Analysis Overview
SHA256
485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776
Threat Level: Known bad
The file 485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
Modifies security service
Modifies visibility of hidden/system files in Explorer
Windows security bypass
UAC bypass
Modifies visibility of file extensions in Explorer
Drops file in Drivers directory
Disables taskbar notifications via registry modification
Event Triggered Execution: Image File Execution Options Injection
Disables Task Manager via registry modification
Disables RegEdit via registry modification
Windows security modification
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Drops startup file
Adds Run key to start application
Indicator Removal: Clear Persistence
Checks whether UAC is enabled
UPX packed file
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Modifies Internet Explorer start page
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies Control Panel
System policy modification
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-01-19 12:04
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-19 12:04
Reported
2025-01-19 12:06
Platform
win7-20240903-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe = "C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe:*:Enabled:@xpsp2res.dll,-70554750" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe = "C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe:*:Enabled:@xpsp2res.dll,-57951861" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe = "C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe:*:Enabled:@xpsp2res.dll,-53342401" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe = "C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe:*:Enabled:@xpsp2res.dll,-28956246" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
Disables Task Manager via registry modification
Disables taskbar notifications via registry modification
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CNFNOT32.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OIS.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\connectionmonitor.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trjsetup.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winppr32.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mctool.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monwow.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo32.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pfwadmin.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nd98spst.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsscan40.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpcmap.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GRAPH.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fast.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbpoll.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navex15.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UCCLSID.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\schedapp.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf9x206.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deputy.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\etrustcipe.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpf.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navnt.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npfmessenger.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ndd32.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Process.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dpf.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav32.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jammer.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nupgrade.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ogrc.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qconsole.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vscan.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HJTInstall.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iris.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nav32_loader.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nprotect.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pview95.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sgssfw32.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wfindv32.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSQRY32.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavproxy.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalarm.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HostsChk.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SrchSTS.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rapapp.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tracert.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avupgsvc.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\connectionmonitor.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VACFix.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naveng.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\processmonitor.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweepsrv.sys.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exantivirus-cnet.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalm2601.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgctrl.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| N/A | N/A | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254003743208BA6735D23877EED = "C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CNFNOT32.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSPUB.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPREVIEW.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCELCNV.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSACCESS.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSHTA.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOXMLED.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONELEV.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IELOWUTIL.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEUNATT.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONENOTEM.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANOST.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SELFCERT.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WORDCONV .EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WXP.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCEL.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEXPLORE.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSTORDB.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSTORE.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOSYNC.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\POWERPNT.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DWTRIG20.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GOOGLEUPDATE.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GRAPH.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\INFOPATH.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSFEEDSSYNC.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ACCICONS.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DW20.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GROOVE.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONENOTE.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OUTLOOK.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLVIEW.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXTEXPORT.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IE4UINIT.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOHTMED.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETLANG.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSQRY32.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OIS.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OSE.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANPST.EXE | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2116 set thread context of 788 | N/A | C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe | C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe |
| PID 2352 set thread context of 1912 | N/A | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Sound\Beep = "no" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Sound | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://k3rpn6nsm7v08o4.directorio-w.com" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://91191v7i5nney3c.directorio-w.com" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://4gpc25t8i557w30.directorio-w.com" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://z08r490sa8b1pm7.directorio-w.com" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://316d36it7o97o1w.directorio-w.com" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://as532zl2oxlma0l.directorio-w.com" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Download | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://6209860r64907e0.directorio-w.com" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://5opbq517ww14301.directorio-w.com" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://199kqmqltvtzk21.directorio-w.com" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://8gsq0s81r700r48.directorio-w.com" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| N/A | N/A | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| N/A | N/A | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| N/A | N/A | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| N/A | N/A | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" | C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe
"C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe"
C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe
"C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe"
C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe
"C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe" 5A3FB291
C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe
"C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe"
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cloud.ns1.dnsdynnet.com | udp |
| US | 8.8.8.8:53 | whos.amung.us | udp |
| US | 104.22.74.171:80 | whos.amung.us | tcp |
| US | 8.8.8.8:53 | widgets.amung.us | udp |
| US | 104.22.74.171:80 | widgets.amung.us | tcp |
| US | 8.8.8.8:53 | www.buscaid.com | udp |
| US | 45.79.19.196:80 | www.buscaid.com | tcp |
| US | 8.8.8.8:53 | cloud.ns1.dnsdynnet.com | udp |
| US | 45.79.19.196:80 | www.buscaid.com | tcp |
| US | 45.79.19.196:80 | N/A | tcp |
| US | 45.79.19.196:80 | N/A | tcp |
Files
memory/788-2-0x0000000000400000-0x0000000000446000-memory.dmp
memory/788-11-0x0000000000400000-0x0000000000446000-memory.dmp
memory/788-13-0x0000000000400000-0x0000000000446000-memory.dmp
memory/788-10-0x0000000000400000-0x0000000000446000-memory.dmp
memory/788-8-0x0000000000400000-0x0000000000446000-memory.dmp
memory/788-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/788-5-0x0000000000400000-0x0000000000446000-memory.dmp
memory/788-4-0x0000000000400000-0x0000000000446000-memory.dmp
\Users\Admin\AC1E05A2F476A4B7\8F1502.exe
| MD5 | 12fe11a1768d83798579faf59609bdd0 |
| SHA1 | e4f225c82d5ac1bf26a1092759326a3fc4155a59 |
| SHA256 | 485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776 |
| SHA512 | b0f88c5ba619e1f107e94ab1b900c5725a82fc53e08de97dcf989ce65a22ee6ff6d5b228b28d50d8c0fc605a5f465831d7f9129362b6894384cb50d95c36283b |
memory/788-27-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1912-53-0x0000000003F00000-0x00000000049BA000-memory.dmp
memory/1912-1909-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1912-1910-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1912-1937-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1912-1944-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1912-1960-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1912-1977-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1912-1990-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1912-2026-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1912-2030-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1912-2046-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1912-2068-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1912-2094-0x0000000000400000-0x0000000000446000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-19 12:04
Reported
2025-01-19 12:06
Platform
win10v2004-20241007-en
Max time kernel
111s
Max time network
112s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\6831144AF18B6310\4B3A13.exe = "C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe:*:Enabled:@xpsp2res.dll,-70554750" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\6831144AF18B6310\4B3A13.exe = "C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe:*:Enabled:@xpsp2res.dll,-57951861" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\6831144AF18B6310\4B3A13.exe = "C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe:*:Enabled:@xpsp2res.dll,-28956246" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\6831144AF18B6310\4B3A13.exe = "C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe:*:Enabled:@xpsp2res.dll,-53342401" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
Disables Task Manager via registry modification
Disables taskbar notifications via registry modification
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amon9x.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\claw95cf.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcm.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmitfraudFix.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RDRSERVICESUPDATER.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atupdater.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexplorerv1.0.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swreg.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPOOLSV.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fp-win_trial.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icsuppnt.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo32.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpnt.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwinnt.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsetup.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcip10117_0.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wingate.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsma32.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Netscape.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firewall.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbwin9x.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPLWOW64.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amon.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cv.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_findviru.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldnetmon.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavproxy.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exit.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VACFix.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\route.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfeann.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgctrl.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleaner3.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iomon98.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ndd32.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qserver.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protectx.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tc.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpm.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bs120.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet32.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fnrb32.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot95.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ibmasn.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmon.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w9x.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regmon.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avshadow.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardhlp.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccpfw.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcscan.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atcon.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf9x206.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsave32.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navengnavex15.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwtool16.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Safari.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmsrvc.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| N/A | N/A | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\cval = "1" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254003743208BA6735D23877EED = "C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOASB.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOHTMED.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NGENTASK.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRESENTATIONHOST.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RDRCEF.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SETLANG.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IELOWUTIL.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SYSTEMSETTINGS.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IE4UINIT.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WORDCONV.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\POWERPNT.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEXPLORE.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MICROSOFTEDGEUPDATE.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOSYNC.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPLWOW64.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GRAPH.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOADFSB.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLVIEW.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GOOGLEUPDATE.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOXMLED.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ONENOTEM.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRINTISOLATIONHOST.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SELFCERT.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACRORD32.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACRORD32INFO.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEINSTAL.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NGEN.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRINTDIALOG.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RUNTIMEBROKER.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SDXHELPER.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXCEL.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXTEXPORT.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ONENOTE.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ORGCHART.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SVCHOST.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINWORD.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEUNATT.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSFEEDSSYNC.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSHTA.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOSREC.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSQRY32.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RDRSERVICESUPDATER.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPOOLSV.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXCELCNV.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSCORSVW.EXE | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4048 set thread context of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe | C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe |
| PID 3684 set thread context of 4464 | N/A | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | C:\Users\Admin\6831144AF18B6310\4B3A13.exe |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Sound | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Sound\Beep = "no" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://876dnbrf6kdfc41.directorio-w.com" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://5622z09ht5d89ma.directorio-w.com" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://e55vcj7gbx2398w.directorio-w.com" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Local Page = "http://67f2w93kjnr82r1.directorio-w.com" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://1q7cvfj8p563jr2.directorio-w.com" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://70f2297i88jotlg.directorio-w.com" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Download | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Local Page = "http://ff1nxj18685p4i5.directorio-w.com" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://p8hu1aeg579ef8o.directorio-w.com" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://3l552wg9789d7oh.directorio-w.com" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://0ti7s046stff0uz.directorio-w.com" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| N/A | N/A | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| N/A | N/A | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| N/A | N/A | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe | N/A |
| N/A | N/A | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| N/A | N/A | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| N/A | N/A | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| N/A | N/A | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\6831144AF18B6310\4B3A13.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe
"C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe"
C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe
"C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe"
C:\Users\Admin\6831144AF18B6310\4B3A13.exe
"C:\Users\Admin\6831144AF18B6310\4B3A13.exe" 78BC2B5D
C:\Users\Admin\6831144AF18B6310\4B3A13.exe
"C:\Users\Admin\6831144AF18B6310\4B3A13.exe"
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
Network
Files
C:\Users\Admin\6831144AF18B6310\4B3A13.exe
| MD5 | 12fe11a1768d83798579faf59609bdd0 |
| SHA1 | e4f225c82d5ac1bf26a1092759326a3fc4155a59 |
| SHA256 | 485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776 |
| SHA512 | b0f88c5ba619e1f107e94ab1b900c5725a82fc53e08de97dcf989ce65a22ee6ff6d5b228b28d50d8c0fc605a5f465831d7f9129362b6894384cb50d95c36283b |