sality | c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93c

Analysis

max time kernel
23s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2024, 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Size

147KB
MD5

b2116dfdd65b7962962d6ba229f8c680
SHA1

cc6de214282ee9b35a1b46c957f9ab723fd0a546
SHA256

c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93c
SHA512

f3f6afd30d163574b7e80c600fd18b2a989ce91048317bfa1a9ba233ed2061baa2aea58af87bf049bf23096308a1c76ac643b20f1f40167032b566e823a4a9b8
SSDEEP

3072:pA/yzn2spnbZdIImXXbxxwBAf0p8xb7AwcGH/K2NxAjhQ:pJnMIWFxgAf0GxXAwNyAAQ

Score

10^/10

sality backdoor discovery evasion persistence trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	USBInfo.com
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	USBInfo.com
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	USBInfo.com

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	regedit.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	regedit.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Sality family
sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	USBInfo.com

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	USBInfo.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	USBInfo.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	USBInfo.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	USBInfo.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	USBInfo.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	USBInfo.com

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\USBInfo.sy_	cmd.exe
File created	C:\Windows\SysWOW64\Drivers\USBSys.vbe	cmd.exe
File created	C:\Windows\SysWOW64\Drivers\USBInfo.com	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\USBInfo.com	cmd.exe
File created	C:\Windows\SysWOW64\Drivers\USBStor.vbe	cmd.exe
File created	C:\Windows\SysWOW64\Drivers\Driver.sys	cmd.exe
File created	C:\Windows\SysWOW64\Drivers\USBInfo.vbe	cmd.exe

Sets file to hidden 1 TTPs 64 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1120	attrib.exe
8	attrib.exe
2096	attrib.exe
4660	attrib.exe
1424	attrib.exe
2612	attrib.exe
3268	attrib.exe
4424	attrib.exe
4180	attrib.exe
1832	attrib.exe
4236	attrib.exe
4068	attrib.exe
212	attrib.exe
1500	attrib.exe
4824	attrib.exe
4236	attrib.exe
2308	attrib.exe
4048	attrib.exe
2564	attrib.exe
232	attrib.exe
2404	attrib.exe
656	attrib.exe
5100	attrib.exe
1940	attrib.exe
4116	attrib.exe
384	attrib.exe
4036	attrib.exe
4160	attrib.exe
528	attrib.exe
4584	attrib.exe
448	attrib.exe
4500	attrib.exe
3460	attrib.exe
4380	attrib.exe
3960	attrib.exe
2728	attrib.exe
1952	attrib.exe
4380	attrib.exe
5116	attrib.exe
4808	attrib.exe
1156	attrib.exe
4660	attrib.exe
1396	attrib.exe
644	attrib.exe
1920	attrib.exe
3440	attrib.exe
2096	attrib.exe
4696	attrib.exe
1764	attrib.exe
3204	attrib.exe
1044	attrib.exe
1992	attrib.exe
2160	attrib.exe
5116	attrib.exe
2876	attrib.exe
2480	attrib.exe
4660	attrib.exe
5096	attrib.exe
3812	attrib.exe
404	attrib.exe
4180	attrib.exe
4892	attrib.exe
2572	attrib.exe
592	attrib.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	cmd.exe

Deletes itself 1 IoCs

pid	Process
2292	USBInfo.com

Executes dropped EXE 1 IoCs

pid	Process
2292	USBInfo.com

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	USBInfo.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	USBInfo.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	USBInfo.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	USBInfo.com
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	USBInfo.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	USBInfo.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	USBInfo.com
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\@ = "c:\\windows\\system32\\Drivers\\USBInfo.com"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\@ = "c:\\windows\\system32\\Drivers\\USBInfo.com"	regedit.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	USBInfo.com

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\\desktop.ini	cmd.exe
File created	F:\\desktop.ini	cmd.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
File opened (read-only)	\??\G:	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
File opened (read-only)	\??\E:	USBInfo.com

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	attrib.exe
File created	F:\\autorun.inf	cmd.exe
File opened for modification	F:\autorun.inf	attrib.exe
File created	C:\\autorun.inf	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ScreenSave.scr	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ScreenSave.scr	cmd.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/744-13-0x0000000002390000-0x000000000341E000-memory.dmp	upx
behavioral2/memory/744-8-0x0000000002390000-0x000000000341E000-memory.dmp	upx
behavioral2/memory/744-14-0x0000000002390000-0x000000000341E000-memory.dmp	upx
behavioral2/memory/744-16-0x0000000002390000-0x000000000341E000-memory.dmp	upx
behavioral2/memory/744-18-0x0000000002390000-0x000000000341E000-memory.dmp	upx
behavioral2/memory/744-7-0x0000000002390000-0x000000000341E000-memory.dmp	upx
behavioral2/memory/744-6-0x0000000002390000-0x000000000341E000-memory.dmp	upx
behavioral2/memory/744-5-0x0000000002390000-0x000000000341E000-memory.dmp	upx
behavioral2/memory/744-1-0x0000000002390000-0x000000000341E000-memory.dmp	upx
behavioral2/memory/744-29-0x0000000002390000-0x000000000341E000-memory.dmp	upx
behavioral2/memory/744-30-0x0000000002390000-0x000000000341E000-memory.dmp	upx
behavioral2/memory/744-31-0x0000000002390000-0x000000000341E000-memory.dmp	upx
behavioral2/memory/744-33-0x0000000002390000-0x000000000341E000-memory.dmp	upx
behavioral2/memory/744-32-0x0000000002390000-0x000000000341E000-memory.dmp	upx
behavioral2/memory/744-35-0x0000000002390000-0x000000000341E000-memory.dmp	upx
behavioral2/memory/744-37-0x0000000002390000-0x000000000341E000-memory.dmp	upx
behavioral2/memory/744-50-0x0000000002390000-0x000000000341E000-memory.dmp	upx
behavioral2/memory/2292-129-0x0000000002330000-0x00000000033BE000-memory.dmp	upx
behavioral2/memory/2292-142-0x0000000002330000-0x00000000033BE000-memory.dmp	upx
behavioral2/memory/2292-141-0x0000000002330000-0x00000000033BE000-memory.dmp	upx
behavioral2/memory/2292-140-0x0000000002330000-0x00000000033BE000-memory.dmp	upx
behavioral2/memory/2292-139-0x0000000002330000-0x00000000033BE000-memory.dmp	upx
behavioral2/memory/2292-132-0x0000000002330000-0x00000000033BE000-memory.dmp	upx
behavioral2/memory/2292-131-0x0000000002330000-0x00000000033BE000-memory.dmp	upx
behavioral2/memory/2292-130-0x0000000002330000-0x00000000033BE000-memory.dmp	upx
behavioral2/memory/2292-127-0x0000000002330000-0x00000000033BE000-memory.dmp	upx
behavioral2/memory/2292-146-0x0000000002330000-0x00000000033BE000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	USBInfo.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Kills process with taskkill 13 IoCs

evasion

pid	Process
4708	taskkill.exe
2660	taskkill.exe
1580	taskkill.exe
2844	taskkill.exe
704	taskkill.exe
4584	taskkill.exe
4452	taskkill.exe
4524	taskkill.exe
1196	taskkill.exe
2724	taskkill.exe
3152	taskkill.exe
3812	taskkill.exe
3156	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	cmd.exe

Runs regedit.exe 13 IoCs

pid	Process
3032	regedit.exe
3376	regedit.exe
4888	regedit.exe
2000	regedit.exe
3544	regedit.exe
2444	regedit.exe
1052	regedit.exe
4448	regedit.exe
1684	regedit.exe
4916	regedit.exe
4320	regedit.exe
2960	regedit.exe
2984	regedit.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
2292	USBInfo.com
2292	USBInfo.com

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Token: SeDebugPrivilege	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 3496	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe	85
PID 744 wrote to memory of 3496	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe	85
PID 744 wrote to memory of 3496	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe	85
PID 744 wrote to memory of 792	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe	8
PID 744 wrote to memory of 800	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe	9
PID 744 wrote to memory of 412	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe	13
PID 744 wrote to memory of 2824	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe	49
PID 744 wrote to memory of 2880	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe	50
PID 744 wrote to memory of 2976	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe	51
PID 744 wrote to memory of 3432	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe	56
PID 744 wrote to memory of 3548	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe	57
PID 744 wrote to memory of 3744	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe	58
PID 744 wrote to memory of 3840	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe	59
PID 744 wrote to memory of 3908	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe	60
PID 744 wrote to memory of 3988	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe	61
PID 744 wrote to memory of 4168	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe	62
PID 744 wrote to memory of 2256	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe	64
PID 744 wrote to memory of 452	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe	75
PID 744 wrote to memory of 4368	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe	83
PID 744 wrote to memory of 3496	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe	85
PID 744 wrote to memory of 3496	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe	85
PID 744 wrote to memory of 3588	744	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe	86
PID 3496 wrote to memory of 380	3496	cmd.exe	87
PID 3496 wrote to memory of 380	3496	cmd.exe	87
PID 3496 wrote to memory of 380	3496	cmd.exe	87
PID 3496 wrote to memory of 2012	3496	cmd.exe	129
PID 3496 wrote to memory of 2012	3496	cmd.exe	129
PID 3496 wrote to memory of 2012	3496	cmd.exe	129
PID 3496 wrote to memory of 872	3496	cmd.exe	89
PID 3496 wrote to memory of 872	3496	cmd.exe	89
PID 3496 wrote to memory of 872	3496	cmd.exe	89
PID 872 wrote to memory of 2292	872	WScript.exe	90
PID 872 wrote to memory of 2292	872	WScript.exe	90
PID 872 wrote to memory of 2292	872	WScript.exe	90
PID 2292 wrote to memory of 4484	2292	USBInfo.com	91
PID 2292 wrote to memory of 4484	2292	USBInfo.com	91
PID 2292 wrote to memory of 4484	2292	USBInfo.com	91
PID 4484 wrote to memory of 1580	4484	cmd.exe	93
PID 4484 wrote to memory of 1580	4484	cmd.exe	93
PID 4484 wrote to memory of 1580	4484	cmd.exe	93
PID 4484 wrote to memory of 2984	4484	cmd.exe	96
PID 4484 wrote to memory of 2984	4484	cmd.exe	96
PID 4484 wrote to memory of 2984	4484	cmd.exe	96
PID 4484 wrote to memory of 1392	4484	cmd.exe	97
PID 4484 wrote to memory of 1392	4484	cmd.exe	97
PID 4484 wrote to memory of 1392	4484	cmd.exe	97
PID 4484 wrote to memory of 3972	4484	cmd.exe	98
PID 4484 wrote to memory of 3972	4484	cmd.exe	98
PID 4484 wrote to memory of 3972	4484	cmd.exe	98
PID 4484 wrote to memory of 4660	4484	cmd.exe	209
PID 4484 wrote to memory of 4660	4484	cmd.exe	209
PID 4484 wrote to memory of 4660	4484	cmd.exe	209
PID 4484 wrote to memory of 404	4484	cmd.exe	100
PID 4484 wrote to memory of 404	4484	cmd.exe	100
PID 4484 wrote to memory of 404	4484	cmd.exe	100
PID 4484 wrote to memory of 1460	4484	cmd.exe	101
PID 4484 wrote to memory of 1460	4484	cmd.exe	101
PID 4484 wrote to memory of 1460	4484	cmd.exe	101
PID 4484 wrote to memory of 1500	4484	cmd.exe	102
PID 4484 wrote to memory of 1500	4484	cmd.exe	102
PID 4484 wrote to memory of 1500	4484	cmd.exe	102
PID 4484 wrote to memory of 2844	4484	cmd.exe	149
PID 4484 wrote to memory of 2844	4484	cmd.exe	149
PID 4484 wrote to memory of 2844	4484	cmd.exe	149

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	USBInfo.com

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2668	attrib.exe
5100	attrib.exe
5088	attrib.exe
4808	attrib.exe
4236	attrib.exe
3440	attrib.exe
1992	attrib.exe
4500	attrib.exe
4508	attrib.exe
2404	attrib.exe
1424	attrib.exe
2308	attrib.exe
3528	attrib.exe
4668	attrib.exe
2612	attrib.exe
1120	attrib.exe
3460	attrib.exe
4516	attrib.exe
3656	attrib.exe
2776	attrib.exe
5000	attrib.exe
5116	attrib.exe
2096	attrib.exe
5096	attrib.exe
4180	attrib.exe
2480	attrib.exe
956	attrib.exe
3012	attrib.exe
2888	attrib.exe
592	attrib.exe
912	attrib.exe
5116	attrib.exe
1940	attrib.exe
2844	attrib.exe
3632	attrib.exe
232	attrib.exe
1500	attrib.exe
4180	attrib.exe
1156	attrib.exe
3024	attrib.exe
1196	attrib.exe
2668	attrib.exe
3376	attrib.exe
1952	attrib.exe
404	attrib.exe
8	attrib.exe
3224	attrib.exe
4048	attrib.exe
3064	attrib.exe
3580	attrib.exe
528	attrib.exe
4892	attrib.exe
4584	attrib.exe
1952	attrib.exe
2528	attrib.exe
3536	attrib.exe
4812	attrib.exe
2160	attrib.exe
2180	attrib.exe
4892	attrib.exe
404	attrib.exe
3864	attrib.exe
4300	attrib.exe
4660	attrib.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:800

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:412

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2880

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2976

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3432
- C:\Users\Admin\AppData\Local\Temp\c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe
  "C:\Users\Admin\AppData\Local\Temp\c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe"
  2⤵
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:744
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~C331.bat "C:\Users\Admin\AppData\Local\Temp\c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe"
    3⤵
    - Drops file in Drivers directory
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3588
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93cN.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:380
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2012
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBInfo.vbe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:872
    - - C:\Windows\SysWOW64\Drivers\USBInfo.com
        
        "C:\Windows\system32\Drivers\USBInfo.com"
        5⤵
        Modifies firewall policy service
        UAC bypass
        Windows security bypass
        Deletes itself
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2292
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~E000.bat "C:\Windows\system32\Drivers\USBInfo.com"
        6⤵
        Drops file in Drivers directory
        Checks computer location settings
        Drops desktop.ini file(s)
        Drops autorun.inf file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:1580
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Windows\system32\Drivers\USBInfo.sy_
        7⤵
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Runs regedit.exe
        
        PID:2984
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h autorun.inf
        7⤵
        Drops autorun.inf file
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "$Recycle.Bin"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "Documents and Settings"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "PerfLogs"
        7⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "Program Files"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "Program Files (x86)"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "ProgramData"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "Recovery"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "System Volume Information"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "Users"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "Windows"
        7⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:5000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:384
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1424
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h autorun.inf
        7⤵
        Sets file to hidden
        Drops autorun.inf file
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "$RECYCLE.BIN"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "System Volume Information"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4892
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2724
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Windows\system32\Drivers\USBInfo.sy_
        7⤵
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Runs regedit.exe
        
        PID:4448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:8
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1196
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:4180
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Views/modifies file attributes
        
        PID:2668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        
        PID:4660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4584
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe
        7⤵
        Kills process with taskkill
        
        PID:2844
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Windows\system32\Drivers\USBInfo.sy_
        7⤵
        Runs regedit.exe
        
        PID:1684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"
        7⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        
        PID:2572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4892
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        
        PID:2728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        
        PID:2564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        
        PID:4380
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Views/modifies file attributes
        
        PID:3064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Views/modifies file attributes
        
        PID:3528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:592
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe
        7⤵
        Kills process with taskkill
        
        PID:3152
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Windows\system32\Drivers\USBInfo.sy_
        7⤵
        Runs regedit.exe
        
        PID:3032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"
        7⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Views/modifies file attributes
        
        PID:2668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        
        PID:4236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        
        PID:4696
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Views/modifies file attributes
        
        PID:5088
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe
        7⤵
        Kills process with taskkill
        
        PID:704
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Windows\system32\Drivers\USBInfo.sy_
        7⤵
        Runs regedit.exe
        
        PID:4916
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"
        7⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        
        PID:448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Views/modifies file attributes
        
        PID:3376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Views/modifies file attributes
        
        PID:3224
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        
        PID:4380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        
        PID:4824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3460
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe
        7⤵
        Kills process with taskkill
        
        PID:3812
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Windows\system32\Drivers\USBInfo.sy_
        7⤵
        Runs regedit.exe
        
        PID:4320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"
        7⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Views/modifies file attributes
        
        PID:956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        
        PID:644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Views/modifies file attributes
        
        PID:912
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe
        7⤵
        Kills process with taskkill
        
        PID:4584
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Windows\system32\Drivers\USBInfo.sy_
        7⤵
        Runs regedit.exe
        
        PID:2960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"
        7⤵
        
        PID:640
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        
        PID:4068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        
        PID:4036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2160
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Views/modifies file attributes
        
        PID:3656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe
        7⤵
        Kills process with taskkill
        
        PID:4708
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Windows\system32\Drivers\USBInfo.sy_
        7⤵
        Runs regedit.exe
        
        PID:3376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"
        7⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        
        PID:212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Views/modifies file attributes
        
        PID:2776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Views/modifies file attributes
        
        PID:3632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Views/modifies file attributes
        
        PID:3580
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe
        7⤵
        Kills process with taskkill
        
        PID:3156
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Windows\system32\Drivers\USBInfo.sy_
        7⤵
        Runs regedit.exe
        
        PID:4888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"
        7⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Views/modifies file attributes
        
        PID:4180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Views/modifies file attributes
        
        PID:3024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        
        PID:4116
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Views/modifies file attributes
        
        PID:2180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        
        PID:3204
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        
        PID:3960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        
        PID:1920
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe
        7⤵
        Kills process with taskkill
        
        PID:4452
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Windows\system32\Drivers\USBInfo.sy_
        7⤵
        Runs regedit.exe
        
        PID:2000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"
        7⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        
        PID:4160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:232
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Views/modifies file attributes
        
        PID:1952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        
        PID:2096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        
        PID:3268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe
        7⤵
        Kills process with taskkill
        
        PID:4524
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Windows\system32\Drivers\USBInfo.sy_
        7⤵
        Runs regedit.exe
        
        PID:3544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"
        7⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        
        PID:3812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:528
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Views/modifies file attributes
        
        PID:3012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        
        PID:4424
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Views/modifies file attributes
        
        PID:2888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Views/modifies file attributes
        
        PID:3864
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe
        7⤵
        Kills process with taskkill
        
        PID:1196
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Windows\system32\Drivers\USBInfo.sy_
        7⤵
        Runs regedit.exe
        
        PID:2444
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"
        7⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        
        PID:644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:404
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        
        PID:2876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBSys.vbe"
        7⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h ╬─╝■╝╨.exe
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "recycler.exe"
        7⤵
        Views/modifies file attributes
        
        PID:2528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +r +s +h "system volume information.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2404
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im usbmon.exe /im U┼╠▓í╢╛├Γ╥▀╞≈.exe /im USBCleaner.exe /im mmc.exe /im regedit.exe
        7⤵
        Kills process with taskkill
        
        PID:2660
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Windows\system32\Drivers\USBInfo.sy_
        7⤵
        Runs regedit.exe
        
        PID:1052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\Drivers\USBStor.vbe"
        7⤵
        
        PID:4452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3548

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3744

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3840

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3908

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3988

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4168

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2256

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:452

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2012

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~C331.bat

Filesize
4KB

MD5
bc278224d87330dbedf84ddefdced3f1

SHA1
0a21b60897db6bd7559fef583bb095266110b653

SHA256
1d75230f2ab4daeb62d42bb1bea8a5c4c9f6831f3830407f9615677dc29dac7a

SHA512
6ff654c73c68420d97657657f77d3934aaa60fddceca095d0f9d3f169e6fab7435d3a758f0d3eae086b2ee32ea7e5c0fa3ba602bc9416e0e1e2ca8743f0d846a

Download Submit
C:\Windows\SYSTEM.INI

Filesize
257B

MD5
b73248118d867d183ad3e125c1fe55b6

SHA1
896107891207ea89abb8eb7d9e258bdb4e45ca3b

SHA256
093af0dacbbd816381fae5ffee3eb1c61f6e045e58c27b4ed74ece503b5d6c97

SHA512
e1543a53b77fc4d643cb6bcd2d2559c59148109e4678c783a2a0810efd4180043010600cec41f82dbe13896f036232ea03fe0aed607e874dd0bfd57b6ddb9135

Download Submit
C:\Windows\SysWOW64\Drivers\USBInfo.com

Filesize
147KB

MD5
b2116dfdd65b7962962d6ba229f8c680

SHA1
cc6de214282ee9b35a1b46c957f9ab723fd0a546

SHA256
c6a11af45abc6b62a80c7bb96ca1f2385ebe232350821855b50b33f24483b93c

SHA512
f3f6afd30d163574b7e80c600fd18b2a989ce91048317bfa1a9ba233ed2061baa2aea58af87bf049bf23096308a1c76ac643b20f1f40167032b566e823a4a9b8

Download Submit
C:\Windows\SysWOW64\Drivers\USBInfo.vbe

Filesize
77B

MD5
54ceb8eabaff522c097e4949d39fbd09

SHA1
304fd3c274aac25477ba1f3f500ae34e6c94612d

SHA256
d2d64a938a71d1b747112176eeb345991433fc81475a397b85b6b4c3d97f8550

SHA512
3c6ce4fe30121305b176a3ccc7358343bfdd28537358e7289e4354b52f152c018acfe843659df5bd35228fca804b0285baa8350e2b6ca39719bdefdb77b2e0be

Download Submit
C:\Windows\SysWOW64\Drivers\USBStor.vbe

Filesize
20B

MD5
905d7a48a13a75ced1342bbdf0a3ace2

SHA1
3bcc021a82ed38810bcf61286eb1f4e578e3721f

SHA256
10338a72fbacb4fdf731d8937cdf23519896c5122b6a80079527cebf8406b3cd

SHA512
fe77b8b928ba1ffb1a8bf941b2a0279b3ca6512d30dd1a2e2f363f9b2be245e361fab40232bc868f0f7e79bacc476653a49b66d2cf6945ed87b0c776783db8c1

Download Submit
C:\Windows\SysWOW64\Drivers\USBSys.vbe

Filesize
19B

MD5
322866ac1312f3bc0dd8685949f35b6a

SHA1
dc3f64764aa99595ee48721142d2301ebbe07aec

SHA256
5417fd3704beb2760ed54c38048ae44d2cd49312be2a8f104e542bbd5bbc88d6

SHA512
1b5c2320beaeb34895a1d11882566463d365a128db4d260189850990e1215ce737334ee96b43ecd2c018f040548209cc6f11328a5a9b9eb5f57fc6ac61afe03d

Download Submit
C:\Windows\SysWOW64\drivers\USBInfo.sy_

Filesize
1KB

MD5
e3f32bf45469d18567e23485109ffdd4

SHA1
2e207b073a4237e05b5da89f9ca2e9771757620c

SHA256
e41ad345599c751ed8b124229df31681f2c44d322d092f85c2205b97f09c8a81

SHA512
e8ab034c883c747d6a093d1221e080adf84a1c3662e4469c59cf49f693561262d435c28eede60e18151222fd9562abc6c81b6a57fa5587032cbc2d0b74a0c0e5

Download Submit
C:\desktop.ini

Filesize
150B

MD5
ec4064ac609dc25d680be76463282759

SHA1
e811243e6946ab739afe39f79e7e010c5d3aa646

SHA256
5f7b66850209b68edce639f55db86876840969a4302143811f5953b643f45dae

SHA512
e65ad34b719c46d97729167cd0c8ed0ba8a9ee567b67a4663ddc48873735914c28315428b8415ced78a7608165910dcb4583222b08e3e1a7cabf7b3e9339401f

Download Submit
F:\autorun.inf

Filesize
149B

MD5
babb9292822f6963475088494e446a00

SHA1
d0f96ea279562a899f24b5a6905065de029877b0

SHA256
bff5694d6d4c8a41217fa9d98d95c355a6f63ef939a4ef89bc45d1cf443a1f9d

SHA512
b96daa0a52867f7f0454c8b35d85682aa22c3ac59495760c95204cc1cfc419bd88b5cc59d92dfab5a6343f8f86659e35e2f38cda0c1ea014d2377ab5e525fd5b

Download Submit
F:\desktop.ini

Filesize
41B

MD5
fc58af21d2445196d228547ba36ce949

SHA1
f5eade25a4c478faa988d62ad7f93679a148e511

SHA256
93bd2fd7de32217b93b299ccf87fe53d47f5c1f1b44dbcfa3921f10d405d026e

SHA512
eabe18f6d152fd1f4450d618ed0084990f90071cc18d42812a68339d3fd55c8b4a4ce03fb575730a2188a8ce3bfb15c275ad6a00820902a3737723220fdd4427

Download Submit
memory/744-7-0x0000000002390000-0x000000000341E000-memory.dmp

Filesize
16.6MB

Download
memory/744-17-0x00000000005F0000-0x00000000005F2000-memory.dmp

Filesize
8KB

Download
memory/744-10-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/744-15-0x00000000005F0000-0x00000000005F2000-memory.dmp

Filesize
8KB

Download
memory/744-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/744-6-0x0000000002390000-0x000000000341E000-memory.dmp

Filesize
16.6MB

Download
memory/744-5-0x0000000002390000-0x000000000341E000-memory.dmp

Filesize
16.6MB

Download
memory/744-1-0x0000000002390000-0x000000000341E000-memory.dmp

Filesize
16.6MB

Download
memory/744-9-0x00000000005F0000-0x00000000005F2000-memory.dmp

Filesize
8KB

Download
memory/744-29-0x0000000002390000-0x000000000341E000-memory.dmp

Filesize
16.6MB

Download
memory/744-30-0x0000000002390000-0x000000000341E000-memory.dmp

Filesize
16.6MB

Download
memory/744-31-0x0000000002390000-0x000000000341E000-memory.dmp

Filesize
16.6MB

Download
memory/744-33-0x0000000002390000-0x000000000341E000-memory.dmp

Filesize
16.6MB

Download
memory/744-32-0x0000000002390000-0x000000000341E000-memory.dmp

Filesize
16.6MB

Download
memory/744-35-0x0000000002390000-0x000000000341E000-memory.dmp

Filesize
16.6MB

Download
memory/744-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/744-37-0x0000000002390000-0x000000000341E000-memory.dmp

Filesize
16.6MB

Download
memory/744-16-0x0000000002390000-0x000000000341E000-memory.dmp

Filesize
16.6MB

Download
memory/744-14-0x0000000002390000-0x000000000341E000-memory.dmp

Filesize
16.6MB

Download
memory/744-13-0x0000000002390000-0x000000000341E000-memory.dmp

Filesize
16.6MB

Download
memory/744-50-0x0000000002390000-0x000000000341E000-memory.dmp

Filesize
16.6MB

Download
memory/744-70-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/744-18-0x0000000002390000-0x000000000341E000-memory.dmp

Filesize
16.6MB

Download
memory/744-45-0x00000000005F0000-0x00000000005F2000-memory.dmp

Filesize
8KB

Download
memory/744-8-0x0000000002390000-0x000000000341E000-memory.dmp

Filesize
16.6MB

Download
memory/2292-143-0x0000000000470000-0x0000000000472000-memory.dmp

Filesize
8KB

Download
memory/2292-46-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2292-378-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2292-125-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2292-129-0x0000000002330000-0x00000000033BE000-memory.dmp

Filesize
16.6MB

Download
memory/2292-142-0x0000000002330000-0x00000000033BE000-memory.dmp

Filesize
16.6MB

Download
memory/2292-126-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2292-146-0x0000000002330000-0x00000000033BE000-memory.dmp

Filesize
16.6MB

Download
memory/2292-140-0x0000000002330000-0x00000000033BE000-memory.dmp

Filesize
16.6MB

Download
memory/2292-139-0x0000000002330000-0x00000000033BE000-memory.dmp

Filesize
16.6MB

Download
memory/2292-127-0x0000000002330000-0x00000000033BE000-memory.dmp

Filesize
16.6MB

Download
memory/2292-141-0x0000000002330000-0x00000000033BE000-memory.dmp

Filesize
16.6MB

Download
memory/2292-131-0x0000000002330000-0x00000000033BE000-memory.dmp

Filesize
16.6MB

Download
memory/2292-130-0x0000000002330000-0x00000000033BE000-memory.dmp

Filesize
16.6MB

Download
memory/2292-132-0x0000000002330000-0x00000000033BE000-memory.dmp

Filesize
16.6MB

Download
memory/2292-134-0x0000000003E80000-0x0000000003E81000-memory.dmp

Filesize
4KB

Download
memory/3496-47-0x00000000005C0000-0x00000000005C2000-memory.dmp

Filesize
8KB

Download
memory/3496-21-0x00000000005C0000-0x00000000005C2000-memory.dmp

Filesize
8KB

Download
memory/3496-19-0x00000000005C0000-0x00000000005C2000-memory.dmp

Filesize
8KB

Download
memory/3496-12-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/3832-138-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/3832-144-0x00000000007B0000-0x00000000007B2000-memory.dmp

Filesize
8KB

Download
memory/4484-136-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/4484-145-0x0000000002AE0000-0x0000000002AE2000-memory.dmp

Filesize
8KB

Download