.dll

Filesize
10KB

MD5
16ae54e23736352739d7ab156b1965ba

SHA1
14f8f04bed2d6adc07565d5c064f6931b128568f

SHA256
c11ffa087c6848f3870e6336d151f0ba6298c0e1e30ccddf2da25a06d36a61fc

SHA512
15dbfcdc5dc34cb20066120045e3250f8df9e50b91de043f2ada33ac0235907d98668e248828a7ed9c75e25dfb5103b7248867530ce73ee36f6a35c30b4afa9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC248.tmp\UserInfo.dll

Filesize
4KB

MD5
68d73a95c628836b67ea5a717d74b38c

SHA1
935372db4a66f9dfd6c938724197787688e141b0

SHA256
21a373c52aaecce52b41aebe6d0224f53760fc3e5c575e821175eee3a1f7f226

SHA512
0e804deab4e647213132add4173c1d2c554c628816f56e21e274a40e185d90254e29c8bfc6fbfdfea2a492d43d23c0bfa4b276252a3f5e1993ab80ff832c4914

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC248.tmp\fpinstall.dll

Filesize
8KB

MD5
071b6233c92f69ffa1c24243328c3b94

SHA1
bb583c00e87cdc65e6254c7148d37afc1bbb3095

SHA256
5f6c63cb0ba539d692c5461730f057d0ec6c60639d772fbdc3753c3c6e746c43

SHA512
7fc2db406350488ee86ccffe1e99a91e0f509ef0429063336bf6f96aab07127df352db77fe9d00ddc3aa2db7886dfbac08b6acf6a5c647859956111ca47c24f1

Download Submit
C:\Windows\N7\BD.cmd

Filesize
320B

MD5
cb0823d95a1cdd8a890b050ad4a3262a

SHA1
76bf7ef7222845c94393c97059c71e5a770f01f9

SHA256
84be43ad5a1f4d0166767bebd028fa0b8cb465fbf4765c59b3757e8f7753967a

SHA512
90f1deeb9f26c3b74a2cb65e54548397e84968c23af7796484ecc4a045d3886bddd8dff67adce68a056dc6b860eac686115aa33bea47ae9e90ec4ca670678ce7

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\Flash10d.ocx

Filesize
3.8MB

MD5
3e5c5ed3eaec55aba27f68440360ae05

SHA1
af372129cd7e6fa3b99cd5b6ebfba034afc8de65

SHA256
57937c093124bd488a449d855076a5bd359ecf9ded8533838833032e7efaca45

SHA512
5d484bce66eda05b545a161c82b848403b11801399d6ac3475e504e593d1d3a8eb7107180454f6cf02b1e7092ba506c322a6931c22508ce22d9a24db74603361

Download Submit
C:\Windows\SysWOW64\ko-KR\shell32.dll.mui

Filesize
288KB

MD5
444db064085de7b71826643b2f8ef0b9

SHA1
6474c58ed7f3da30519278c3667a6d7ee8f7cfb0

SHA256
e47fa18abeb6f74fc1ea233d0bc5ab9687a33db3f1294936be7fdf7244a917b6

SHA512
4fc14d8342736e39d96c195e5c3db3ff74e40b64523641a0eb19e710b49a3a9adcda327f294365cf511a0689d80b9d888b6d5a8b9efa0b523600a4263440f86f

Download Submit
C:\Windows\Temp\26140.tmp

Filesize
1.6MB

MD5
5870ea0d6ba8dd6e2008466bdd00e0f4

SHA1
d41bf60d0dedff90e3cfc1b41b7e1a73df39a7d5

SHA256
5a7dac8c8b5d7cf1115246dfaf994e7f50e16a7eac1488642396f5e23fddfe0d

SHA512
0c620d5e7383adcf979feccc3b1bad584a5cec8b3d74d0ace8bb786f1f04ba87fa70d59d041dc3833977d44a75f2070181d4054c7c0b9c4ce2d66249b4b3c837

Download Submit
memory/2132-439-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2132-505-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2132-503-0x0000000077A20000-0x0000000077BC0000-memory.dmp

Filesize
1.6MB

Download
memory/2132-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2132-601-0x0000000077A20000-0x0000000077BC0000-memory.dmp

Filesize
1.6MB

Download
memory/2132-604-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2132-603-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2132-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads