Analysis Overview
SHA256
fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01f
Threat Level: Known bad
The file fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
UAC bypass
Modifies firewall policy service
Modifies visibility of file extensions in Explorer
Windows security bypass
Modifies security service
Disables taskbar notifications via registry modification
Event Triggered Execution: Image File Execution Options Injection
Drops file in Drivers directory
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Drops startup file
Executes dropped EXE
Checks computer location settings
Windows security modification
Loads dropped DLL
Reads user/profile data of web browsers
Indicator Removal: Clear Persistence
Checks whether UAC is enabled
Adds Run key to start application
Suspicious use of SetThreadContext
UPX packed file
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
System policy modification
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies Internet Explorer start page
Modifies Control Panel
Modifies Internet Explorer settings
MITRE ATT&CK
Analysis: static1
Detonation Overview
| Field | Value |
| Reported | 2025-01-19 12:21 |
Signatures
Analysis: behavioral1
Detonation Overview
| Field | Value |
| Submitted | 2025-01-19 12:21 |
| Reported | 2025-01-19 12:24 |
| Platform | win7-20241010-en |
| Max time kernel | 120s |
| Max time network | 124s |
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\1009F805341EAB54\3302FF.exe = "C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe:*:Enabled:@xpsp2res.dll,-53342401" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\1009F805341EAB54\3302FF.exe = "C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe:*:Enabled:@xpsp2res.dll,-28956246" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\1009F805341EAB54\3302FF.exe = "C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe:*:Enabled:@xpsp2res.dll,-57951861" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\1009F805341EAB54\3302FF.exe = "C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe:*:Enabled:@xpsp2res.dll,-70554750" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
Disables Task Manager via registry modification
Disables taskbar notifications via registry modification
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwinst4.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleaner3.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpro.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Safari.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iomon98.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavlite40eng.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fwinstall.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HiJackThis.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\purge.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winservices.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOHTMED.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avrescue.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfind.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleaner3.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\edi.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwinnt.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icmon.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w32dsm89.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_findviru.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dpf.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntrtscan.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvc95.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpfw30s.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aplica32.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpmon.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95_0.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scrscan.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spyxx.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HiJackThis.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\serv95.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\titaninxp.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\POWERPNT.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETLANG.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fast.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\moolive.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavsched.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ping.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmain.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfweng3.02d30.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccwin97.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcscanpdsetup.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpsvs32.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdetect.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgemc.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpnt.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navrunr.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcc2002s902.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccmain.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccguide.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexplorerv1.0.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tfak5.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmiav.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wradmin.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IE4UINIT.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fast.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccmain.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Process.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| N/A | N/A | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254003743208BA6735D23877EED = "C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\INFOPATH.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONELEV.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONENOTEM.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETLANG.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSPUB.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSTORE.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WORDCONV .EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ACCICONS.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DW20.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IELOWUTIL.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSFEEDSSYNC.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SELFCERT.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CNFNOT32.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXTEXPORT.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSTORDB.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OIS.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEUNATT.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OSE.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOXMLED.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OUTLOOK.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANOST.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCEL.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCELCNV.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GRAPH.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSACCESS.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DWTRIG20.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GOOGLEUPDATE.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\POWERPNT.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPREVIEW.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSHTA.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOHTMED.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANPST.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WXP.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLVIEW.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GROOVE.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IE4UINIT.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEXPLORE.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOSYNC.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSQRY32.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONENOTE.EXE | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1740 set thread context of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe | C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe |
| PID 2128 set thread context of 2932 | N/A | C:\Users\Admin\1009F805341EAB54\3302FF.exe | C:\Users\Admin\1009F805341EAB54\3302FF.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Sound | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Sound\Beep = "no" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://gp872g06umk985e.directorio-w.com" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://91tz151dq78sj3s.directorio-w.com" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://i6tsed474ky91r3.directorio-w.com" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://vo2pd44fq4942rj.directorio-w.com" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://3tv242g5562hd86.directorio-w.com" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://xm02k5751u44yva.directorio-w.com" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://l9t65d8697qqs44.directorio-w.com" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Download | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://psf582uor3khbn3.directorio-w.com" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://0j00p0ji8s1f754.directorio-w.com" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://t78gah5076mh08c.directorio-w.com" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| N/A | N/A | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe | N/A |
| N/A | N/A | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| N/A | N/A | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| N/A | N/A | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| N/A | N/A | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" | C:\Users\Admin\1009F805341EAB54\3302FF.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe
"C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe"
C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe
"C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe"
C:\Users\Admin\1009F805341EAB54\3302FF.exe
"C:\Users\Admin\1009F805341EAB54\3302FF.exe" 47779ED3
C:\Users\Admin\1009F805341EAB54\3302FF.exe
"C:\Users\Admin\1009F805341EAB54\3302FF.exe"
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5a4
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cloud.ns1.dnsdynnet.com | udp |
| US | 8.8.8.8:53 | whos.amung.us | udp |
| US | 104.22.75.171:80 | whos.amung.us | tcp |
| US | 8.8.8.8:53 | widgets.amung.us | udp |
| US | 104.22.75.171:80 | widgets.amung.us | tcp |
| US | 8.8.8.8:53 | www.buscaid.com | udp |
| US | 45.33.23.183:80 | www.buscaid.com | tcp |
Files
memory/2364-12-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2364-10-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2364-6-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2364-15-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2364-13-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2364-4-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2364-2-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2364-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\1009F805341EAB54\3302FF.exe
| MD5 | a3ad2b121987342a92275b4ed4fccf10 |
| SHA1 | 965219ef6bac815e09842f960aeb2650dbe3e201 |
| SHA256 | fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01f |
| SHA512 | 2ebf1f1840d92860e97332309c4c14ec1bed97e67c0a8671aecf85fe9f818d23bb7070a9d79a0497b8f6e4e5c3eba9e8142c639c354480e7859e6b072928beb3 |
memory/2364-29-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2932-53-0x0000000003DE0000-0x0000000004E42000-memory.dmp
memory/2932-659-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2932-1913-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2932-1935-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2932-1940-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2932-1961-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2932-1989-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2932-2017-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2932-2031-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2932-2065-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2932-2084-0x0000000000400000-0x0000000000446000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-19 12:21
Reported
2025-01-19 12:24
Platform
win10v2004-20241007-en
Max time kernel
112s
Max time network
112s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\C49207AD5A23EC96\E79900.exe = "C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe:*:Enabled:@xpsp2res.dll,-28956246" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\C49207AD5A23EC96\E79900.exe = "C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe:*:Enabled:@xpsp2res.dll,-53342401" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\C49207AD5A23EC96\E79900.exe = "C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe:*:Enabled:@xpsp2res.dll,-57951861" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\C49207AD5A23EC96\E79900.exe = "C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe:*:Enabled:@xpsp2res.dll,-70554750" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
Disables Task Manager via registry modification
Disables taskbar notifications via registry modification
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fp-win_trial.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\killprocesssetup161.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\popscan.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmain.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet32.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fch32.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot95.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avnt.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nsched32.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeweb.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symtray.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avnotify.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nui.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellspyinstall.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nmain.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleToolbarInstaller_download_signed.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antigen.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpromenu.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgavrtcl.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rescue32.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setupvameeval.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autotrace.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navex15.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ndd32.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsm32.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalarm.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkwctl9.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wrctrl.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapsetup3001.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winhlpp32.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wrctrl.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmitfraudFix.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mdll.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcc2k_76_1436.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcontrol.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wfindv32.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wnt.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLVIEW.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccshtdwn.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfweng3.02d30.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icssuppnt.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tca.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xscan.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweep.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vet95.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SandboxieDcomLaunch.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amon.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jed.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav8win32eng.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdate.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavproxy.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SELFCERT.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpnt.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fnrb32.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccmain.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\watchdog.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shstat.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcc32.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapw32.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| N/A | N/A | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\cval = "1" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254003743208BA6735D23877EED = "C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXCELCNV.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IE4UINIT.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IELOWUTIL.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEUNATT.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRESENTATIONHOST.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPLWOW64.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ONENOTE.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SDXHELPER.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACRORD32INFO.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEINSTAL.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEXPLORE.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSFEEDSSYNC.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSHTA.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NGENTASK.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WORDCONV.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACRORD32.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MICROSOFTEDGEUPDATE.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSQRY32.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\POWERPNT.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SELFCERT.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SVCHOST.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSCORSVW.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOADFSB.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOASB.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOXMLED.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GRAPH.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOSYNC.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NGEN.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRINTDIALOG.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SETLANG.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINWORD.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLVIEW.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GOOGLEUPDATE.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOHTMED.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ORGCHART.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPOOLSV.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXCEL.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXTEXPORT.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOSREC.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RUNTIMEBROKER.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SYSTEMSETTINGS.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ONENOTEM.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRINTISOLATIONHOST.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RDRCEF.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RDRSERVICESUPDATER.EXE | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 804 set thread context of 3512 | N/A | C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe | C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe |
| PID 4848 set thread context of 5008 | N/A | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | C:\Users\Admin\C49207AD5A23EC96\E79900.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Sound | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Sound\Beep = "no" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Download | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://j2u62y9ze54xp71.directorio-w.com" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://z1ze3hry4wojqc9.directorio-w.com" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://s4dm8zrx034277h.directorio-w.com" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://x2fl1di5z4ajzy3.directorio-w.com" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://ns65ov7a287547j.directorio-w.com" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://347dlydy96i281r.directorio-w.com" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Local Page = "http://0w6w120508y6cq7.directorio-w.com" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Local Page = "http://lj65183ctm0xxyh.directorio-w.com" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://10a9ou2617g1lwk.directorio-w.com" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://wk8190lk1s52scc.directorio-w.com" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| N/A | N/A | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| N/A | N/A | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| N/A | N/A | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe | N/A |
| N/A | N/A | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| N/A | N/A | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| N/A | N/A | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| N/A | N/A | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe | "C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe" |
| C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe | "C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe" |
| C:\Users\Admin\C49207AD5A23EC96\E79900.exe | "C:\Users\Admin\C49207AD5A23EC96\E79900.exe" 71E6EEDD |
| C:\Users\Admin\C49207AD5A23EC96\E79900.exe | "C:\Users\Admin\C49207AD5A23EC96\E79900.exe" |
| C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cloud.ns1.dnsdynnet.com | udp |
| US | 8.8.8.8:53 | whos.amung.us | udp |
| US | 104.22.75.171:80 | whos.amung.us | tcp |
| US | 8.8.8.8:53 | widgets.amung.us | udp |
| US | 172.67.8.141:80 | widgets.amung.us | tcp |
| US | 8.8.8.8:53 | 171.75.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.8.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.buscaid.com | udp |
| US | 72.14.185.43:80 | www.buscaid.com | tcp |
| US | 72.14.185.43:80 | www.buscaid.com | tcp |
| US | 72.14.185.43:80 | www.buscaid.com | tcp |
| US | 72.14.185.43:80 | www.buscaid.com | tcp |
| US | 72.14.185.43:80 | www.buscaid.com | tcp |
| US | 72.14.185.43:80 | www.buscaid.com | tcp |
| US | 8.8.8.8:53 | 43.185.14.72.in-addr.arpa | udp |
| US | 72.14.185.43:80 | www.buscaid.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
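The registry tables above (Internet Explorer settings and start page, registry class, system policy) and the Network table carry the indicators a responder needs, but only as display rows. The script below is an added example, not part of this report or of the sandbox's own tooling: it parses rows in that format and extracts the UAC policy state, the browser-hijack hosts, the rewritten URL protocol handlers, the relaxed download signature checks and the contacted hosts. The embedded SAMPLE_REPORT is a subset of rows copied from the tables above; every function and constant name is the example's own, and it assumes no table cell contains the " | " separator.

```python
"""Triage helpers for a sandbox report in the shape of the tables above.
Added example, not the report's or the sandbox's own code: it re-parses the
signature rows (Description/Indicator/Process/Target) and the network rows
(Country/Destination/Domain/Proto) and pulls out UAC state, browser-hijack
hosts, rewritten URL protocol handlers, relaxed download checks and contacted
hosts. Assumes no cell contains the " | " separator (true for this report)."""
import re
from urllib.parse import urlparse

# Indicator column: <key>\<value name> = "<value>"; the name is '' for a key's default value.
SET_VALUE_RE = re.compile(r'^(?P<key>.+?)\\(?P<name>[^\\]*) = "(?P<value>.*)"$')
HANDLER_RE = re.compile(r"\\classes\\(?P<scheme>[a-z]+)\\shell\\open\\command$", re.I)
UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Subset of rows copied from the tables above, embedded so the script runs offline.
SAMPLE_REPORT = r"""
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://j2u62y9ze54xp71.directorio-w.com" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://10a9ou2617g1lwk.directorio-w.com" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Users\Admin\C49207AD5A23EC96\E79900.exe | N/A |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | whos.amung.us | udp |
| US | 104.22.75.171:80 | whos.amung.us | tcp |
| US | 72.14.185.43:80 | www.buscaid.com | tcp |
"""

def parse_report(text):
    """Yield (section, row): a non-table line starts a section, the next table line is its header."""
    section, headers = None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if not (line.startswith("|") and line.endswith("|")):
            section, headers = line, None
            continue
        cells = [c.strip() for c in line[1:-1].split(" | ")]
        if headers is None:
            headers = cells
        else:
            yield section, dict(zip(headers, cells))

def registry_writes(text):
    """(key, value name, value) for each 'Set value' row; the report's
    backslash/quote escaping of the value is undone."""
    writes = []
    for _section, row in parse_report(text):
        m = SET_VALUE_RE.match(row.get("Indicator", ""))
        if m and row.get("Description", "").startswith("Set value"):
            value = m["value"].replace('\\"', '"').replace("\\\\", "\\")
            writes.append((m["key"], m["name"], value))
    return writes

def uac_state(text):
    """Policies\\System values written, and whether they weaken UAC: EnableLUA=0 turns
    UAC off at next boot, ConsentPromptBehaviorAdmin=0 lets admins elevate with no prompt."""
    values = {n: v for k, n, v in registry_writes(text) if k.lower() == UAC_KEY.lower()}
    weakened = values.get("EnableLUA") == "0" or values.get("ConsentPromptBehaviorAdmin") == "0"
    return values, weakened

def hijack_hosts(text):
    """Hostnames written into Internet Explorer's Main key (start/search/default/local page), either hive."""
    return sorted({urlparse(v).hostname for k, _n, v in registry_writes(text)
                   if "\\internet explorer\\main" in k.lower() and v.startswith("http")})

def redirected_handlers(text):
    """scheme -> command for URL protocol handlers whose default value was rewritten under Classes."""
    out = {}
    for k, n, v in registry_writes(text):
        m = HANDLER_RE.search(k)
        if m and n == "":
            out[m["scheme"].lower()] = v
    return out

def download_checks_relaxed(text):
    """True if IE was told to skip signature checks or to run badly signed downloads."""
    flags = {n: v for k, n, v in registry_writes(text)
             if k.lower().endswith("\\internet explorer\\download")}
    return flags.get("CheckExeSignatures", "").lower() == "no" or flags.get("RunInvalidSignatures") == "1"

def network_iocs(text):
    """(domains, tcp endpoints) from the Network table, skipping in-addr.arpa reverse-lookup rows."""
    rows = [r for _s, r in parse_report(text) if "Domain" in r and not r["Domain"].endswith(".in-addr.arpa")]
    domains = sorted({r["Domain"] for r in rows})
    endpoints = sorted({r["Destination"] for r in rows if r.get("Proto") == "tcp"})
    return domains, endpoints
```

The UAC verdict is the first result to act on: EnableLUA=0 takes effect at the next reboot and removes elevation prompts for everything the user runs afterwards, so reverting it belongs to cleanup, not only to detection. The hijack hosts are per-run random labels under one registrable domain, so block on the parent domain rather than the individual hostnames.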
Files
memory/3512-2-0x0000000000400000-0x0000000000446000-memory.dmp
memory/3512-4-0x0000000000400000-0x0000000000446000-memory.dmp
memory/3512-6-0x0000000000400000-0x0000000000446000-memory.dmp
C:\Users\Admin\C49207AD5A23EC96\E79900.exe
| MD5 | a3ad2b121987342a92275b4ed4fccf10 |
| SHA1 | 965219ef6bac815e09842f960aeb2650dbe3e201 |
| SHA256 | fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01f |
| SHA512 | 2ebf1f1840d92860e97332309c4c14ec1bed97e67c0a8671aecf85fe9f818d23bb7070a9d79a0497b8f6e4e5c3eba9e8142c639c354480e7859e6b072928beb3 |
The SHA256 matches the submitted sample, so the dropped E79900.exe is a byte-for-byte copy of the original executable under a new name and directory.
memory/3512-19-0x0000000000400000-0x0000000000446000-memory.dmp
memory/5008-1891-0x0000000000400000-0x0000000000446000-memory.dmp
memory/5008-1893-0x0000000000400000-0x0000000000446000-memory.dmp
memory/5008-1894-0x0000000000400000-0x0000000000446000-memory.dmp