Resubmissions
20-09-2020 09:53  200920-9rh6v6y6ga  10
20-09-2020 09:09  200920-94a3wvdaln  10
20-09-2020 07:26  200920-gyqrj2hcqj  10
20-09-2020 07:11  200920-xak2q5j4ha  10
Analysis
max time kernel: 300s
max time network: 293s
platform: windows10_x64
resource: win10
submitted: 20-09-2020 09:09

Static task: static1
Behavioral task: behavioral1
Sample: ioxyfx.dat.exe
Resource: win7v200722
Behavioral task: behavioral2
Sample: ioxyfx.dat.exe
Resource: win10
General
Target: ioxyfx.dat.exe
Size: 7.1MB
MD5: d5f9fa1a8dca5319432f51a5891f7794
SHA1: 2a937328f5b99eccb9b8c13ed71d6ffb9dff4521
SHA256: 18f4123ee42f5a29f8df7bd1cf95ab73441f082584f390aa218c2dd1134f4055
SHA512: 87013b63a9b153c5268784928394dfbf1eeff1b91eea6bdf187025e63d25c535e468e59a33f47d23682a386605bb314311e50a7edd1d6deb1b60f5008237a7d0
Malware Config
Signatures
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
PID 4676: mpcmdrun.exe
Zhen Executable 2 IoCs
behavioral2/files/0x0009000000000687-3.dat: family_zhen
behavioral2/files/0x0009000000000687-4.dat: family_zhen
Zhen Ransomware
First seen in September 2020. Drops ransomnote as .ini file.
Executes dropped EXE 2 IoCs
PID 2984: ioxyfx.dat.exe
PID 4732: x64.exe
Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked (LogonUI.exe)
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
File created C:\Users\Admin\Pictures\ReadClose.crw.zhen (ioxyfx.dat.exe)
File created C:\Users\Admin\Pictures\ResetMerge.crw.zhen (ioxyfx.dat.exe)
File created C:\Users\Admin\Pictures\GroupBlock.crw.zhen (ioxyfx.dat.exe)
File created C:\Users\Admin\Pictures\SendInvoke.png.zhen (ioxyfx.dat.exe)
File created C:\Users\Admin\Pictures\StopConvert.png.zhen (ioxyfx.dat.exe)
Possible privilege escalation attempt 2 IoCs
PID 4440: takeown.exe
PID 4540: icacls.exe
Loads dropped DLL 2 IoCs
PID 2984: ioxyfx.dat.exe
PID 2984: ioxyfx.dat.exe
Modifies file permissions 1 TTPs 2 IoCs
PID 4440: takeown.exe
PID 4540: icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QWNNGG = "\"C:\\ProgramData\\ioxyfx.dat.exe\" -ui" (ioxyfx.dat.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\QWNNGG = "\"C:\\ProgramData\\ioxyfx.dat.exe\" -ui" (ioxyfx.dat.exe)
Drops file in System32 directory 6 IoCs
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat (OfficeClickToRun.exe)
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db (OfficeClickToRun.exe)
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal (OfficeClickToRun.exe)
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm (OfficeClickToRun.exe)
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4 (OfficeClickToRun.exe)
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4 (OfficeClickToRun.exe)
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\1.bmp" (ioxyfx.dat.exe)
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 1 IoCs
File opened for modification C:\Windows\Web\Wallpaper\Windows\img0.jpg (ioxyfx.dat.exe)
Detects Pyinstaller 2 IoCs
behavioral2/files/0x0009000000000687-3.dat: pyinstaller
behavioral2/files/0x0009000000000687-4.dat: pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (OfficeClickToRun.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (OfficeClickToRun.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (OfficeClickToRun.exe)
Enumerates system info in registry 2 TTPs 3 IoCs
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (OfficeClickToRun.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (OfficeClickToRun.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (OfficeClickToRun.exe)
Kills process with taskkill 7 IoCs
PID 992: taskkill.exe
PID 3272: taskkill.exe
PID 1844: taskkill.exe
PID 2292: taskkill.exe
PID 2156: taskkill.exe
PID 200: taskkill.exe
PID 1004: taskkill.exe
Modifies Control Panel 4 IoCs
Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\TileWallpaper = "0" (ioxyfx.dat.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\WallpaperStyle = "10" (ioxyfx.dat.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\OriginalWallpaper = "C:\\ProgramData\\1.bmp" (ioxyfx.dat.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\ProgramData\\1.bmp" (ioxyfx.dat.exe)
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 64 IoCs
= "IMSWinsockControl" ioxyfx.dat.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID ioxyfx.dat.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0 ioxyfx.dat.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D} ioxyfx.dat.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl" ioxyfx.dat.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 ioxyfx.dat.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 ioxyfx.dat.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32 ioxyfx.dat.exe -
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid Process
2984 ioxyfx.dat.exe
2984 ioxyfx.dat.exe
2984 ioxyfx.dat.exe
2984 ioxyfx.dat.exe
2984 ioxyfx.dat.exe
2984 ioxyfx.dat.exe
2984 ioxyfx.dat.exe
2984 ioxyfx.dat.exe
2984 ioxyfx.dat.exe
2984 ioxyfx.dat.exe
2984 ioxyfx.dat.exe
2984 ioxyfx.dat.exe
2984 ioxyfx.dat.exe
2984 ioxyfx.dat.exe
2984 ioxyfx.dat.exe
2984 ioxyfx.dat.exe
2984 ioxyfx.dat.exe
2984 ioxyfx.dat.exe
4732 x64.exe
4732 x64.exe
4732 x64.exe
4732 x64.exe
4732 x64.exe
4732 x64.exe
4732 x64.exe
4732 x64.exe
4732 x64.exe
4732 x64.exe
4732 x64.exe
4732 x64.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
2984 ioxyfx.dat.exe
-
Suspicious behavior: LoadsDriver 64 IoCs
pid Process
4536 Process not Found
4672 Process not Found
4264 Process not Found
1972 Process not Found
4760 Process not Found
184 Process not Found
892 Process not Found
3672 Process not Found
4496 Process not Found
1992 Process not Found
3424 Process not Found
2008 Process not Found
3968 Process not Found
4752 Process not Found
4620 Process not Found
2964 Process not Found
4712 Process not Found
4464 Process not Found
5068 Process not Found
4644 Process not Found
488 Process not Found
4368 Process not Found
4224 Process not Found
4704 Process not Found
4416 Process not Found
4036 Process not Found
4436 Process not Found
1904 Process not Found
2716 Process not Found
4780 Process not Found
884 Process not Found
1796 Process not Found
2888 Process not Found
1268 Process not Found
1316 Process not Found
4056 Process not Found
4292 Process not Found
3724 Process not Found
268 Process not Found
3108 Process not Found
4356 Process not Found
3696 Process not Found
1256 Process not Found
280 Process not Found
4116 Process not Found
4104 Process not Found
4872 Process not Found
4296 Process not Found
4716 Process not Found
5008 Process not Found
3804 Process not Found
3612 Process not Found
2748 Process not Found
188 Process not Found
1412 Process not Found
772 Process not Found
4788 Process not Found
1788 Process not Found
4008 Process not Found
1928 Process not Found
4684 Process not Found
5092 Process not Found
3956 Process not Found
4772 Process not Found
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process
Token: SeBackupPrivilege 2468 vssvc.exe
Token: SeRestorePrivilege 2468 vssvc.exe
Token: SeAuditPrivilege 2468 vssvc.exe
Token: SeDebugPrivilege 1004 taskkill.exe
Token: SeDebugPrivilege 992 taskkill.exe
Token: SeDebugPrivilege 3272 taskkill.exe
Token: SeDebugPrivilege 2156 taskkill.exe
Token: SeDebugPrivilege 2292 taskkill.exe
Token: SeDebugPrivilege 1844 taskkill.exe
Token: SeDebugPrivilege 200 taskkill.exe
Token: SeTakeOwnershipPrivilege 4440 takeown.exe
Token: SeDebugPrivilege 4732 x64.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process
3652 ioxyfx.dat.exe
2984 ioxyfx.dat.exe
1540 OfficeClickToRun.exe
2208 LogonUI.exe
2208 LogonUI.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3652 wrote to memory of 2984 3652 ioxyfx.dat.exe 73
PID 3652 wrote to memory of 2984 3652 ioxyfx.dat.exe 73
PID 3652 wrote to memory of 2984 3652 ioxyfx.dat.exe 73
PID 2984 wrote to memory of 1004 2984 ioxyfx.dat.exe 81
PID 2984 wrote to memory of 1004 2984 ioxyfx.dat.exe 81
PID 2984 wrote to memory of 1004 2984 ioxyfx.dat.exe 81
PID 2984 wrote to memory of 992 2984 ioxyfx.dat.exe 82
PID 2984 wrote to memory of 992 2984 ioxyfx.dat.exe 82
PID 2984 wrote to memory of 992 2984 ioxyfx.dat.exe 82
PID 2984 wrote to memory of 3272 2984 ioxyfx.dat.exe 84
PID 2984 wrote to memory of 3272 2984 ioxyfx.dat.exe 84
PID 2984 wrote to memory of 3272 2984 ioxyfx.dat.exe 84
PID 2984 wrote to memory of 1844 2984 ioxyfx.dat.exe 86
PID 2984 wrote to memory of 1844 2984 ioxyfx.dat.exe 86
PID 2984 wrote to memory of 1844 2984 ioxyfx.dat.exe 86
PID 2984 wrote to memory of 2292 2984 ioxyfx.dat.exe 88
PID 2984 wrote to memory of 2292 2984 ioxyfx.dat.exe 88
PID 2984 wrote to memory of 2292 2984 ioxyfx.dat.exe 88
PID 2984 wrote to memory of 2156 2984 ioxyfx.dat.exe 90
PID 2984 wrote to memory of 2156 2984 ioxyfx.dat.exe 90
PID 2984 wrote to memory of 2156 2984 ioxyfx.dat.exe 90
PID 2984 wrote to memory of 200 2984 ioxyfx.dat.exe 92
PID 2984 wrote to memory of 200 2984 ioxyfx.dat.exe 92
PID 2984 wrote to memory of 200 2984 ioxyfx.dat.exe 92
PID 2984 wrote to memory of 4440 2984 ioxyfx.dat.exe 100
PID 2984 wrote to memory of 4440 2984 ioxyfx.dat.exe 100
PID 2984 wrote to memory of 4440 2984 ioxyfx.dat.exe 100
PID 2984 wrote to memory of 4540 2984 ioxyfx.dat.exe 103
PID 2984 wrote to memory of 4540 2984 ioxyfx.dat.exe 103
PID 2984 wrote to memory of 4540 2984 ioxyfx.dat.exe 103
PID 2984 wrote to memory of 4676 2984 ioxyfx.dat.exe 106
PID 2984 wrote to memory of 4676 2984 ioxyfx.dat.exe 106
PID 2984 wrote to memory of 4732 2984 ioxyfx.dat.exe 108
PID 2984 wrote to memory of 4732 2984 ioxyfx.dat.exe 108
PID 2984 wrote to memory of 4824 2984 ioxyfx.dat.exe 110
PID 2984 wrote to memory of 4824 2984 ioxyfx.dat.exe 110
PID 2984 wrote to memory of 4824 2984 ioxyfx.dat.exe 110
PID 2984 wrote to memory of 4836 2984 ioxyfx.dat.exe 111
PID 2984 wrote to memory of 4836 2984 ioxyfx.dat.exe 111
PID 2984 wrote to memory of 4836 2984 ioxyfx.dat.exe 111
PID 2984 wrote to memory of 4848 2984 ioxyfx.dat.exe 112
PID 2984 wrote to memory of 4848 2984 ioxyfx.dat.exe 112
PID 2984 wrote to memory of 4848 2984 ioxyfx.dat.exe 112
PID 2984 wrote to memory of 4876 2984 ioxyfx.dat.exe 115
PID 2984 wrote to memory of 4876 2984 ioxyfx.dat.exe 115
PID 2984 wrote to memory of 4876 2984 ioxyfx.dat.exe 115
PID 2984 wrote to memory of 4916 2984 ioxyfx.dat.exe 117
PID 2984 wrote to memory of 4916 2984 ioxyfx.dat.exe 117
PID 2984 wrote to memory of 4916 2984 ioxyfx.dat.exe 117
PID 2984 wrote to memory of 4952 2984 ioxyfx.dat.exe 119
PID 2984 wrote to memory of 4952 2984 ioxyfx.dat.exe 119
PID 2984 wrote to memory of 4952 2984 ioxyfx.dat.exe 119
PID 2984 wrote to memory of 4984 2984 ioxyfx.dat.exe 121
PID 2984 wrote to memory of 4984 2984 ioxyfx.dat.exe 121
PID 2984 wrote to memory of 4984 2984 ioxyfx.dat.exe 121
PID 2984 wrote to memory of 5016 2984 ioxyfx.dat.exe 123
PID 2984 wrote to memory of 5016 2984 ioxyfx.dat.exe 123
PID 2984 wrote to memory of 5016 2984 ioxyfx.dat.exe 123
PID 2984 wrote to memory of 5056 2984 ioxyfx.dat.exe 125
PID 2984 wrote to memory of 5056 2984 ioxyfx.dat.exe 125
PID 2984 wrote to memory of 5056 2984 ioxyfx.dat.exe 125
PID 2984 wrote to memory of 5116 2984 ioxyfx.dat.exe 127
PID 2984 wrote to memory of 5116 2984 ioxyfx.dat.exe 127
PID 2984 wrote to memory of 5116 2984 ioxyfx.dat.exe 127
Processes
-
C:\Users\Admin\AppData\Local\Temp\ioxyfx.dat.exe
  "C:\Users\Admin\AppData\Local\Temp\ioxyfx.dat.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3652
    C:\ProgramData\ioxyfx.dat.exe
      C:\ProgramData\ioxyfx.dat.exe
      - Executes dropped EXE
      - Modifies extensions of user files
      - Loads dropped DLL
      - Adds Run key to start application
      - Sets desktop wallpaper using registry
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies data under HKEY_USERS
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:2984
        C:\Windows\SysWOW64\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /F /IM MSExchange*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID:1004
        C:\Windows\SysWOW64\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /F /IM Microsoft*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID:992
        C:\Windows\SysWOW64\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /F /IM ora*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID:3272
        C:\Windows\SysWOW64\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /F /IM tns*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID:1844
        C:\Windows\SysWOW64\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /F /IM mysql*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID:2292
        C:\Windows\SysWOW64\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /F /IM sql*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID:2156
        C:\Windows\SysWOW64\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /F /IM postgres*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID:200
        C:\Windows\SysWOW64\takeown.exe
          "C:\Windows\System32\takeown.exe" /F C:\Windows\Web\Wallpaper\Windows\img0.jpg
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
          PID:4440
        C:\Windows\SysWOW64\icacls.exe
          "C:\Windows\System32\icacls.exe" C:\Windows\Web\Wallpaper\Windows\img0.jpg /grant Users:F
          - Possible privilege escalation attempt
          - Modifies file permissions
          PID:4540
        C:\Program Files\Windows Defender\mpcmdrun.exe
          "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
          - Deletes Windows Defender Definitions
          PID:4676
        C:\ProgramData\x64.exe
          C:\ProgramData\x64.exe 04298718c4ed4c0a282605560f30b8f0::72a50cf6d7d1042c8b2514f9768fa499 cfad00e8748eaea::7e9372bd97ed3aec6 25427320e7f946c9::7c3a5807a37a26a9 39d6c0440ea63b::33854dce8ddd35e877 exit
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:4732
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 0  PID:4824
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 1  PID:4836
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 2  PID:4848
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 3  PID:4876
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 4  PID:4916
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 5  PID:4952
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 6  PID:4984
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 7  PID:5016
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 8  PID:5056
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 9  PID:5116
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 10  PID:256
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 11  PID:248
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 12  PID:3856
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 13  PID:1168
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 14  PID:988
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 15  PID:3852
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 16  PID:252
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 17  PID:4080
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 18  PID:1712
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 19  PID:4152
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 20  PID:576
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 21  PID:2628
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 22  PID:2552
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 23  PID:1328
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 24  PID:4404
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 25  PID:4584
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 26  PID:4664
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 27  PID:4720
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 28  PID:4520
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 29  PID:4776
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 30  PID:4756
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 31  PID:1160
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 32  PID:1524
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 33  PID:408
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 34  PID:1476
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 35  PID:4320
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 36  PID:1380
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 37  PID:4108
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 38  PID:3668
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 39  PID:4588
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 40  PID:4832
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 41  PID:4976
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 42  PID:272
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 43  PID:4140
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 44  PID:2560
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 45  PID:4524
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 46  PID:3784
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 47  PID:5060
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 48  PID:5096
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 49  PID:4784
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 50  PID:4940
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 51  PID:5104
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 52  PID:4948
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 53  PID:5088
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 54  PID:3036
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 55  PID:5048
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 56  PID:2564
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 57  PID:2424
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 58  PID:4680
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 59  PID:4560
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 60  PID:2408
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 61  PID:2612
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 62  PID:1952
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 63  PID:5080
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 64  PID:924
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 65  PID:2404
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 66  PID:2992
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 67  PID:3716
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 68  PID:2508
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 69  PID:4924
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 70  PID:1008
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 71  PID:4572
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 72  PID:5024
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 73  PID:4668
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 74  PID:4768
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 75  PID:724
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 76  PID:5100
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 77  PID:4420
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 78  PID:4808
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 79  PID:4764
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c logoff 80  PID:4144
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1540
-
C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
-
C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0 /state0:0xa3ad6055 /state1:0x41c64e6d
  - Modifies WinLogon to allow AutoLogon
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2208