Analysis
max time kernel: 147s
max time network: 148s
platform: windows10_x64
resource: win10v200430
submitted: 04-05-2020 23:30

Static task: static1

Behavioral task: behavioral1
Sample: 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
Resource: win7v200430

Behavioral task: behavioral2
Sample: 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
Resource: win10v200430

General
Target: 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
Size: 69KB
MD5: 3a601ee68000508d58ea12203449a202
SHA1: 9068567b2b3fdae864ca9b1fb9013d0305e3ca83
SHA256: 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5
SHA512: 176d60567b2bcf89aa6338f3f14b22ee2592e4ea6349c0a51d67e5b7655de611c2a6e58495cab8d9c5c26deaef03ad19852a0f32cd37466fa3241d61395527b0
Malware Config

Extracted: C:\odt\825A98-Readme.txt
Family: netwalker
URL: http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

Extracted: C:\Users\Admin\Desktop\825A98-Readme.txt
Family: netwalker
URL: http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

Extracted: C:\Users\Admin\Pictures\825A98-Readme.txt
Family: netwalker
URL: http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

Extracted: C:\Users\Admin\AppData\Local\TileDataLayer\Database\825A98-Readme.txt
Family: netwalker
URL: http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

Extracted: C:\Users\Admin\AppData\Roaming\825A98-Readme.txt
Family: netwalker
URL: http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

Extracted: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\825A98-Readme.txt
Family: netwalker
URL: http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

Extracted: C:\Program Files\7-Zip\Lang\825A98-Readme.txt
Family: netwalker
URL: http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

Extracted: C:\Program Files\7-Zip\Lang\825A98-Readme.txt
Family: netwalker
URL: http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

Extracted: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\825A98-Readme.txt
Family: netwalker
URL: http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
Signatures

Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Suspicious behavior: EnumeratesProcesses 18380 IoCs
Processes:
  pid | process
  2536 | 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
Suspicious use of FindShellTrayWindow 44 IoCs
Processes:
  pid | process
  7512 | explorer.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid | process
  1236 | vssadmin.exe
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | explorer.exe
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000 | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags | explorer.exe
Modifies control panel 5 IoCs
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Control Panel\Desktop\TranscodedImageCount = "1" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Control Panel\Desktop\LastUpdated = "4294967295" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Control Panel\Colors | ShellExperienceHost.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Control Panel\Colors | SearchUI.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Control Panel\Desktop | explorer.exe
Modifies registry class 66 IoCs
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" | SearchUI.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668} | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | explorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana | SearchUI.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0" | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | SearchUI.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" | SearchUI.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = ffffffff | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6" | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" | SearchUI.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | SearchUI.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | SearchUI.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" | SearchUI.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 | explorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage | SearchUI.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana | SearchUI.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193" | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" | explorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132327256683013728" | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f80cb859f6720028040b29b5540cc05aab60000 | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 3a002e80922b16d365937a46956b92703aca08af260001002600efbe110000002ab0de50f01ed601f7b880c77c22d601f7b880c77c22d60114000000 | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\NodeSlot = "3" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Documents" | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | SearchUI.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | SearchUI.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | SearchUI.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | SearchUI.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana | SearchUI.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48" | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState | SearchUI.exe
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana | SearchUI.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | SearchUI.exe
Netwalker
Ransomware believed to be a variant of MailTo.
-
Suspicious use of AdjustPrivilegeToken 106 IoCs
Processes: 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe, vssvc.exe, explorer.exe
description pid process
Token: SeDebugPrivilege 2536 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
Token: SeImpersonatePrivilege 2536 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
Token: SeBackupPrivilege 4776 vssvc.exe
Token: SeRestorePrivilege 4776 vssvc.exe
Token: SeAuditPrivilege 4776 vssvc.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
Token: SeCreatePagefilePrivilege 7512 explorer.exe
Token: SeShutdownPrivilege 7512 explorer.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes: 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe, cmd.exe
description pid process target process
PID 2536 wrote to memory of 1236 2536 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe vssadmin.exe
PID 2536 wrote to memory of 1236 2536 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe vssadmin.exe
PID 2536 wrote to memory of 8640 2536 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe notepad.exe
PID 2536 wrote to memory of 8640 2536 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe notepad.exe
PID 2536 wrote to memory of 8640 2536 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe notepad.exe
PID 2536 wrote to memory of 4960 2536 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe cmd.exe
PID 2536 wrote to memory of 4960 2536 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe cmd.exe
PID 2536 wrote to memory of 4960 2536 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe cmd.exe
PID 4960 wrote to memory of 10232 4960 cmd.exe taskkill.exe
PID 4960 wrote to memory of 10232 4960 cmd.exe taskkill.exe
PID 4960 wrote to memory of 10232 4960 cmd.exe taskkill.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes: ShellExperienceHost.exe, SearchUI.exe, explorer.exe
pid process
4204 ShellExperienceHost.exe
4204 ShellExperienceHost.exe
4756 SearchUI.exe
7512 explorer.exe
7512 explorer.exe
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes: SearchUI.exe
description ioc process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchUI.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchUI.exe
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes: explorer.exe
description ioc process
Key created \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: explorer.exe
pid process
7512 explorer.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: explorer.exe
pid process
7512 explorer.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 17157 IoCs
Processes: 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
description ioc process
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOCRRES.ORP 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-150.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ul-oob.xrm-ms 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\MapsSplashScreen.scale-100.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\WINWORD.VisualElementsManifest.xml 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\825A98-Readme.txt 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-phn.xrm-ms 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeLargeTile.scale-400.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\combinepdf-tool-view.js 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\825A98-Readme.txt 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-pl.xrm-ms 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Fable\fable_12h.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-20_altform-unplated_contrast-black.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Microsoft.Xbox.SmartGlass.Controls\WebBrowser.xaml 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5666_40x40x32.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7EN.LEX 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\PREVIEW.GIF 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\er_60x42.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-white\LargeLogo.scale-150_contrast-white.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-256.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File created C:\Program Files\VideoLAN\VLC\lua\modules\825A98-Readme.txt 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\sx_16x11.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\PREVIEW.GIF 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pl_get.svg 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\vlc.mo 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\bike.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\headbang.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200_contrast-high.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ppd.xrm-ms 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\ir_16x11.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.PNG 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\circle_2x.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedbck2.gif 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\en-US.Calendar.model 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\825A98-Readme.txt 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\da_get.svg 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sql70.xsl 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Wide310x150Logo.scale-125.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\bo_16x11.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\Movie-TVStoreLogo.scale-150.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-80_altform-unplated.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\ui-strings.js 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\AXIS.INF 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GB.XSL 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\svgCheckboxUnselected.svg 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarMediumTile.scale-100.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\dd_arrow_small2x.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hr-hr\ui-strings.js 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailLargeTile.scale-125.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\emo.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-60.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\7-Zip\Lang\ka.txt 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8080_36x36x32.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-cn\ui-strings.js 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsWideTile.contrast-black_scale-200.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sqlpdw.xsl 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-80.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\ui-strings.js 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Moon_icon.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\SmallTile.scale-125.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-32.png 27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Suspicious use of SendNotifyMessage 180 IoCs
Processes: explorer.exe
pid process
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
7512 explorer.exe
-
Modifies service 2 TTPs 5 IoCs
Processes: vssvc.exe
description ioc process
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe
-
Kills process with taskkill 1 IoCs
Processes: taskkill.exe
pid process
10232 taskkill.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe
"C:\Users\Admin\AppData\Local\Temp\27319e75c23693399977e92b9a7ba5680a7a9db448f93b3221840c61301604d5.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Drops file in Program Files directory
-
    C:\Windows\system32\vssadmin.exe
    C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies
    -
    C:\Windows\SysWOW64\notepad.exe
    C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\825A98-Readme.txt"
    -
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4A4.tmp.bat"
    - Suspicious use of WriteProcessMemory
    -
        C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /PID 2536
        - Kills process with taskkill
        -
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
- Modifies service
-
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\825A98-Readme.txt
-
C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\feb66bc064d241779cc7f2fb093eb19a /t 3016 /p 3012
-
C:\Windows\explorer.exe
explorer.exe
- Checks whether UAC is enabled
- Suspicious use of FindShellTrayWindow
- Modifies Internet Explorer settings
- Checks SCSI registry key(s)
- Modifies control panel
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Modifies Installed Components in the registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
- Modifies control panel
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
- Modifies control panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Enumerates system info in registry
-
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\4A4.tmp.bat
-
C:\Users\Admin\Desktop\825A98-Readme.txt
-
C:\Users\Admin\Desktop\825A98-Readme.txt
-
memory/7512-1-0x0000000008420000-0x0000000008421000-memory.dmp
Filesize 4KB
-
memory/7512-3-0x0000000008420000-0x0000000008421000-memory.dmp
Filesize 4KB