Analysis
-
max time kernel
63s -
max time network
52s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
19-11-2024 15:29
Behavioral task
behavioral1
Sample
6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe
Resource
win10v2004-20241007-en
General
-
Target
6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe
-
Size
6.1MB
-
MD5
02bec9d86e4839199a60b334dd650e60
-
SHA1
8f86b49725abfae4c201654f3aa43ec0041cea39
-
SHA256
6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82
-
SHA512
660d932f4b2fe56d175ba3c2823a0501d13e29876766a57bd4df5b345177887b48fb9eedcf0c3929cca509f49a2bb189395e82c2418fa6e8834e0a2f79425243
-
SSDEEP
196608:iLmGZT4llVN1apVkFGT5KSPNOe7mBuyQzh:iyST4TlIGWK+N0BnQzh
Malware Config
Extracted
xred
xred.mooo.com (C2 hostname on a shared dynamic-DNS domain; the first payload_url below queries the FreeDNS/afraid.org API, so resolve the name at analysis time rather than pinning a single IP)
-
payload_url (live staging locations — treat as IoCs and do not fetch from an unprotected host; each artifact (SUpdate.ini, Synaptics.rar, SSLLibrary.dll) is mirrored on Google Docs, Dropbox and xred.site50.net, so blocking the two xred domains alone is not sufficient — block the exact URLs or the Google/Dropbox object IDs)
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Note: the single write sets Winlogon\Userinit (Wow6432Node view) to "C:\Windows\system32\userinit.exe,", which is the stock value, so on its own this looks like a reset rather than a hijack. On a real host still confirm that no extra comma-separated entries follow the default and that userinit.exe on disk is unmodified.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe," swreg.3XE -
Modifies security service 2 TTPs 53 IoCs
Note: every write here is made by regedit.exe, i.e. a .reg import rather than direct registry API calls by the sample. The values for wscsvc, wuauserv and WinDefend (svchost ImagePath, stock ServiceDll paths, Start=2) are default-looking service definitions, and wscsvc is written twice with different ImagePath/ObjectName pairs; this is consistent with a cleanup tool restoring service configuration, but verify after the fact that each service actually loads the expected DLL.
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\ImagePath = "%SystemRoot%\\System32\\svchost.exe -k LocalServiceNetworkRestricted" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath = "%systemroot%\\system32\\svchost.exe -k netsvcs" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters\ServiceDll = "%systemroot%\\system32\\wuaueng.dll" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters\ServiceDllUnloadOnStop = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\DelayedAutoStart = "1" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Enum\0 = "Root\\LEGACY_WSCSVC\\0000" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ServiceSidType = "1" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\DisplayName = "@%ProgramFiles%\\Windows Defender\\MsMpRes.dll,-103" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\ObjectName = "NT AUTHORITY\\LocalService" regedit.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\FailureActions = 805101000000000000000000030000001400000001000000c0d4010001000000e09304000000000000000000 regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "2" regedit.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\DependOnService = 520070006300530073000000770069006e006d0067006d00740000000000 regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\ObjectName = "LocalSystem" regedit.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\ErrorControl = "1" regedit.exe Set value (str) 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\ImagePath = "%SystemRoot%\\System32\\svchost.exe -k secsvcs" regedit.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\RequiredPrivileges = 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 regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Enum\Count = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Type = "32" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Description = "@%ProgramFiles%\\Windows Defender\\MsMpRes.dll,-1176" regedit.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\FailureActions = 80510100000000000000000003000000140000000100000060ea000000000000000000000000000000000000 regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\DisplayName = "@%SystemRoot%\\System32\\wscsvc.dll,-200" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Description = "@%systemroot%\\system32\\wuaueng.dll,-106" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ErrorControl = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Type = "32" regedit.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\DependOnService = 7200700063007300730000000000 regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Type = "32" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\ServiceSidType = "1" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\DelayedAutoStart = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters\ServiceDllUnloadOnStop = "1" regedit.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters regedit.exe Key created 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters\ServiceDll = "%SYSTEMROOT%\\system32\\wscsvc.dll" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Enum\NextInstance = "1" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\DisplayName = "@%systemroot%\\system32\\wuaueng.dll,-105" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\ErrorControl = "1" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters\ServiceDll = "%ProgramFiles%\\Windows Defender\\mpsvc.dll" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters\ServiceMain = "WUServiceMain" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters\ServiceDllUnloadOnStop = "1" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ObjectName = "LocalSystem" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "2" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\ServiceSidType = "1" regedit.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\RequiredPrivileges = 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 regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\ImagePath = "%SystemRoot%\\System32\\svchost.exe -k netsvcs" regedit.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\RequiredPrivileges = 530065004300680061006e00670065004e006f007400690066007900500072006900760069006c0065006700650000005300650049006d0070006500720073006f006e00610074006500500072006900760069006c0065006700650000000000 regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\DelayedAutoStart = "1" 
regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Description = "@%SystemRoot%\\System32\\wscsvc.dll,-201" regedit.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\DependOnService = 5200700063005300730000000000 regedit.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\FailureActions = 80510100000000000000000003000000140000000100000060ea00000100000060ea00000000000000000000 regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\PreshutdownTimeout = "57600000" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "2" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\ObjectName = "LocalSystem" regedit.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Enum regedit.exe -
Xred family
Note: the dropped tool set (PEV.3XE, ERUNT.3XE, swreg/swsc/swxcacls.3XE, gsar/grep/sed.3XE, NirCmd.3XE, Hidec.3XE, handle64.exe) and an IFEO key named COMBOFIX.EXE suggest the infected host program is a ComboFix-style cleanup utility. Many signatures below (service resets, file-association resets, Safe Mode entries, IFEO key churn) are therefore most likely produced by that host program rather than by Xred itself; attribute each IoC by process name before turning it into a detection.
-
Detected Nirsoft tools 1 IoCs
NirSoft utilities are dual-use: some recover passwords and product keys, which is why they are flagged. The only NirSoft tool visible in the process list here is NirCmd.3XE (a command-line automation utility), so treat this hit as evidence of a bundled toolkit rather than credential theft unless the dropped file is identified further.
resource yara_rule behavioral1/files/0x000400000001caec-358.dat Nirsoft -
Disables RegEdit via registry modification 4 IoCs
Note: the signature name is misleading for this sample — all four writes set Policies\System\disableregistrytools to 0, which re-enables Registry Editor rather than disabling it. The signature fires on any write to the policy value, not on its direction.
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "0" PEV.3XE Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "0" pev.3XE Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "0" pev.3XE Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "0" PEV.3XE -
Drops file in Drivers directory 1 IoCs
Note: handle64.exe (presumably the Sysinternals Handle utility) drops the Process Explorer kernel driver PROCEXP113.SYS and registers it as a service (see the PROCEXP113 ImagePath under "Sets service image path"). Confirm the driver file and its service entry are removed during cleanup; a leftover loadable driver is an artifact worth tracking even when it is legitimately signed.
description ioc Process File created C:\Windows\system32\Drivers\PROCEXP113.SYS handle64.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
Note: every entry listed is a key creation or deletion for the bundled helper binaries (PEV.3XE, swsc.3XE, CMD.EXE, COMBOFIX.EXE, …) or a DllNXOptions/ExecuteOptions value written by regedit.exe; no Debugger value write appears in this list, so the classic IFEO debugger hijack is not demonstrated here. Check the final registry state for IFEO\<name>\Debugger values before concluding persistence.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PEV.3XE PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\route.exe PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.3XE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CMD.EXE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXTRACT.3XE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FIND.3XE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WSCRIPT.EXE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\accicons.exe regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\handle.3XE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TAIL.COM pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sf.3XE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GREP.3XE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CTFMON.EXE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GREP.3XE PEV.3XE Key deleted 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SF.3XE PEV.3XE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\Apitrap.dll = "1" regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SED.3XE pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\route.3XE pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe PEV.3XE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEInstal.exe\ExecuteOptions = "0" regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gsar.3XE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NIRCMD.EXE pev.3XE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\divxdec.ax = "1" regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sf.3XE pev.3XE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\jvm.dll = "1" regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CATCHME.3XE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\REGT.3XE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TAIL.3XE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTRUI.EXE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Image File Execution Options\dw20.exe regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\catchme.exe pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\route.3XE PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\extract.3XE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CMD.3XE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MTEE.3XE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PEV.EXE PEV.3XE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\udtapi.dll = "1" regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\handle.3XE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMBOFIX.EXE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HANDLE.3XE PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sed.3XE pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\erdnt.exe pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hidec.exe pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Image File Execution Options\PEV.3XE pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\erdnt.exe PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXTRACT.3XE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FDSV.3XE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HIDEC.EXE PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Findstr.exe pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MOVEEX.3XE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SWSC.3XE pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swsc.3XE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DUMPHIVE.3XE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RESTARTIT.3XE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SWSC.EXE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\vb40032.dll = "1" regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\expand.exe PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\groove.exe regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Image File Execution Options\swsc.3XE pev.3XE -
Server Software Component: Terminal Services DLL 1 TTPs 17 IoCs
Note: all ServiceDll values written by regedit.exe are the stock Windows DLL paths (termsrv.dll, cryptsvc.dll, srvsvc.dll, wscsvc.dll, …). The signature keys on TermService\Parameters\ServiceDll being written at all; it does not by itself show a malicious DLL being installed. Verify the referenced DLLs on disk are unmodified.
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Parameters\ServiceDll = "%SystemRoot%\\system32\\cryptsvc.dll" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\lmhosts\Parameters\ServiceDll = "%SystemRoot%\\System32\\lmhsvc.dll" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\seclogon\Parameters\ServiceDll = "%windir%\\system32\\seclogon.dll" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters\ServiceDll = "%ProgramFiles%\\Windows Defender\\mpsvc.dll" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AppMgmt\Parameters\ServiceDll = "%SystemRoot%\\System32\\appmgmts.dll" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Browser\Parameters\ServiceDll = "%SystemRoot%\\System32\\browser.dll" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters\ServiceDll = "%systemroot%\\system32\\wuaueng.dll" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinHttpAutoProxySvc\Parameters\ServiceDll = "winhttp.dll" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Winmgmt\Parameters\ServiceDll = "%SystemRoot%\\system32\\wbem\\WMIsvc.dll" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\W32Time\Parameters\ServiceDll = "%systemroot%\\system32\\w32time.dll" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\LanmanServer\Parameters\ServiceDll = "%SystemRoot%\\System32\\srvsvc.dll" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\nsi\Parameters\ServiceDll = "%systemroot%\\system32\\nsisvc.dll" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Parameters\ServiceDll = "%SystemRoot%\\System32\\ipsecsvc.dll" regedit.exe Set value (str) 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters\ServiceDll = "%SYSTEMROOT%\\system32\\wscsvc.dll" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\hidserv\Parameters\ServiceDll = "%SystemRoot%\\System32\\hidserv.dll" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PcaSvc\Parameters\ServiceDll = "%SystemRoot%\\System32\\pcasvc.dll" regedit.exe -
Sets service image path in registry 2 TTPs 30 IoCs
Note: with one exception these ImagePath writes come from regedit.exe and point at the default svchost/driver locations for each service. The exception is PROCEXP113, whose ImagePath is set by handle64.exe to the driver dropped under system32\Drivers; that is the entry to review.
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath = "%systemroot%\\system32\\svchost.exe -k netsvcs" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\W32Time\ImagePath = "%SystemRoot%\\system32\\svchost.exe -k LocalService" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinHttpAutoProxySvc\ImagePath = "%SystemRoot%\\system32\\svchost.exe -k LocalService" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\ImagePath = "%SystemRoot%\\System32\\svchost.exe -k netsvcs" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP113\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP113.SYS" handle64.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ALG\ImagePath = "%SystemRoot%\\System32\\alg.exe" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\BITS\ImagePath = "%SystemRoot%\\System32\\svchost.exe -k netsvcs" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\LanmanServer\ImagePath = "%SystemRoot%\\system32\\svchost.exe -k netsvcs" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "%SystemRoot%\\System32\\svchost.exe -k netsvcs" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Spooler\ImagePath = "%SystemRoot%\\System32\\spoolsv.exe" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AsyncMac\ImagePath = "system32\\DRIVERS\\asyncmac.sys" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\COMSysApp\ImagePath = "%SystemRoot%\\system32\\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\lmhosts\ImagePath = "%SystemRoot%\\system32\\svchost.exe -k LocalServiceNetworkRestricted" regedit.exe Set value (str) 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AFD\ImagePath = "\\SystemRoot\\system32\\drivers\\afd.sys" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ImagePath = "%SystemRoot%\\system32\\svchost.exe -k NetworkService" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\ImagePath = "%SystemRoot%\\System32\\svchost.exe -k LocalServiceNetworkRestricted" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Browser\ImagePath = "%SystemRoot%\\system32\\svchost.exe -k netsvcs" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\BridgeMP\ImagePath = "system32\\DRIVERS\\bridge.sys" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ImagePath = "%SystemRoot%\\system32\\svchost.exe -k NetworkServiceNetworkRestricted" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\seclogon\ImagePath = "%windir%\\system32\\svchost.exe -k netsvcs" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Winmgmt\ImagePath = "%systemroot%\\system32\\svchost.exe -k netsvcs" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\ImagePath = "%SystemRoot%\\System32\\svchost.exe -k netsvcs" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Wdf01000\ImagePath = "system32\\drivers\\Wdf01000.sys" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\ImagePath = "%SystemRoot%\\System32\\svchost.exe -k secsvcs" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ProtectedStorage\ImagePath = "%SystemRoot%\\system32\\lsass.exe" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\tdx\ImagePath = "system32\\DRIVERS\\tdx.sys" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ws2ifsl\ImagePath = "\\SystemRoot\\system32\\drivers\\ws2ifsl.sys" 
regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AppMgmt\ImagePath = "%SystemRoot%\\system32\\svchost.exe -k netsvcs" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\nsi\ImagePath = "%systemroot%\\system32\\svchost.exe -k LocalService" regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PcaSvc\ImagePath = "%systemroot%\\system32\\svchost.exe -k LocalSystemNetworkRestricted" regedit.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. No IoC lines are recorded for this technique in this run, so treat the hit as low-confidence until a concrete CLSID/InprocServer32 write is identified.
-
Executes dropped EXE 64 IoCs
Note: .3XE files are renamed .EXE binaries (the same names appear with both extensions in the IFEO list); renaming the extension does not prevent execution via CreateProcess, so extension-based allow-lists will not catch them. The ._cache_<original>.exe plus Synaptics.exe pairing is the layout typical of Xred-infected hosts: the original program is extracted and run as ._cache_*, while Synaptics.exe is the persistent component.
pid Process 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 2896 Synaptics.exe 2888 ._cache_Synaptics.exe 676 ERUNT.3XE 2948 PEV.3XE 840 iexplore.exe 2120 iexplore.exe 600 PEV.3XE 2692 iexplore.exe 1636 iexplore.exe 2396 iexplore.exe 292 iexplore.exe 2100 iexplore.exe 1808 iexplore.exe 2392 swxcacls.3XE 1648 gsar.3XE 2156 swreg.3XE 1792 swreg.3XE 1828 swreg.3XE 1280 swreg.3XE 1760 swsc.3XE 884 grep.3XE 824 sed.3XE 2064 pev.3XE 1948 grep.3XE 1708 pev.3XE 236 setpath.3XE 2608 grep.3XE 2652 Hidec.3XE 2616 Hidec.3XE 2820 cmd.3XE 676 pev.3XE 2932 swreg.3XE 1748 swreg.3XE 1744 grep.3XE 1724 NirCmd.3XE 1640 swreg.3XE 1752 grep.3XE 576 pev.3XE 1356 hidec.3XE 2772 pev.3XE 2840 grep.3XE 560 NirCmd.3XE 2084 pev.3XE 1720 swreg.3XE 2140 swreg.3XE 1780 swreg.3XE 1536 swreg.3XE 392 swreg.3XE 856 swsc.3XE 2480 grep.3XE 292 swreg.3XE 1984 swreg.3XE 2400 swreg.3XE 916 sed.3XE 2392 sed.3XE 2692 grep.3XE 2156 pev.3XE 1280 pev.3XE 2556 swreg.3XE 868 sed.3XE 1576 pev.3XE 1124 swreg.3XE 2076 swreg.3XE -
Impair Defenses: Safe Mode Boot 1 TTPs 20 IoCs
Note: SafeBoot\Minimal\PEVSystemStart and \procexp90.Sys are created by PEV.3XE/pev.3XE/swreg.3XE and later deleted by regedit.exe; the entries allow those components to run in Safe Mode. Because the keys are created repeatedly by the bundled tools and removed at the end, check the final hive state rather than the event count when assessing persistence.
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart\ = "Service" PEV.3XE Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys\ = "Driver" pev.3XE Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys pev.3XE Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart pev.3XE Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart regedit.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys PEV.3XE Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart\ = "Service" PEV.3XE Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart\ = "Service" pev.3XE Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys PEV.3XE Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys\ = "Driver" PEV.3XE Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys swreg.3XE Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys\ = "Driver" swreg.3XE Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart\ = "Service" pev.3XE Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys regedit.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys\ = "Driver" PEV.3XE Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart PEV.3XE Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart pev.3XE Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys\ = "Driver" pev.3XE Key created 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PEVSystemStart PEV.3XE Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\procexp90.Sys pev.3XE -
Loads dropped DLL 64 IoCs
pid Process 1860 6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 1860 6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 1860 6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 2896 Synaptics.exe 2896 Synaptics.exe 2888 ._cache_Synaptics.exe 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 2120 iexplore.exe 2120 iexplore.exe 2120 iexplore.exe 2120 iexplore.exe 2120 iexplore.exe 2120 iexplore.exe 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 2616 Hidec.3XE 2820 cmd.3XE 2820 cmd.3XE 2820 cmd.3XE 2820 cmd.3XE 2820 cmd.3XE 2820 cmd.3XE 2820 cmd.3XE 2820 cmd.3XE 2820 cmd.3XE 2820 cmd.3XE 2820 cmd.3XE 2820 cmd.3XE 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 2820 cmd.3XE 2820 cmd.3XE 
2820 cmd.3XE 2820 cmd.3XE 2820 cmd.3XE 2924 handle.3XE 2820 cmd.3XE 2820 cmd.3XE 2820 cmd.3XE 2820 cmd.3XE 2820 cmd.3XE 2820 cmd.3XE 2820 cmd.3XE 2820 cmd.3XE 2820 cmd.3XE 2820 cmd.3XE 2820 cmd.3XE 2820 cmd.3XE 2820 cmd.3XE 2820 cmd.3XE 2820 cmd.3XE 2820 cmd.3XE -
Modifies system executable filetype association 2 TTPs 46 IoCs
Note: the values written are "\"%1\" %*", the default shell\open\command for exefile/batfile/comfile/piffile — the associations are reset to their defaults, not hijacked. ._cache_<sample>.exe (the extracted original program) performs the same writes as PEV.3XE, which fits the host program being a cleanup utility; regedit.exe separately writes batfile\DefaultIcon.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" PEV.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" pev.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" pev.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command pev.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command pev.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command PEV.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" PEV.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-68" regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 
._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" PEV.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" PEV.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" pev.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" pev.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command pev.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command pev.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" pev.3XE Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command PEV.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" PEV.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" pev.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command PEV.3XE -
Adds Run key to start application 2 TTPs 9 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNONCEEX pev.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" 6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe Key deleted \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RUNONCE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNONCEEX PEV.3XE Key deleted \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RUNONCE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNONCEEX PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNONCEEX pev.3XE Key deleted \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RUNONCE pev.3XE Key deleted \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RUNONCE pev.3XE -
Drops desktop.ini file(s) 3 IoCs
description ioc Process File created C:\32788R22FWJFW\desktop.ini ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe File opened for modification C:\32788R22FWJFW\desktop.ini attrib.exe File opened for modification C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\desktop.ini CF30165.3XE -
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FIND.EXE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMBOFIX.EXE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTRUI.EXE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FINDSTR.3XE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WSCRIPT.EXE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZIP.3XE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MOVEEX.3XE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FIND.EXE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wxp.exe regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GSAR.3XE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CHCP.COM pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SF.3XE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SWREG.EXE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PEV.EXE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\REGEDIT.EXE PEV.3XE Key deleted 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ATTRIB.3XE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MOVEEX.3XE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CONHOST.EXE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXPAND.EXE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ROUTE.3XE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FDSV.3XE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SED.3XE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CTFMON.EXE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwtrig20.exe regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CSCRIPT.EXE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SWSC.EXE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NIRCMD.COM pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FINDSTR.EXE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSEXEC.3XE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXTRACT.3XE PEV.3XE Key deleted 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HANDLE.3XE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ois.exe regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RUNDLL32.EXE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LISTDLLS.3XE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\REGT.3XE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PEV.EXE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RESTARTIT.3XE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\XCOPY.EXE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEInstal.exe regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXPAND.EXE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXPAND.EXE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NIRCMD.COM PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GREP.3XE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CATCHME.EXE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DUMPHIVE.EXE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\REG.EXE PEV.3XE Key deleted 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PEV.EXE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CMD.EXE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CONHOST.EXE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ATTRIB.3XE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RUNDLL32.EXE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ATTRIB.EXE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GREP.3XE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\REGEDIT.EXE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\REGT.3XE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\REG.EXE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SWXCACLS.3XE PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CHCP.COM pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ose.exe regedit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SWXCACLS.3XE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CMD.EXE pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CHCP.3XE PEV.3XE -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
resource yara_rule behavioral1/files/0x0007000000012117-4.dat upx behavioral1/memory/3028-18-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2888-52-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2888-65-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/3028-289-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/3028-290-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x000500000001a0b3-306.dat upx behavioral1/memory/3028-472-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/3028-639-0x0000000000400000-0x0000000000434000-memory.dmp upx -
Drops file in Windows directory 20 IoCs
description ioc Process File created C:\Windows\erdnt\Hiv-backup\ERDNT.CON ERUNT.3XE File created C:\Windows\erdnt\Hiv-backup\BCD ERUNT.3XE File created C:\Windows\erdnt\Hiv-backup\SECURITY ERUNT.3XE File created C:\Windows\erdnt\Hiv-backup\SAM ERUNT.3XE File created C:\Windows\erdnt\Hiv-backup\Users\00000002\NTUSER.DAT ERUNT.3XE File created C:\Windows\erdnt\Hiv-backup\ERDNT.EXE ERUNT.3XE File created C:\Windows\erdnt\Hiv-backup\ERDNTWIN.LOC ERUNT.3XE File created C:\Windows\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT ERUNT.3XE File created C:\Windows\erdnt\Hiv-backup\Users\00000004\UsrClass.dat ERUNT.3XE File created C:\Windows\erdnt\Hiv-backup\ERDNTDOS.LOC ERUNT.3XE File created C:\Windows\erdnt\Hiv-backup\ERDNT.INF ERUNT.3XE File created C:\Windows\erdnt\Hiv-backup\SOFTWARE ERUNT.3XE File created C:\Windows\erdnt\Hiv-backup\DEFAULT ERUNT.3XE File created C:\Windows\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT ERUNT.3XE File opened for modification C:\Windows\erdnt\Hiv-backup\ERDNT.EXE ERUNT.3XE File opened for modification C:\Windows\erdnt\Hiv-backup\ERDNTWIN.LOC ERUNT.3XE File opened for modification C:\Windows\erdnt\Hiv-backup\ERDNTDOS.LOC ERUNT.3XE File created C:\Windows\erdnt\Hiv-backup\SYSTEM ERUNT.3XE File created C:\Windows\NIRCMD.exe CF30165.3XE File opened for modification C:\Windows\NIRCMD.exe CF30165.3XE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language swsc.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NirCmd.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidec.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language swreg.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grep.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language swxcacls.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language swreg.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language swreg.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iexplore.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language swxcacls.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grep.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NirCmd.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language swreg.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pev.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grep.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PV.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grep.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language swreg.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pev.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NirCmdC.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language swreg.3XE Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language swxcacls.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grep.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grep.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grep.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NIRCMD.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iexplore.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grep.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language handle.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grep.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grep.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language swreg.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language swreg.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language swreg.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grep.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grep.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grep.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grep.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grep.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NIRCMD.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidec.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grep.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
swreg.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grep.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\control\nls\language swreg.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grep.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grep.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hidec.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NircmdB.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gsar.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language swreg.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setpath.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grep.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language swreg.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grep.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grep.3XE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iexplore.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2104 swxcacls.3XE 2136 hidec.3XE 3000 PING.3XE 2444 ComboFix-Download.3XE 2744 grep.3XE 1272 pev.3XE 3008 PING.exe 1244 PV.3XE 880 PV.3XE 2772 sed.3XE -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Modifies Control Panel 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\control panel\international swreg.3XE -
Modifies data under HKEY_USERS 26 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19 ERUNT.3XE Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\EnableExtensions = "1" PEV.3XE Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\EnableExtensions = "1" PEV.3XE Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce regedit.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor pev.3XE Key created \REGISTRY\USER\.default\control panel\international swreg.3XE Key created \REGISTRY\USER\.DEFAULT ERUNT.3XE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor PEV.3XE Key deleted \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce regedit.exe Key deleted \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunServices regedit.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\EnableExtensions = "1" pev.3XE Set value (int) \REGISTRY\USER\.DEFAULT\Console\CodePage = "1252" swreg.3XE Key created \REGISTRY\USER\S-1-5-20 ERUNT.3XE Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run regedit.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run regedit.exe Key deleted \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run regedit.exe Key deleted \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunServices regedit.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor pev.3XE Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor\EnableExtensions = "1" pev.3XE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor PEV.3XE Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices regedit.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices regedit.exe Key deleted 
\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run regedit.exe Key deleted \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce regedit.exe Key created \REGISTRY\USER\.DEFAULT\Console swreg.3XE Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce regedit.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*" PEV.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "cmdfile" PEV.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\shell\openas\command\ = "%SystemRoot%\\system32\\rundll32.exe %SystemRoot%\\system32\\shell32.dll,OpenAs_RunDLL %1" regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\telnet\shell\open\command\ = "\"%SystemRoot%\\System32\\rundll32.exe\" \"%SystemRoot%\\System32\\url.dll\",TelnetProtocolHandler %l" regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.3XE ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32 pev.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*" PEV.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\3XEfile\shell\open\command\ = "\"%1\" %*" pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32 regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*" pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\3XEfile\shell\open ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command pev.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} pev.3XE Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command PEV.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "cmdfile" pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler PEV.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}" PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile pev.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}" PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile pev.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.com PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.cfexe PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\telnet\shell\open\command regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command PEV.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32 pev.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" PEV.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "piffile" PEV.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "cmdfile" pev.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cfexe pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile pev.3XE Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\3XEfile\shell\open\command pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cfexe pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} PEV.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*" pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler pev.3XE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\cfexefile pev.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "batfile" pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\shellnew regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "%SystemRoot%\\System32\\InfDefaultInstall.exe \"%1\"" regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs pev.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\3XEfile\shell\open\command\ = "\"%1\" %*" ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command pev.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "\"%1\" %*" PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\DefaultIcon regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd pev.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "piffile" pev.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "\"%1\" %*" pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command PEV.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "batfile" PEV.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\3XEfile\shell\open\command\ = "\"%1\" %*" pev.3XE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "piffile" pev.3XE 
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfxxefile PEV.3XE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3008 PING.exe -
Runs regedit.exe 2 IoCs
pid Process 1104 regedit.exe 1684 regedit.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2668 EXCEL.EXE -
Suspicious behavior: CmdExeWriteProcessMemorySpam 14 IoCs
pid Process 2392 swxcacls.3XE 1648 gsar.3XE 2156 swreg.3XE 1792 swreg.3XE 1828 swreg.3XE 1280 swreg.3XE 1760 swsc.3XE 884 grep.3XE 2064 pev.3XE 824 sed.3XE 1948 grep.3XE 1708 pev.3XE 236 setpath.3XE 2608 grep.3XE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2396 iexplore.exe 2396 iexplore.exe 2396 iexplore.exe 2396 iexplore.exe 2396 iexplore.exe 2396 iexplore.exe 2396 iexplore.exe 2396 iexplore.exe 1636 iexplore.exe 1636 iexplore.exe 1636 iexplore.exe 1636 iexplore.exe 1636 iexplore.exe 1636 iexplore.exe 1636 iexplore.exe 1636 iexplore.exe 2100 iexplore.exe 2100 iexplore.exe 2100 iexplore.exe 2100 iexplore.exe 2100 iexplore.exe 2100 iexplore.exe 2100 iexplore.exe 292 iexplore.exe 292 iexplore.exe 292 iexplore.exe 292 iexplore.exe 292 iexplore.exe 292 iexplore.exe 292 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe 2692 iexplore.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 2944 handle64.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeBackupPrivilege 676 ERUNT.3XE Token: SeBackupPrivilege 676 ERUNT.3XE Token: SeBackupPrivilege 676 ERUNT.3XE Token: SeBackupPrivilege 676 ERUNT.3XE Token: SeBackupPrivilege 676 ERUNT.3XE Token: SeBackupPrivilege 676 ERUNT.3XE Token: SeBackupPrivilege 676 ERUNT.3XE Token: SeBackupPrivilege 676 ERUNT.3XE Token: SeBackupPrivilege 676 ERUNT.3XE Token: SeBackupPrivilege 676 ERUNT.3XE Token: SeDebugPrivilege 2396 iexplore.exe Token: SeDebugPrivilege 1636 iexplore.exe Token: SeDebugPrivilege 2100 iexplore.exe Token: SeDebugPrivilege 292 iexplore.exe Token: SeDebugPrivilege 2692 iexplore.exe Token: SeDebugPrivilege 1808 iexplore.exe Token: SeSecurityPrivilege 2392 swxcacls.3XE Token: SeDebugPrivilege 2692 iexplore.exe Token: SeSecurityPrivilege 2156 swreg.3XE Token: SeTakeOwnershipPrivilege 1792 swreg.3XE Token: SeRestorePrivilege 1792 swreg.3XE Token: SeSecurityPrivilege 1792 swreg.3XE Token: SeTakeOwnershipPrivilege 1792 swreg.3XE Token: SeRestorePrivilege 1792 swreg.3XE Token: SeSecurityPrivilege 1792 swreg.3XE Token: SeTakeOwnershipPrivilege 1792 swreg.3XE Token: SeRestorePrivilege 1792 swreg.3XE Token: SeSecurityPrivilege 1792 swreg.3XE Token: SeTakeOwnershipPrivilege 1792 swreg.3XE Token: SeRestorePrivilege 1792 swreg.3XE Token: SeSecurityPrivilege 1792 swreg.3XE Token: SeTakeOwnershipPrivilege 1792 swreg.3XE Token: SeRestorePrivilege 1792 swreg.3XE Token: SeSecurityPrivilege 1792 swreg.3XE Token: SeTakeOwnershipPrivilege 1792 swreg.3XE Token: SeRestorePrivilege 1792 swreg.3XE Token: SeSecurityPrivilege 1792 swreg.3XE Token: SeTakeOwnershipPrivilege 1792 swreg.3XE Token: SeRestorePrivilege 1792 swreg.3XE Token: SeSecurityPrivilege 1792 swreg.3XE Token: SeTakeOwnershipPrivilege 1792 swreg.3XE Token: SeRestorePrivilege 1792 swreg.3XE Token: SeSecurityPrivilege 1792 swreg.3XE Token: SeTakeOwnershipPrivilege 1792 swreg.3XE Token: SeRestorePrivilege 1792 swreg.3XE Token: SeSecurityPrivilege 1792 swreg.3XE Token: SeTakeOwnershipPrivilege 
1792 swreg.3XE Token: SeRestorePrivilege 1792 swreg.3XE Token: SeSecurityPrivilege 1792 swreg.3XE Token: SeTakeOwnershipPrivilege 1792 swreg.3XE Token: SeRestorePrivilege 1792 swreg.3XE Token: SeSecurityPrivilege 1792 swreg.3XE Token: SeTakeOwnershipPrivilege 1792 swreg.3XE Token: SeRestorePrivilege 1792 swreg.3XE Token: SeSecurityPrivilege 1792 swreg.3XE Token: SeTakeOwnershipPrivilege 1792 swreg.3XE Token: SeRestorePrivilege 1792 swreg.3XE Token: SeSecurityPrivilege 1792 swreg.3XE Token: SeTakeOwnershipPrivilege 1792 swreg.3XE Token: SeRestorePrivilege 1792 swreg.3XE Token: SeSecurityPrivilege 1792 swreg.3XE Token: SeTakeOwnershipPrivilege 1792 swreg.3XE Token: SeRestorePrivilege 1792 swreg.3XE Token: SeSecurityPrivilege 1792 swreg.3XE -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2668 EXCEL.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1860 wrote to memory of 3028 1860 6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 30 PID 1860 wrote to memory of 3028 1860 6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 30 PID 1860 wrote to memory of 3028 1860 6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 30 PID 1860 wrote to memory of 3028 1860 6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 30 PID 1860 wrote to memory of 3028 1860 6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 30 PID 1860 wrote to memory of 3028 1860 6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 30 PID 1860 wrote to memory of 3028 1860 6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 30 PID 1860 wrote to memory of 2896 1860 6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 31 PID 1860 wrote to memory of 2896 1860 6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 31 PID 1860 wrote to memory of 2896 1860 6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 31 PID 1860 wrote to memory of 2896 1860 6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 31 PID 2896 wrote to memory of 2888 2896 Synaptics.exe 32 PID 2896 wrote to memory of 2888 2896 Synaptics.exe 32 PID 2896 wrote to memory of 2888 2896 Synaptics.exe 32 PID 2896 wrote to memory of 2888 2896 Synaptics.exe 32 PID 2896 wrote to memory of 2888 2896 Synaptics.exe 32 PID 2896 wrote to memory of 2888 2896 Synaptics.exe 32 PID 2896 wrote to memory of 2888 2896 Synaptics.exe 32 PID 3028 wrote to memory of 676 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 36 PID 3028 wrote to memory of 676 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 36 PID 3028 wrote to memory of 676 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 36 PID 3028 wrote 
to memory of 676 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 36 PID 3028 wrote to memory of 2948 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 37 PID 3028 wrote to memory of 2948 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 37 PID 3028 wrote to memory of 2948 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 37 PID 3028 wrote to memory of 2948 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 37 PID 3028 wrote to memory of 840 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 39 PID 3028 wrote to memory of 840 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 39 PID 3028 wrote to memory of 840 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 39 PID 3028 wrote to memory of 840 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 39 PID 3028 wrote to memory of 2120 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 40 PID 3028 wrote to memory of 2120 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 40 PID 3028 wrote to memory of 2120 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 40 PID 3028 wrote to memory of 2120 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 40 PID 840 wrote to memory of 600 840 iexplore.exe 41 PID 840 wrote to memory of 600 840 iexplore.exe 41 PID 840 wrote to memory of 600 840 iexplore.exe 41 PID 840 wrote to memory of 600 840 iexplore.exe 41 PID 2120 wrote to memory of 2692 2120 iexplore.exe 43 PID 2120 wrote to memory of 2692 2120 iexplore.exe 43 PID 2120 wrote to memory of 2692 2120 iexplore.exe 43 PID 2120 wrote to memory of 2692 2120 iexplore.exe 43 PID 2120 wrote to memory of 1636 2120 iexplore.exe 44 PID 2120 
wrote to memory of 1636 2120 iexplore.exe 44 PID 2120 wrote to memory of 1636 2120 iexplore.exe 44 PID 2120 wrote to memory of 1636 2120 iexplore.exe 44 PID 2120 wrote to memory of 2396 2120 iexplore.exe 45 PID 2120 wrote to memory of 2396 2120 iexplore.exe 45 PID 2120 wrote to memory of 2396 2120 iexplore.exe 45 PID 2120 wrote to memory of 2396 2120 iexplore.exe 45 PID 2120 wrote to memory of 2100 2120 iexplore.exe 46 PID 2120 wrote to memory of 2100 2120 iexplore.exe 46 PID 2120 wrote to memory of 2100 2120 iexplore.exe 46 PID 2120 wrote to memory of 2100 2120 iexplore.exe 46 PID 2120 wrote to memory of 292 2120 iexplore.exe 47 PID 2120 wrote to memory of 292 2120 iexplore.exe 47 PID 2120 wrote to memory of 292 2120 iexplore.exe 47 PID 2120 wrote to memory of 292 2120 iexplore.exe 47 PID 2120 wrote to memory of 1808 2120 iexplore.exe 48 PID 2120 wrote to memory of 1808 2120 iexplore.exe 48 PID 2120 wrote to memory of 1808 2120 iexplore.exe 48 PID 2120 wrote to memory of 1808 2120 iexplore.exe 48 PID 3028 wrote to memory of 2316 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 55 PID 3028 wrote to memory of 2316 3028 ._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe 55 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer PEV.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer pev.3XE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer pev.3XE -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 2872 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe"C:\Users\Admin\AppData\Local\Temp\6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe"C:\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\32788R22FWJFW\ERUNT.3XE"C:\32788R22FWJFW\ERUNT.3XE" "C:\Windows\erdnt\Hiv-backup" SYSREG CURUSER OTHERUSERS /NOCONFIRMDELETE3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:676
-
-
C:\32788R22FWJFW\PEV.3XEC:\32788R22FWJFW\PEV.3XE RIMPORT C:\32788R22FWJFW\EXE.reg3⤵
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Modifies system executable filetype association
- Adds Run key to start application
- Indicator Removal: Clear Persistence
- Modifies data under HKEY_USERS
- Modifies registry class
- System policy modification
PID:2948
-
-
C:\32788R22FWJFW\EN-US\iexplore.exeC:\32788R22FWJFW\EN-US\iexplore.exe /w C:\32788R22FWJFW\PEV.3XE RIMPORT C:\32788R22FWJFW\EXE.reg3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:840 -
C:\32788R22FWJFW\PEV.3XEC:\32788R22FWJFW\PEV.3XE RIMPORT C:\32788R22FWJFW\EXE.reg4⤵
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Modifies system executable filetype association
- Adds Run key to start application
- Indicator Removal: Clear Persistence
- Modifies data under HKEY_USERS
- Modifies registry class
- System policy modification
PID:600
-
-
-
C:\32788R22FWJFW\iexplore.exeC:\32788R22FWJFW\iexplore.exe Script C:\32788R22FWJFW\Nirscript.dat3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\32788R22FWJFW\License\iexplore.exeC:\32788R22FWJFW\License\iexplore.exe -s450000-1400000 -t!k -t!o -t!g -k C:\*.exe and not { "C:\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe" or C:\32788R22FWJFW\* }4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
-
C:\32788R22FWJFW\License\iexplore.exeC:\32788R22FWJFW\License\iexplore.exe -k { "C:\ProgramData\*" or "C:\Users\Admin\*" } not { "C:\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe" or C:\32788R22FWJFW\* }4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636
-
-
C:\32788R22FWJFW\License\iexplore.exeC:\32788R22FWJFW\License\iexplore.exe -k "C:\Users\Admin\AppData\Local\Temp\*" not { "C:\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe" or C:\32788R22FWJFW\* }4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
-
C:\32788R22FWJFW\License\iexplore.exeC:\32788R22FWJFW\License\iexplore.exe -rk { "C:\Program Files (x86)\*" OR "C:\Program Files (x86)\Common Files\*" } not { "C:\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe" or C:\32788R22FWJFW\* }4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100
-
-
C:\32788R22FWJFW\License\iexplore.exeC:\32788R22FWJFW\License\iexplore.exe -loadline:C:\32788R22FWJFW\License\UnxUtilsDist.pif and not { "C:\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe" or C:\32788R22FWJFW\* }4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:292
-
-
C:\32788R22FWJFW\License\iexplore.exeC:\32788R22FWJFW\License\iexplore.exe -loadline:C:\32788R22FWJFW\License\UnxUtilsDist.com and not { "C:\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe" or C:\32788R22FWJFW\* }4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1808
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C C:\Windows\SysNative\cmd.exe /c C:\32788R22FWJFW\fl0.bat3⤵
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\system32\cmd.exeC:\Windows\SysNative\cmd.exe /c C:\32788R22FWJFW\fl0.bat4⤵PID:2956
-
C:\32788R22FWJFW\swxcacls.3XESWXCACLS "C:\Windows\system32\cmd.exe" /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:2392
-
-
C:\32788R22FWJFW\gsar.3XEGSAR -if -s\:000M:000i:000c:000r:000o -r\:001M:000i:000c:000r:000o "C:\Windows\system32\cmd.exe" cmd.3XE5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1648
-
-
C:\32788R22FWJFW\swreg.3XESWREG ACL "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /DA:R /Q5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:2156
-
-
C:\32788R22FWJFW\swreg.3XESWREG ACL "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /RESET /Q5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:1792
-
-
C:\32788R22FWJFW\swreg.3XESWREG ACL "HKLM\SOFTWARE\Microsoft\Command Processor" /RESET /Q5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1828
-
-
C:\32788R22FWJFW\swreg.3XESWREG ACL "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /RESET /Q5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1280
-
-
C:\32788R22FWJFW\swsc.3XESWSC QUERY BFE5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1760
-
-
C:\32788R22FWJFW\grep.3XEGREP -Fsq "STATE : 4 RUNNING"5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:884
-
-
C:\32788R22FWJFW\pev.3XEPEV -tx40000 -t!g -rtf -tpmz -c##y#b#z# \Services.exe5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2064
-
-
C:\32788R22FWJFW\sed.3XESED -r "/(0x0.*)\t\1/d"5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:824
-
-
C:\32788R22FWJFW\grep.3XEGREP .5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1948
-
-
C:\32788R22FWJFW\pev.3XEPEV -tf -tpmz -t!o C:\Windows\Installer\*000*.? -preg"C:\\Windows\\Installer\\\{[^\\]*\}\\U\\[^\\]*\..$"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1708
-
-
C:\32788R22FWJFW\setpath.3XESETPATH5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:236
-
-
C:\32788R22FWJFW\grep.3XEGREP -sq . ZAFldr00.dat5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2608
-
-
-
-
C:\32788R22FWJFW\Hidec.3XEC:\32788R22FWJFW\Hidec.3XE C:\Windows\Sysnative\cmd.exe /c REGEDIT.EXE /S C:\32788R22FWJFW\W7Reg.dat3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2652 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /c REGEDIT.EXE /S C:\32788R22FWJFW\W7Reg.dat4⤵PID:1444
-
C:\Windows\regedit.exeREGEDIT.EXE /S C:\32788R22FWJFW\W7Reg.dat5⤵
- Modifies security service
- Event Triggered Execution: Image File Execution Options Injection
- Server Software Component: Terminal Services DLL
- Sets service image path in registry
- Modifies system executable filetype association
- Indicator Removal: Clear Persistence
- Modifies data under HKEY_USERS
- Modifies registry class
- Runs regedit.exe
PID:1104
-
-
-
-
C:\32788R22FWJFW\Hidec.3XEC:\32788R22FWJFW\Hidec.3XE C:\32788R22FWJFW\cmd.3XE /C C:\32788R22FWJFW\p.cmd3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2616 -
C:\32788R22FWJFW\cmd.3XEC:\32788R22FWJFW\cmd.3XE /C C:\32788R22FWJFW\p.cmd4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\32788R22FWJFW\pev.3XEPEV.3XE RIMPORT C:\32788R22FWJFW\EXE.reg5⤵
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Modifies system executable filetype association
- Adds Run key to start application
- Indicator Removal: Clear Persistence
- Modifies data under HKEY_USERS
- Modifies registry class
- System policy modification
PID:676
-
-
C:\32788R22FWJFW\swreg.3XESWREG.3XE QUERY "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000\Control" /v ActiveService5⤵
- Executes dropped EXE
PID:2932
-
-
C:\32788R22FWJFW\swreg.3XESWREG.3XE QUERY "HKLM\SYSTEM\CurrentControlSet\Enum\Root"5⤵
- Executes dropped EXE
PID:1748
-
-
C:\32788R22FWJFW\grep.3XEGREP.3XE -Eix "HKEY_.*\\root\\\*PNP[^\\]*" PNP296_005⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1744
-
-
C:\32788R22FWJFW\NirCmd.3XENIRCMD.3XE WIN CLOSE CLASS "#32770"5⤵
- Executes dropped EXE
PID:1724
-
-
C:\32788R22FWJFW\swreg.3XESWREG.3XE QUERY "HKLM\System\Currentcontrolset\Control\ProductOptions" /v ProductType5⤵
- Executes dropped EXE
PID:1640
-
-
C:\32788R22FWJFW\grep.3XEGREP.3XE -isq "ProductType.*WinNT" WinNT005⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1752
-
-
C:\32788R22FWJFW\pev.3XEPEV -c##g# "C:\Windows\system32\kernel32.dll"5⤵
- Executes dropped EXE
PID:576
-
-
C:\Windows\SysWOW64\findstr.exeFINDSTR -B "6.1.760" CurVer5⤵PID:2152
-
-
C:\32788R22FWJFW\hidec.3XEHIDEC SWSC START CryptSvc5⤵
- Executes dropped EXE
PID:1356
-
-
C:\32788R22FWJFW\pev.3XEPEV -rtd C:\Windows\Sysnative5⤵
- Executes dropped EXE
PID:2772
-
-
C:\32788R22FWJFW\grep.3XEGREP -isq "processorArchitecture=.amd64." "C:\Windows\SysNative\csrss.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2840
-
-
C:\32788R22FWJFW\NirCmd.3XENIRCMD CMDWAIT 6000 EXEC HIDE PEV -k CSCRIPT.exe5⤵
- Executes dropped EXE
PID:560
-
-
C:\Windows\SysWOW64\cscript.exeCSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:05 "C:\32788R22FWJFW\ksvchost.vbs"5⤵PID:2940
-
-
C:\32788R22FWJFW\pev.3XEPEV -k NIRCMD.3XE5⤵
- Executes dropped EXE
PID:2084
-
-
C:\32788R22FWJFW\swreg.3XESWREG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option5⤵
- Executes dropped EXE
PID:1720
-
-
C:\32788R22FWJFW\swreg.3XESWREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys /D Driver5⤵
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
PID:2140
-
-
C:\32788R22FWJFW\swreg.3XESWREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys /D Driver5⤵
- Executes dropped EXE
PID:1780
-
-
C:\32788R22FWJFW\swreg.3XESWREG ACL "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /RESET /Q5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1536
-
-
C:\32788R22FWJFW\swreg.3XESWREG ACL "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /RO:F /RA:F /Q5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:392
-
-
C:\32788R22FWJFW\swsc.3XESWSC QUERY BFE5⤵
- Executes dropped EXE
PID:856
-
-
C:\32788R22FWJFW\grep.3XEGREP -Fsq "STATE : 4 RUNNING"5⤵
- Executes dropped EXE
PID:2480
-
-
C:\32788R22FWJFW\swreg.3XESWREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /V "C:\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe" /T REG_DWORD /D 15⤵
- Executes dropped EXE
PID:292
-
-
C:\32788R22FWJFW\swreg.3XESWREG QUERY "HKCU\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages"5⤵
- Executes dropped EXE
PID:1984
-
-
C:\32788R22FWJFW\swreg.3XESWREG QUERY "HKCU\Control Panel\International" /v LocaleName5⤵
- Executes dropped EXE
PID:2400
-
-
C:\32788R22FWJFW\sed.3XESED.3XE -r "/.* /!d; s///; s/(\\0)*$//; s/\\0/\n/g" MUI005⤵
- Executes dropped EXE
PID:916
-
-
C:\32788R22FWJFW\sed.3XESED.3XE -r -n "G; s/\n/&&/; /^([ -~]*\n).*\n\1/d; s/\n//; h; P"5⤵
- Executes dropped EXE
PID:2392
-
-
C:\32788R22FWJFW\grep.3XEGREP.3XE -Fsqix en-US MUI5⤵
- Executes dropped EXE
PID:2692
-
-
C:\32788R22FWJFW\pev.3XEPEV -limit1 -rtf -sasize "C:\32788R22FWJFW\en-US\*.3XE.mui"5⤵
- Executes dropped EXE
PID:2156
-
-
C:\32788R22FWJFW\pev.3XEPEV UZIP License\pv_5_2_2.zip .\5⤵
- Executes dropped EXE
PID:1280
-
-
C:\32788R22FWJFW\swreg.3XESWREG QUERY "HKLM\Software\Swearware" /V LastDir5⤵
- Executes dropped EXE
PID:2556
-
-
C:\32788R22FWJFW\sed.3XESED -r "/.* (.:\\[^\\]*)$/!d; s//\1/"5⤵
- Executes dropped EXE
PID:868
-
-
C:\32788R22FWJFW\pev.3XEPEV -outputtemp00 -rtf -c:##5# .\* and { License.exe or 32788R22FWJFW.exe or WinNT.exe or N_.exe }5⤵
- Executes dropped EXE
PID:1576
-
-
C:\32788R22FWJFW\swreg.3XESWREG QUERY "HKCU\Console_combofixbackup"5⤵
- Executes dropped EXE
PID:1124
-
-
C:\32788R22FWJFW\swreg.3XESWREG COPY "HKCU\Console" "HKCU\Console_combofixbackup" /s5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2076
-
-
C:\32788R22FWJFW\swreg.3XESWREG ADD "HKCU\Console" /v "QuickEdit" /T REG_DWORD /D 05⤵PID:2996
-
-
C:\32788R22FWJFW\swreg.3XESWREG ADD "HKCU\Console" /V "InsertMode" /T REG_DWORD /D 15⤵PID:2700
-
-
C:\32788R22FWJFW\swreg.3XESWREG QUERY "HKLM\SYSTEM\CurrentControlSet\Control\Nls\CodePage" /V ACP5⤵PID:2980
-
-
C:\32788R22FWJFW\sed.3XESED "/.* /!d; s//@CHCP.com /" NlsCodePageACP005⤵PID:2628
-
-
C:\32788R22FWJFW\swreg.3XESWREG ADD HKCU\Console /V CodePage /T REG_DWORD /D "1252"5⤵PID:2648
-
-
C:\32788R22FWJFW\swreg.3XESWREG ADD HKU\S-1-5-18\Console /V CodePage /T REG_DWORD /D "1252"5⤵
- Modifies data under HKEY_USERS
PID:1260
-
-
C:\Windows\SysWOW64\chcp.comCHCP.com 12525⤵
- System Location Discovery: System Language Discovery
PID:2340
-
-
C:\32788R22FWJFW\swreg.3XESWREG QUERY HKLM\System\CurrentControlSet\Control\NLS\Language /V Default5⤵
- System Location Discovery: System Language Discovery
PID:2872
-
-
C:\32788R22FWJFW\sed.3XESED "/.* /!d; s///" NlsLanguage005⤵PID:2160
-
-
C:\32788R22FWJFW\grep.3XEGREP -isq "09$" NlsLanguageDefault5⤵
- System Location Discovery: System Language Discovery
PID:1104
-
-
C:\32788R22FWJFW\swreg.3XESWREG QUERY hklm\system\currentcontrolset\enum\root\system5⤵PID:1444
-
-
C:\32788R22FWJFW\swsc.3XESWSC DELETE MBR5⤵
- System Location Discovery: System Language Discovery
PID:2720
-
-
C:\32788R22FWJFW\rmbr.3XERMBR -u5⤵PID:2624
-
-
C:\32788R22FWJFW\handle.3XEHANDLE -p System5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2924 -
C:\32788R22FWJFW\handle64.exeHANDLE -p System6⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
PID:2944
-
-
-
C:\32788R22FWJFW\grep.3XEGREP -Fic "C:\Windows\SysWow64\drivers\volsnap.sys" temp005⤵
- System Location Discovery: System Language Discovery
PID:2368
-
-
C:\32788R22FWJFW\grep.3XEGREP -E "^[5-9]$|.."5⤵PID:2928
-
-
C:\32788R22FWJFW\pev.3XEPEV -tx50000 -tf -files:files.pif -c:##5#b#f# -output:mdCheck00.dat5⤵PID:2952
-
-
C:\32788R22FWJFW\grep.3XEGREP -vs "^!" mdCheck00.dat5⤵
- System Location Discovery: System Language Discovery
PID:1520
-
-
C:\32788R22FWJFW\grep.3XEGREP -Fvf md5sum.pif mdCheck0a.dat5⤵PID:1332
-
-
C:\32788R22FWJFW\grep.3XEGREP -sq . mdCheck01.dat5⤵
- System Location Discovery: System Language Discovery
PID:2512
-
-
C:\32788R22FWJFW\swreg.3XESWREG ACL "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /RESET /Q5⤵PID:1928
-
-
C:\32788R22FWJFW\swreg.3XESWREG ACL "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /RESET /Q5⤵PID:264
-
-
C:\32788R22FWJFW\swreg.3XESWREG QUERY "hklm\software\microsoft\windows\currentversion\app paths\combofix.exe" /ve5⤵PID:2164
-
-
C:\32788R22FWJFW\swreg.3XESWREG ADD "hklm\software\microsoft\windows\currentversion\app paths\combofix.exe" /ve /d "C:\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe"5⤵PID:2236
-
-
C:\32788R22FWJFW\swreg.3XESWREG QUERY "hklm\software\microsoft\windows nt\currentversion\winlogon" /v Userinit5⤵PID:568
-
-
C:\32788R22FWJFW\grep.3XEGREP -Fi "C:\Windows\system32\userinit.exe" Userinit005⤵PID:644
-
-
C:\32788R22FWJFW\swreg.3XESWREG ADD "hklm\software\microsoft\windows nt\currentversion\winlogon" /v Userinit /d "C:\Windows\system32\userinit.exe,"5⤵
- Modifies WinLogon for persistence
PID:1544
-
-
C:\32788R22FWJFW\sed.3XESED -r "/SfxCmd=/I!d; s///; s/\s*$//; s/^(\x22[^\x22]*\x22|[^\x22]\S*) *//; s/(\x22[^\x22]*\x22)/\n\1\n/g" SET005⤵PID:712
-
-
C:\32788R22FWJFW\sed.3XESED -r "/./!d; /^\x22/!{s/\x22(\S+)\x22/\1/; s_\s+(/\S+)\s+_ \x22\1\x22 _g; s_\s+(/\S+)\s+_ \x22\1\x22 _g; s_\x22\s+(/\S*)$_\x22 \x22\1\x22_; s_^(/\S+)\s+_\x22\1\x22 _; }" temp005⤵PID:1156
-
-
C:\32788R22FWJFW\sed.3XESED -r ":a; $!N;s/\n *\x22/ \x22/;ta; s/./@SET SfxCmd=&/; s/^(@SET SfxCmd=)([^\x22]\S*)$/\1\x22\2\x22/" temp015⤵PID:1616
-
-
C:\32788R22FWJFW\swxcacls.3XESWXCACLS C:\Windows\SysNative\ATTRIB.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q5⤵
- System Location Discovery: System Language Discovery
PID:3060
-
-
C:\32788R22FWJFW\swxcacls.3XESWXCACLS C:\Windows\SysNative\CSCRIPT.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q5⤵
- System Location Discovery: System Language Discovery
PID:880
-
-
C:\32788R22FWJFW\swxcacls.3XESWXCACLS C:\Windows\SysNative\PING.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2104
-
-
C:\32788R22FWJFW\swxcacls.3XESWXCACLS C:\Windows\SysNative\ROUTE.exe /P /GA:F /GS:F /GU:X /GP:X /I ENABLE /Q5⤵PID:2208
-
-
C:\32788R22FWJFW\grep.3XEGREP -Ei "\\(wscntfy|winlogon|wininit|nvsvc|lsm|lsass|iexplore|svchost|spoolsv|smss|slsvc|services|explorer|ctfmon|csrss|alg)\.....$" MSName005⤵PID:1788
-
-
C:\32788R22FWJFW\grep.3XEGREP -Ei "\\uninstall\.....$" MSName005⤵
- System Location Discovery: System Language Discovery
PID:2988
-
-
C:\32788R22FWJFW\grep.3XEGREP -Ei "\\NoMbr\.....$" MSName005⤵PID:2940
-
-
C:\32788R22FWJFW\grep.3XEGREP -Ei "\\iexplore\.exe.$" MSName005⤵
- System Location Discovery: System Language Discovery
PID:560
-
-
C:\32788R22FWJFW\sed.3XESED -r "/.*\\CF@C([1-9][0-9])M([1-9])\.....$/I!d; s//\1\t\2/" MSName005⤵PID:2000
-
-
C:\32788R22FWJFW\grep.3XEGREP .5⤵PID:2084
-
-
C:\32788R22FWJFW\pev.3XEPEV -tf -tpmz -t!o C:\Windows\Installer\*000*.? -preg"C:\\Windows\\Installer\\\{[^\\]*\}\\U\\[^\\]*\..$"5⤵
- System Location Discovery: System Language Discovery
PID:1720
-
-
C:\32788R22FWJFW\swxcacls.3XESWXCACLS C:\$RECYCLE.bin\* /GA:F /S /Q5⤵PID:2140
-
-
C:\32788R22FWJFW\pev.3XEPEV -tf -tpmz -t!o C:\$RECYCLE.bin\*000*.? -preg"\\U\\[^\\]*\..$"5⤵PID:764
-
-
C:\32788R22FWJFW\ATTRIB.3XEATTRIB +R "C:\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe"5⤵PID:1428
-
-
C:\32788R22FWJFW\grep.3XEGREP "=.*[a-z]" sfx.cmd5⤵PID:2588
-
-
C:\32788R22FWJFW\grep.3XEGREP -Eisq "=.\/NoMbr| .\/NoMbr. | .\/NoMbr.$" sfx.cmd5⤵
- System Location Discovery: System Language Discovery
PID:2424
-
-
C:\32788R22FWJFW\grep.3XEGREP -Eisq "\\CFScript[^:\/\\]*$" sfx.cmd5⤵PID:2320
-
-
C:\32788R22FWJFW\NirCmd.3XENIRCMD CMDWAIT 9000 EXEC HIDE PEV -k CSCRIPT.3XE5⤵PID:1932
-
-
C:\32788R22FWJFW\CSCRIPT.3XECSCRIPT //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs5⤵PID:2520
-
-
C:\32788R22FWJFW\pev.3XEPEV -k NIRCMD.3XE5⤵PID:1644
-
-
C:\32788R22FWJFW\swreg.3XESWREG ACL "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /RESET /Q5⤵PID:1792
-
-
C:\32788R22FWJFW\swreg.3XESWREG ACL "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /RO:F /RA:F /Q5⤵
- System Location Discovery: System Language Discovery
PID:2388
-
-
C:\32788R22FWJFW\grep.3XEGREP -Fsf AVBlack resident.txt5⤵PID:1828
-
-
C:\32788R22FWJFW\grep.3XEGREP -Fivf AVWhite resident.txt5⤵
- System Location Discovery: System Language Discovery
PID:324
-
-
C:\32788R22FWJFW\grep.3XEGREP -E "^(AV|SP): .*\*Enabled/"5⤵PID:888
-
-
C:\32788R22FWJFW\pev.3XEPEV -k * -preg"\\((ntvdm|teatimer[^\\]*|ad-watch[^\\]*|SZServer|StopZilla[^\\]*|userinit|procmon|txp1atform|SonndMan|ANDRE|TOLO|jalang|jalangkung|jantungan|DOSEN|C3W3K4MPUS)\.exe)$"5⤵PID:1280
-
-
C:\32788R22FWJFW\grep.3XEGREP -Fx "REGEDIT4" Fin.dat5⤵
- System Location Discovery: System Language Discovery
PID:2556
-
-
C:\32788R22FWJFW\grep.3XEGREP -ix "FileName=[-[:alnum:]@_.]*" FileName5⤵
- System Location Discovery: System Language Discovery
PID:824
-
-
C:\32788R22FWJFW\grep.3XEGREP -ivx ComboFix DirName005⤵
- System Location Discovery: System Language Discovery
PID:1608
-
-
C:\32788R22FWJFW\grep.3XEGREP -Fisqx "._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82" DirName015⤵
- System Location Discovery: System Language Discovery
PID:2336
-
-
C:\32788R22FWJFW\pev.3XEPEV UZIP "License\streamtools.zip" License5⤵PID:2968
-
-
C:\32788R22FWJFW\grep.3XEGREP -Eisq "=.\/uninstall| .\/uninstall. | .\/uninstall.$" sfx.cmd5⤵
- System Location Discovery: System Language Discovery
PID:1712
-
-
C:\32788R22FWJFW\pev.3XEPEV -rtf -s=0 "C:\Windows\erdnt\Hiv-backup\*"5⤵PID:2700
-
-
C:\32788R22FWJFW\pev.3XEPEV -k SWSC.3XE5⤵PID:2268
-
-
C:\32788R22FWJFW\swreg.3XESWREG ADD "HKLM\Software\Swearware" /V LastDir /D "C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82"5⤵PID:3032
-
-
C:\32788R22FWJFW\hidec.3XEHIDEC "C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\CF30165.3XE" /F:OFF /D /C C:\Start_.cmd5⤵
- System Location Discovery: System Language Discovery
PID:1692 -
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\CF30165.3XE"C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\CF30165.3XE" /F:OFF /D /C C:\Start_.cmd6⤵PID:1564
-
C:\Windows\system32\attrib.exeATTRIB -H -S "C:\32788R22FWJFW\*"7⤵
- Drops desktop.ini file(s)
- Views/modifies file attributes
PID:2872
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\CF30165.3XE"C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\CF30165.3XE" /k c.bat7⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
PID:2764 -
C:\Windows\system32\chcp.comCHCP.com 12528⤵PID:1104
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\pev.3XEPEV RIMPORT EXE.reg8⤵
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Impair Defenses: Safe Mode Boot
- Modifies system executable filetype association
- Adds Run key to start application
- Indicator Removal: Clear Persistence
- Modifies data under HKEY_USERS
- Modifies registry class
- System policy modification
PID:1488
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG QUERY "hklm\system\select" /v "current"8⤵PID:2672
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\sed.3XESED -r "/.* /!d; s//00/; s/^[0-9]*(...) .*/@SET ControlSet=ControlSet\1\nSET CS000=HKEY_LOCAL_MACHINE\\system\\ControlSet\1\\Services/"8⤵PID:2636
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\ATTRIB.3XEATTRIB +S "C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82"8⤵PID:1612
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\grep.3XEGREP -sqx "REGEDIT4" Fin.dat8⤵
- System Location Discovery: System Language Discovery
PID:2928
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\ATTRIB.3XEATTRIB +R *.3XE8⤵PID:2432
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\NirCmdC.3XENIRCMDC EXEC SHOW "C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\CF30165.3XE" /C " ECHO.&&ECHO.-------- ~%CurrDate.yyyy-MM-dd% - ~%CurrTime.HH:mm:ss% -------------&&ECHO."8⤵
- System Location Discovery: System Language Discovery
PID:2952 -
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\CF30165.3XE"C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\CF30165.3XE" /C " ECHO.&&ECHO.-------- 2024-11-19 - 15:30:07 -------------&&ECHO."9⤵PID:1716
-
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG QUERY "HKCU\Console_combofixbackup"8⤵PID:2040
-
-
C:\Windows\system32\chcp.comCHCP.com 12528⤵PID:1332
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\grep.3XEGREP -isq "09$" NlsLanguageDefault8⤵PID:2028
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\grep.3XEGREP -Eisq "=.\/uninstall.| .\/uninstall. | .\/uninstall.$" sfx.cmd8⤵
- System Location Discovery: System Language Discovery
PID:440
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swxcacls.3XESWXCACLS PV.3XE /P /GE:F /Q8⤵PID:1084
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\PV.3XEPV -m CF30165.3XE8⤵
- System Location Discovery: System Language Discovery
PID:588
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\sed.3XESED -R "1,3d; /[4-9]\S{7}\s*\d* .:\\|\\detoured.dll$/Id; /.*(.:\\.*)/I!d; s//\1/" ForeignC008⤵PID:568
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\grep.3XEGREP -Fixvf ForeignWht ForeignC018⤵
- System Location Discovery: System Language Discovery
PID:2068
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG QUERY HKLM\Software\Swearware /V "CF_Update"8⤵PID:600
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG DELETE HKLM\Software\Swearware /V "CF_Update"8⤵PID:936
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\hidec.3XEHIDEC PING -n 1 -w 250 127.0.0.18⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2136 -
C:\Windows\SysWOW64\PING.exePING -n 1 -w 250 127.0.0.19⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3008
-
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\PV.3XEPV -d2000 -xa PING.3XE8⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1244
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\PV.3XEPV -m PING.3XE8⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:880
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\sed.3XESED -R "1,3d; /((10|4)00000|[4-9]\S{7})\s*\d* .:\\/d; /C:\\Windows\\SysWow64\\(xpsp2res|Normaliz|urlmon|odbcint|imon)\.dll/Id; /\)|\\/I!d; s/.*(.:\\)/\1/" pingtest008⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2772
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\grep.3XEGREP -Fixf ForeignWht pingtest018⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2744
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\pev.3XEPEV -k PING.3XE8⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1272
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\PING.3XEPING -n 2 -w 500 google.com8⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3000
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG QUERY "HKLM\SOFTWARE\swearware\Backup\Winsock2"8⤵PID:680
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG ACL "HKLM\SOFTWARE\swearware" /RESET8⤵PID:1780
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG COPY "HKLM\SYSTEM\CurrentControlSet\Services\WinSock2" "HKLM\SOFTWARE\swearware\Backup\Winsock2" /s8⤵
- System Location Discovery: System Language Discovery
PID:2448
-
-
C:\Windows\system32\sort.exeSORT /M 65536 Mirrors00 /O Mirrors8⤵PID:1664
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\ComboFix-Download.3XEComboFix-Download -s --connect-timeout 5 -A "cfcurl/7.15.3 (i586-pc-mingw32msvc) libcurl/7.15.3 zlib/1.2.2" -H "Host: download.bleepingcomputer.com" http://208.43.120.24/sUBs/version.txt8⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2444
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\grep.3XEGREP "^[0-9][0-9].* [0-9]"8⤵PID:856
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\ComboFix-Download.3XEComboFix-Download -s --connect-timeout 5 -A "cfcurl/7.15.3 (i586-pc-mingw32msvc) libcurl/7.15.3 zlib/1.2.2" -H "Host: www.compendiate.net" http://69.6.236.82/sUBs/ComboFix.exe/version.txt8⤵PID:836
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\grep.3XEGREP "^[0-9][0-9].* [0-9]"8⤵PID:620
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG QUERY HKLM\Software\Swearware /v 44617465204572726F728⤵PID:2296
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\pev.3XEPEV -rtf -dg15 .\md5sum.pif8⤵PID:1648
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG ADD "HKLM\Software\Swearware" /v 44617465204572726F72 /d "idk"8⤵PID:1740
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\NircmdB.exeNircmdB.exe QBOXCOMTOP "Current date is ~%CurrDate.yyyy-MM-dd%. ComboFix has expired~n~nClick 'Yes' to run in REDUCED FUNCTIONALITY mode~n~nClick 'No' to exit" "Version_18-08-08.01" "" FILLDELETE ABORTB8⤵
- System Location Discovery: System Language Discovery
PID:1644
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\pev.3XEPEV -rtf -dl10 .\md5sum.pif8⤵PID:2464
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\grep.3XEGREP -sq "FIXLSP.bat" "C:\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe"8⤵PID:1768
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\pev.3XEPEV -k C:\Windows\* and { SWXCACLS.exe or SWSC.exe or PEV.exe or sed.exe or grep.exe or zip.exe or mbr.exe } or C:\Windows\system32\SWSC.exe8⤵PID:1360
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\grep.3XEGREP -Esq "FIXLSP.bat|C.o.m.b.o.F.i.x" "C:\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe"8⤵
- System Location Discovery: System Language Discovery
PID:1280
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\NirCmd.3XENIRCMD WIN HIDE TITLE .8⤵
- System Location Discovery: System Language Discovery
PID:1804
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\NirCmd.3XENIRCMD WIN HIDE ITITLE ": ."8⤵
- System Location Discovery: System Language Discovery
PID:2064
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\PEV.exePEV.exe -k { *.3XE or NIRCMD.exe } and not C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\CF30165.3XE8⤵PID:824
-
-
C:\Windows\regedit.exeC:\Windows\regedit.exe /s "C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\fin.dat"8⤵
- Impair Defenses: Safe Mode Boot
- Runs regedit.exe
PID:1684
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG copy "hkcu\control panel\international_combofixbackup" "hkcu\control panel\international" /s8⤵
- System Location Discovery: System Language Discovery
- Modifies Control Panel
PID:2336
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG copy "hku\.default\control panel\international_combofixbackup" "hku\.default\control panel\international" /s8⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:236
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG COPY "hkcu\console_combofixbackup" "hkcu\console" /s8⤵
- System Location Discovery: System Language Discovery
PID:2592
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG ACL "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /RESET /Q8⤵
- System Location Discovery: System Language Discovery
PID:1604
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG DELETE "hkcu\console_combofixbackup"8⤵PID:2716
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\NircmdB.exeNircmdB.exe SYSREFRESH INTL8⤵PID:2144
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG ACL "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /RESET /Q8⤵
- System Location Discovery: System Language Discovery
PID:2864
-
-
C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\swreg.3XESWREG ACL "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /RO:F /RA:F /Q8⤵PID:3044
-
-
C:\Windows\NIRCMD.exeNIRCMD.exe CMDWAIT 5000 EXECMD DEL /A/F C:\Windows\NIRCMD.exe8⤵
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\SysWOW64\cmd.execmd.exe /c DEL /A/F C:\Windows\NIRCMD.exe9⤵
- System Location Discovery: System Language Discovery
PID:3032
-
-
-
C:\Windows\NIRCMD.exeNIRCMD.exe EXECMD "RD /S/Q "C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\"8⤵
- System Location Discovery: System Language Discovery
PID:2788 -
C:\Windows\SysWOW64\cmd.execmd.exe /c "RD /S/Q "C:\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82\"9⤵
- System Location Discovery: System Language Discovery
PID:2700
-
-
-
C:\Windows\NIRCMD.exeNIRCMD.exe WIN CLOSE CLASS #327708⤵PID:1036
-
-
-
-
-
C:\32788R22FWJFW\pev.3XEPEV WAIT 20005⤵PID:1260
-
-
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2668
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (3)
    Change Default File Association (1)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
  Server Software Component (1)
    Terminal Services DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (3)
    Change Default File Association (1)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Impair Defenses (1)
    Safe Mode Boot (1)
  Indicator Removal (2)
    Clear Persistence (1)
    File Deletion (1)
  Modify Registry (6)
Downloads
-
Filesize
94B
MD5fddb66186804dc1a836ee7b288aec224
SHA11570fd4102cb3d5940e8527e2efaa23c7367cd8e
SHA25664ae6e396d7c15f8101e74d99009e3301898105d4082392415a3afb824298c7c
SHA5127edc20e77458f0ffe5a6ff4cb4a214ef3f64218de6c07a3ee0d6b6f9a66fff57598f6b35c66b4cdd8b71b4053c781e90ece626187dd6f6adf1da56756a3dfd31
-
Filesize
24B
MD579c644256de6427ed74aa9225299685e
SHA199bd5a2cec702cc8f0d38828bee63739ee4718dc
SHA256d76c2daf80bc9550db8285aa715c787ee2238f2d96777fdf52f3dc96c07ef55c
SHA512a13f8178160689ad18a1bdb1704dd5ea9cd173e2d2e52ea081d0063d95425e54f83f7f0018fb57e6e9a65aedbee6547670d4a4e3035469b31252a5e1c3c77e3e
-
Filesize
66B
MD5955de0e7ae154a12e0eb81dc30ed0905
SHA1136138d125ccd2cf5529b40e207d673f78b159c3
SHA25687eebb19c6607ebbe65b6b307c06ce4c8464ee0aa7f0e1bc7335e374a4a6b9c6
SHA5124cd99739def158c2f30440e644961395cbf4b754d618d21df4d856682aee0fe2487d3ac35d7b699e57f6ca5debbdd5469535a358ab692bca53b936852cb341d1
-
Filesize
9KB
MD55b5d34c87292116639cfa3451fb6e0d9
SHA1a62b1a486f27fcabe7497f61772d68f75d4c5cc2
SHA256468469b56310fc8bb26e9ec0b3ae7c0b30f7c25470f9948d46323cfc901907e3
SHA512b9bdf0270aadf74fe667ab987f15ec72aa61f951a7dfca535c07f19f0e21e82097983b59a8e424364d7762b192e632390fd8d832cffa7eaad496aab7d3b7597a
-
Filesize
44KB
MD5f3a500fb9c16ddf7af12cf3eff0716e2
SHA135dead0077a4fc25612d90f95776af81c3d96dc3
SHA25612434c2df267a3e4d348c3e823d89c212de4d398447668bb3544f270f669864a
SHA512c0438a60f8a5dc6df0cc1ed19262b3fd9869a661bec7e7aaf7befa04c2192476765be4bdc84ed8668ad04f8fceb20361afb070c68a1f6eacfc8ba9d83219f5a2
-
Filesize
12KB
MD53274f791d4cc2cfe4dec805403ad10e3
SHA199dfdd6b292efd86b5810e6354182b2db0c78f41
SHA25678d9c7e42a14f2c5b377394ceedf7f9a77d16df43434eaecc0ac5cfc01cbc121
SHA512e6ed28767307160b43695276b4347a2c7064e838ca2038aad4dd6fe5d2bf3007489e514d73aa70a8a9012e2a851d183c72f753ff1c6e64e0cf30f915d3efcb0a
-
Filesize
19B
MD5d875037251b54bfeb674f591350d3b23
SHA1973b66e72611b62f6d106c7f729605f0a30eb408
SHA25614e50a7afb6646e7c82a3b3beae6d490be5adcaa7b9fda58779e2314da38d6d6
SHA512a660e1e8ec7b9fc56f034541a58c7a873c12b40f7aa62d987f9d7030365f13a57b4420589eb7a0a56f4d23112b7003e9647866329d62516aad95e823560c9b1e
-
Filesize
152KB
MD5791af7743252d0cd10a30d61e5bc1f8e
SHA170096a77e202cf9f30c064956f36d14bcbd8f7bb
SHA256e34910c8c4f2051b1b87f80e9b389dfe3583bb3e4da909bb2544f22c2d92cf15
SHA512d564f20748189de62525d2c0d4a199a272e3b273a38bd2ccd0bd7f9141f118eae08223b2a0739cd9bdf73234a0f0fb3566eaf88884462e494d44617bd9ac3ccb
-
Filesize
128KB
MD584fa403e67ccf1a031faeb39a091a7c0
SHA1e22bd0cc50f20d0b1e4f0283f8cf9d54a8ca99a8
SHA2566aaf47281e52b184d6e58cac0822dae59eb719f2af63360ecf645e1255e8644b
SHA512d47ded5cb06b6bae3a83432f2353059a97b2c0c4b161c150bdb510c7744b55b0686738d4d37861aa4d0acce697ee5cabf521ce7f926399b046b42cc4e8494827
-
Filesize
159KB
MD589afdd29832aa923926bdd4b5f5243d5
SHA14ee93ef072559c5184236718fe07485bc5ddbe2d
SHA256a559f249fc0e56bc925609773f6cc9cd1826bf70916be1d6370ce4707a6dfd84
SHA512289e9be8566e7b1713c4ed0fa9be509b7d7dd6fe5bab6a7cee7a338f2aeab040419f1fbd032ba97b984691144b54ee8089a6e964ea8633bfa56539010e29a812
-
Filesize
2KB
MD5f9650a5c954d2a9f8844de99e8577f93
SHA1791a85bf67f5dc3734453808bd3013a866b970ba
SHA2563c3ba112731c697b8700de546195c4a02f96f4fe28d39a75551f932985e0c15e
SHA5120b68eb79b37504586da9c7776594c6ebb0251539b7172a2d631d9cacf54d00445693bcacc7f6f15c9902f79fd3bc22a2274575df9d4db129ee0d856b41ed8ba2
-
Filesize
3KB
MD5388d865d44ee8069df8bd12efedadb3e
SHA1e59a20c9c5de1164a16b23014fc3b6a6cf385d14
SHA2569bdfefd45997b94cfe323d4ce4209941a08061ea364bb969a9d3afb418b6fe61
SHA512e3db6a26c55ce3f141565afc5831a2ee7a63741838b084dcf8cadf500b2b2fbeaccf0e417c996c7a10a4de78ae4d2f423d3043c37025049b8cf154cded4623cd
-
Filesize
3KB
MD502187b1b6f37b3d0030791c802a6174c
SHA1b0f8330dcca6d6f4426dcce8fe8705d12f06df1d
SHA256fb96fb9575fad8df03df5e48b7ec0bd9a151ebabc9dd949867b087ea925f33da
SHA512b8da90647afa78c7649a198556529567f65d59206e686d64c98e13496295a75580e89dbc18c92eb9ef36ab2bcc414d35af9b2cfb35417f7f4afd622fc7f248d2
-
Filesize
17KB
MD56029d80d8e934047f4680d425878f8df
SHA162cbc0902c2159f453776c634e8137bd9da756b5
SHA256dac913a8c06902546d4ebb264b293dcf0fbeb566657b5fb769c9f22448d77847
SHA51238450b14163805f2385fa9ed2a7aff49c81fdfa8c5a41b16862d7d498e1f8bbeeecc977dd2b94c8e4f621ad6d5619b49d7b9c0dd24fd8662b928df5128d0f822
-
Filesize
8KB
MD543c7228b35d17db840f2254b92e00d8b
SHA1888325a0429e5b7b8229daa058c7cdacf7db2c0d
SHA2568ca7e8f9dc2906b78842c61a52b0a95fd744fa2e76de470588f821cb88e21e45
SHA512f9fbc9a9cf73a226f08ff112c8959419bb1893300e5e81110b63d4926628aa4bbe88d1f6a2b1e6a3ee04e9b903d66c8664c98c9e46aa2ddb8117bfdc8eefdeeb
-
Filesize
144B
MD5306c4a0f4ecea81cd27076b35b2b0ceb
SHA19f1f11b86d04f43ad0cc41b46795071efd579d40
SHA256778eaf3129c871b4ff32eba227166711a47fca8b458f34f9198adbb70ee3404e
SHA512223c53f24de764ad98de9b651a0eaeb01ebde1ebcc16c2c59bd803d751c5fa2acd1395e3cd259f9f215d8ce9a26159391e6dba356fde9360d7cf67aaa3262873
-
Filesize
388B
MD5128128e7a82b1cf02e92d2166a37e000
SHA18bddc1272c15f9f9560ed8cd13d91b9e2b040201
SHA25618daa45bf4a05e023dcbb3e5c7c410be4750f7ff81d181ff59a080cd3af6e92f
SHA51274df10f7593dbe0e86b21936c8ee47ee278672865d73ff33c529e4dc4e846a8b2a02ff51504ca5d4bdc65525542ee20406e98dcedb3ffa47f708531fd4ce2274
-
Filesize
1KB
MD5ee0eede328eab3072e18d2836f0b5733
SHA1f7f0d25e92e3d334ae709ec86fe3e038ec397647
SHA256b8af13a08015ab1b267d6b6b6b0b317355c6288457b5d9ef7f9995937a666b17
SHA5125a0317bb3c9d0d82c25aacbfe591e96d0d666879ce13ec6b55c016afa2573caf343da5108a62bcf1c2890f7f4f06966bac4ecbebb6eb03dd34ab39dc11bb3190
-
Filesize
2B
MD581051bcc2cf1bedf378224b0a93e2877
SHA1ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA2567eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA5121b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d
-
Filesize
1KB
MD575b33a3d7d7eaba0dc6d13f8ba6f825e
SHA167644b09419b002ae121680689bbb2fe81aea2b8
SHA2564d3d7317f2f032264dafa4f2a7a83cb7c6543fa2e2ed2c6d95e1a3ff6c1dd666
SHA51216dc56acafc7bb6456a743979de309c5c0651edce0efc17fcdc814bc928a7f17760ce2fa664b4b49e1d9a30efb218eefa985d7ece2e68b843ef17dc1b1b59c7e
-
Filesize
6B
MD5486da0e231191ae975f6d2b4d14f9d39
SHA193884c615df1514c050d52104a7dfd045f8b6760
SHA25603db0edf70b6e6a3601107fa8f4fa1b1044fc83f65927c0b3b3374c041826b61
SHA5126fea149031c39c9a2a17e05e6f6f21d20e8cf0e384e975448566295b81d95b7d5cc448cd9e56e809c85d3f709237f616e329e469c482559f4c606cd4b961651a
-
Filesize
10KB
MD57d1dc643c3f97f6e396331035b704ab6
SHA19adfe7d1c195ab984a9cefdeec49bd39c68d084c
SHA256ddc809fba49b8ec969850027d265f6c5aa6d195385f8ed3fe38a66fe0bbbaad4
SHA51256a85cbfaf4ef41854633853a0e7af4ed7a754c9ed36b94be92d41c690b9d8d73704a92e3becc083130d92aea0591c5eb67242c1348c19e14fd693b8584260d2
-
Filesize
15KB
MD5d6a005f8facff88e260688ddb7ae00c1
SHA14e22c7a9fc89587addc4d5ddab71199e08ea5b50
SHA2560ff5348012225418d31ded6d2eb43f081ad8f7035b24e20d3e158ba320a42d49
SHA5127e3ba326c7c6a03cebece8e28cfdc75f89a9a541b07623b77a5825982c2c612477a0adc64eb29afea2faf49a211361fff9009b3979805514fd99163e218b18e7
-
Filesize
59KB
MD5753bc16326fee4a421acb636ccd602f4
SHA19cca347a4659301f89105a5433539e9cad150c69
SHA25624ca5ceb560f68b37c7cd4e548303a3617bb230c3b7478fe61ae804b8f128e4a
SHA512b7924b660dc5e786bcd5cc5df160c29aaf48c88365940a9fbb60c77aa559e60bd5a7033e5edce4577fbad02f52582d65afbdbd22223cbe13df13cfbd9e4241ee
-
Filesize
2KB
MD55b4f9947085428bdafd5f5f13fc61e5b
SHA10a097d99dd988407be0b0b0776ec5c029a47a27c
SHA256a6b85f67b1ff30eaf6893e757ffbba785de0e859afc4362eee9318b63c240cdf
SHA512c61badeafddb9fe8411dc7130c905b615333de8ed576874300dafac9144771d099fe59e33e642987e1621d18f8a0dccd69e763451d33a609d0a8f325b5908c77
-
Filesize
14B
MD5954a44456e60a31dba59ec10e0868f5c
SHA17a3101cf946e0d72c3c247547dcc4694d9717260
SHA256a67745e34ed24fc8f769632758dc152c058a81ab7d171ac9c0d8f4a47dd569b9
SHA51282799111dec1bee2bd526f743eda584d23691728dd474800e682938ddaa1765d3a016ca44864bb21ce1739ef17ceea7106e1a19607a10943e34301ac8ba9ce32
-
Filesize
506KB
MD5a46842c9b0c567a5a9584e83a163560c
SHA17c01e92196c1fa584f05b40e0ad7952525b00686
SHA256715c24bf2bfdfb50c5b9bff41b7cc2728d6986af97edeeb1f1df0c35d673ad98
SHA512b439d97731b364922a2816739389443cee9137dad99556498d68fe2b617f7070a2c9ab00ec59f388fc6b72faba489605688ea3a180899690b42c50b17952e956
-
Filesize
397KB
MD50297c72529807322b152f517fdb0a9fc
SHA12e818e096dded6e01413ff10b5ba0ddb43920b77
SHA256c4d17d7b6c42bca40a313212422add7581192283eb489af9af1b8b6d9cee67e0
SHA512634b4a41bc71a5be39b6962198f19baa63c89887897c2ea47aaf150f27c375ec69d24e61e891442ca9b675ca4bdfd7f5ee0056d99ceb4b8ca6beaaa3f8f2acee
-
Filesize
207KB
MD5b1a9cf0b6f80611d31987c247ec630b4
SHA17299b3c370254e1e4bade26dc5fec818989d836a
SHA256933756962d8a3530c50072e03af9e0eb0bede3c7af58feda3518240e851071ef
SHA512152e24b5490c3e15ec7cf6db0e6573cd75846be6b1472165d055255a9b74a22d929bf8bef1c3f8e31333577d806d600239dde2dfbb463cc62987bac62706b9e1
-
Filesize
6.1MB
MD502bec9d86e4839199a60b334dd650e60
SHA18f86b49725abfae4c201654f3aa43ec0041cea39
SHA2566346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82
SHA512660d932f4b2fe56d175ba3c2823a0501d13e29876766a57bd4df5b345177887b48fb9eedcf0c3929cca509f49a2bb189395e82c2418fa6e8834e0a2f79425243
-
Filesize
17KB
MD5af4d37aad8b34471da588360a43e768a
SHA183ed64667d4e68ea531b8bcf58aab3ed4a5ca998
SHA256e7550c3453156531308fda255a198c3710aa4bc7412819c180b103c11e85cef1
SHA51274f5000038c47b7c909c4ee5740e0e87cac12c9c96fff8b1c7ec749541ee3d4b7efd80f9ac02cd39809dca3f2707d0063fa852a3a541342d93a9d03de08823da
-
Filesize
4KB
MD5faa7f034b38e729a983965c04cc70fc1
SHA1df8bda55b498976ea47d25d8a77539b049dab55e
SHA256579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf
SHA5127868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf
-
Filesize
1KB
MD5abc6379205de2618851c4fcbf72112eb
SHA11ed7b1e965eab56f55efda975f9f7ade95337267
SHA25622e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f
SHA512180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1
-
Filesize
385KB
MD55a43a009414d356a018de0f9d3637f3a
SHA11ab32ff6729c7aea5f3fe37c6f3ee8a1f3ef55f9
SHA256a29dff95b99fb1fb997ebb9baeac450e69348e2fa9b0ebf3b3585fd2f44cd2f8
SHA51297545c4d482a60cb278a24bb80a6f2a5f15716d507203c83beef66dab31554ec9264497609c12461fa77bc1a765062d513a417048027f064b5da9d95a9231a1b
-
Filesize
250KB
MD5f042ee4c8d66248d9b86dcf52abae416
SHA14cd785c7c3e40c42e3d126086d986c4d4d940bb2
SHA256ae0f5cc54e4b133df66a54572a7ce52faff11f8fd0caeab088aad3699d6ec924
SHA512a8a5f1191dfa212e029c79f1e44866513c29b54a3ec25fd4badc65c80e65dafe7194a4ab597bd14d33bfd077dd8d58c07f29aeb2eed1ba8a065d3a4ad165340d
-
\Users\Admin\AppData\Local\Temp\._cache_6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe
Filesize
5.4MB
MD59c181b1351af9d8574df0aaeb0e278de
SHA116010baa64a7d21fe9c435abac13798ccfedd0cd
SHA2563e4de6797fb83963bf660c2da8fd0fd523130e6b48b7834ba48d3f635d4e1ece
SHA512a1b09027b8e5f1ddd2bc4952ed73b708791e10e7a80fe8d726d238cfbca3a539559776fdce26f0e454ebfa2826a0ef3897a27283341ce2ed2ca28a1d24d827f7
-
Filesize
4KB
MD5b9380b0bea8854fd9f93cc1fda0dfeac
SHA1edb8d58074e098f7b5f0d158abedc7fc53638618
SHA2561f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244
SHA51245c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c
-
Filesize
11KB
MD5a436db0c473a087eb61ff5c53c34ba27
SHA165ea67e424e75f5065132b539c8b2eda88aa0506
SHA25675ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49
SHA512908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d
-
Filesize
4KB
MD5031ec9b12afb1fafc9fc397f3b90f29c
SHA1de26ddfe3ef452f8205bfbd5520a8eff6328619f
SHA2562dc320488b636b9dce9581a95e5a833a07500622c1a64fc05023ba6482d2a6e1
SHA512cbebded4e3a87234899e2b67121f898c9060671d25088b7de29bbcbda90a5410dd3afd110417caa6c46ba656e1a863da39127e15c2122fedaa5054f4d43b90a6
-
Filesize
6KB
MD514f5984b926208de2aafb55dd9971d4a
SHA1e5afe0b80568135d3e259c73f93947d758a7b980
SHA256030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1
SHA512e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27
-
Filesize
14KB
MD586b723938b48dc670de8f1016c2fe603
SHA1ff432e1f5d2b8423872719520e9df4da401755c3
SHA256a238cb788e8077442358626fee022d0eb72fc228a5b11c101ab568662db27798
SHA5120a291d76fd950b6f4c725ba377aef42dd2ecfa2a2e7837cf6c98dfba8f4e6f30985a0d0028900d0528501b38f92ccca6353ab20acda2d3349db30021e78a2a5d