Overview
overview
10Static
static
8ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
4Resubmissions
18-11-2020 14:18
201118-dj27sn3f52 1018-11-2020 13:42
201118-1arz86e7w6 1018-11-2020 13:38
201118-n8jh228ctn 10Analysis
-
max time kernel
1801s -
max time network
1804s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18-11-2020 13:42
Static task
static1
Behavioral task
behavioral1
Sample
2019-09-02_22-41-10.bin.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
31.bin.exe
Resource
win10v20201028
agenttesladanabotdharmaformbookgozi_rm3guloaderqakbotwarzonerat86920224spx1291590734339agilenetbankerbotnetcoreentitycryptonedownloaderevasionguloaderinfostealerkeyloggerpackerpersistenceransomwareratrezer0spywarestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral3
Sample
3DMark 11 Advanced Edition.bin.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral4
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.bin.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral5
Sample
CVE-2018-15982_PoC.swf
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral6
Sample
DiskInternals_Uneraser_v5_keygen.bin.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral7
Sample
ForceOp 2.8.7 - By RaiSence.bin.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral8
Sample
HYDRA.bin.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral9
Sample
Keygen.bin.exe
Resource
win10v20201028
asyncratazorultmodiloaderoskiraccoonc6f4c67877b4427c759f396ca4c1dff4761d3cc9discoveryevasioninfostealerpersistenceratspywarestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral10
Sample
LtHv0O2KZDK4M637.bin.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral11
Sample
OnlineInstaller.bin.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral12
Sample
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.bin.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral13
Sample
Treasure.Vault.3D.Screensaver.keygen.by.Paradox.bin.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral14
Sample
VyprVPN.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral15
Sample
WSHSetup[1].bin.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral16
Sample
api.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral17
Sample
efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral18
Sample
good.bin.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral19
Sample
infected dot net installer.bin.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral20
Sample
update.bin.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral21
Sample
vir1.xls
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral22
Sample
xNet.dll
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral23
Sample
1.bin.exe
Resource
win10v20201028
agenttesladanabotdharmaformbookgozi_rm3guloadernanocoreqakbotwarzonerat86920224spx1291590734339agilenetbankerbotnetcoreentitycryptonedownloaderevasionguloaderinfostealerkeyloggerpackerpersistenceransomwareratrezer0spywarestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral24
Sample
VPN/VyprVPN.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral25
Sample
VPN/xNet.dll
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral26
Sample
WSHSetup[1].bin.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
Malware Config
Extracted
Family
formbook
Version
4.0
C2
http://www.worstig.com/w9z/
Decoy
crazzysex.com
hanferd.com
gteesrd.com
bayfrontbabyplace.com
jicuiquan.net
relationshiplink.net
ohchacyberphoto.com
kauegimenes.com
powerful-seldom.com
ketotoken.com
make-money-online-success.com
redgoldcollection.com
hannan-football.com
hamptondc.com
vllii.com
aa8520.com
platform35markethall.com
larozeimmo.com
oligopoly.net
llhak.info
fisioservice.com
tesla-magnumopus.com
cocodrilodigital.com
pinegrovesg.com
traveladventureswithme.com
hebitaixin.com
golphysi.com
gayjeans.com
quickhire.expert
randomviews1.com
eatatnobu.com
topmabati.com
mediaupside.com
spillerakademi.com
thebowtie.store
sensomaticloadcell.com
turismodemadrid.net
yuhe89.com
wernerkrug.com
cdpogo.net
dannynhois.com
realestatestructureddata.com
matewhereareyou.net
laimeibei.ltd
sw328.com
lmwworks.net
xtremefish.com
tonerias.com
dsooneclinicianexpert.com
281clara.com
smmcommunity.net
dreamneeds.info
twocraft.com
yasasiite.salon
advk8qi.top
drabist.com
europartnersplus.com
saltbgone.com
teslaoceanic.info
bestmedicationstore.com
buynewcartab.live
prospect.money
viebrocks.com
transportationhappy.com
Extracted
Family
gozi_rm3
Attributes
-
exe_type
loader
Extracted
Family
gozi_rm3
Botnet
86920224
C2
https://sibelikinciel.xyz
Attributes
-
build
300869
-
exe_type
loader
-
server_id
12
-
url_path
index.htm
rsa_pubkey.plain
serpent.plain
Extracted
Family
formbook
Version
4.1
C2
http://www.norjax.com/app/
http://www.joomlas123.com/i0qi/
Decoy
niresandcard.com
bonusscommesseonline.com
mezhyhirya.com
paklfz.com
bespokewomensuits.com
smarteralarm.info
munespansiyon.com
pmtradehouse.com
hotmobile-uk.com
ntdao.com
zohariaz.com
www145123.com
oceanstateofstyle.com
palermofelicissima.info
yourkinas.com
pthwheel.net
vfmagent.com
xn--3v0bw66b.com
comsystematrisk.win
on9.party
isnxwa.info
my-smarfreen3.com
eareddoor.com
kfo-sonnenberg.com
conceptweaversindia.online
ledgermapping.com
fashionartandmore.com
broemail.com
bs3399.com
minds4rent.com
182man.com
dionclarke.com
naakwaley.com
huoerguosicaiwu.net
langongzi.net
haz-rnatresponse.com
confidentcharm.com
yshtjs.com
phiscalp.com
walletcasebuy.com
history.fail
al208.com
kitkatwaitressing.com
fxmetrix.com
riyacan.com
garrettfitz.com
worldaspect.win
serviciodomicilio.com
yngny.com
acaes.info
jujiangxizang.com
mysteryvacay.com
extensiverevive.com
feelgoodpainting.com
dtechconsultants.com
manufacturehealth.com
khmernature.com
archaicways.com
westlakegranturismo.com
transporteselruso.com
cultclassics.net
anne-nelson.com
warminch.com
bihusomu40.win
Extracted
Family
danabot
C2
92.204.160.54
2.56.213.179
45.153.186.47
93.115.21.29
185.45.193.50
193.34.166.247
rsa_pubkey.plain
Extracted
Path
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Ransom Note
YOUR FILES ARE ENCRYPTED
Don't worry,you can return all your files!
If you want to restore them, follow this link: email [email protected] YOUR ID
If you have not been answered via the link within 12 hours, write to us by e-mail: [email protected]
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails
Extracted
Family
qakbot
Version
324.141
Botnet
spx129
Campaign
1590734339
C2
94.10.81.239:443
94.52.160.116:443
67.0.74.119:443
175.137.136.79:443
73.232.165.200:995
79.119.67.149:443
62.38.111.70:2222
108.58.9.238:993
216.110.249.252:2222
67.209.195.198:3389
84.247.55.190:443
96.37.137.42:443
94.176.220.76:2222
173.245.152.231:443
96.227.122.123:443
188.192.75.8:995
24.229.245.124:995
71.163.225.75:443
75.71.77.59:443
104.36.135.227:443
173.173.77.164:443
207.255.161.8:2222
68.39.177.147:995
178.193.33.121:2222
72.209.191.27:443
67.165.206.193:995
64.19.74.29:995
117.199.195.112:443
75.87.161.32:995
188.173.214.88:443
173.22.120.11:2222
96.41.93.96:443
86.125.210.26:443
24.10.42.174:443
47.201.1.210:443
69.92.54.95:995
24.202.42.48:2222
47.205.231.60:443
66.26.160.37:443
65.131.44.40:995
24.110.96.149:443
108.58.9.238:443
77.159.149.74:443
74.56.167.31:443
75.137.239.211:443
47.153.115.154:995
173.172.205.216:443
184.98.104.7:995
24.46.40.189:2222
98.115.138.61:443
35.142.12.163:2222
189.231.198.212:443
47.146.169.85:443
173.21.10.71:2222
24.42.14.241:443
188.27.6.170:443
89.137.77.237:443
5.13.99.38:995
93.113.90.128:443
72.179.242.236:0
73.210.114.187:443
80.240.26.178:443
85.186.141.62:995
81.103.144.77:443
98.4.227.199:443
24.122.228.88:443
150.143.128.70:2222
47.153.115.154:443
65.116.179.83:443
50.29.181.193:995
189.140.112.184:443
142.129.227.86:443
74.134.46.7:443
220.135.31.140:2222
172.78.87.180:443
24.201.79.208:2078
97.127.144.203:2222
100.4.173.223:443
59.124.10.133:443
89.43.108.19:443
216.163.4.91:443
67.83.54.76:2222
72.204.242.138:443
24.43.22.220:995
67.250.184.157:443
78.97.145.242:443
203.198.96.239:443
104.174.71.153:2222
24.28.183.107:995
197.160.20.211:443
79.117.161.67:21
82.76.239.193:443
69.246.151.5:443
78.96.192.26:443
216.201.162.158:995
108.21.107.203:443
107.2.148.99:443
189.236.218.181:443
75.110.250.89:443
211.24.72.253:443
207.255.161.8:443
162.154.223.73:443
50.104.186.71:443
100.38.123.22:443
96.18.240.158:443
108.183.200.239:443
173.187.170.190:443
100.40.48.96:443
71.80.66.107:443
67.197.97.144:443
69.28.222.54:443
47.136.224.60:443
47.202.98.230:443
184.180.157.203:2222
104.221.4.11:2222
70.173.46.139:443
213.67.45.195:2222
71.31.160.43:22
189.159.113.190:995
98.148.177.77:443
98.116.62.242:443
68.4.137.211:443
108.227.161.27:995
173.187.103.35:443
117.216.185.86:443
75.132.35.60:443
98.219.77.197:443
24.43.22.220:443
207.255.161.8:2087
72.190.101.70:443
189.160.217.221:443
207.255.161.8:32102
24.226.137.154:443
66.222.88.126:995
108.58.9.238:995
1.40.42.4:443
47.152.210.233:443
72.45.14.185:443
82.127.193.151:2222
101.108.113.6:443
98.13.0.128:443
175.111.128.234:995
175.111.128.234:443
216.137.140.236:2222
24.191.214.43:2083
72.177.157.217:443
72.29.181.77:2078
203.106.195.139:443
98.114.185.3:443
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer 1 IoCs
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
resource yara_rule behavioral23/memory/2284-82-0x0000000004E90000-0x0000000004E92000-memory.dmp coreentity -
Danabot x86 payload 6 IoCs
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
resource yara_rule behavioral23/files/0x000200000001995f-233.dat family_danabot behavioral23/files/0x000200000001995f-234.dat family_danabot behavioral23/files/0x000200000001995f-245.dat family_danabot behavioral23/files/0x000100000001ac57-376.dat family_danabot behavioral23/files/0x000100000001ac57-375.dat family_danabot behavioral23/files/0x000100000001ac57-380.dat family_danabot -
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
AgentTesla Payload 30 IoCs
resource yara_rule behavioral23/files/0x000100000001ab93-29.dat family_agenttesla behavioral23/files/0x000100000001ab93-31.dat family_agenttesla behavioral23/files/0x000100000001abc3-188.dat family_agenttesla behavioral23/files/0x000100000001abc3-189.dat family_agenttesla behavioral23/memory/612-204-0x0000000000400000-0x000000000044E000-memory.dmp family_agenttesla behavioral23/memory/612-207-0x0000000000449E3E-mapping.dmp family_agenttesla behavioral23/memory/3964-278-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla behavioral23/memory/3964-279-0x000000000044C82E-mapping.dmp family_agenttesla behavioral23/memory/4668-331-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla behavioral23/memory/4668-332-0x000000000044CCFE-mapping.dmp family_agenttesla behavioral23/memory/4212-363-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla behavioral23/memory/4212-365-0x000000000044CF8E-mapping.dmp family_agenttesla behavioral23/memory/4736-394-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla behavioral23/memory/4736-395-0x000000000044CB3E-mapping.dmp family_agenttesla behavioral23/memory/252-433-0x000000000044A49E-mapping.dmp family_agenttesla behavioral23/memory/252-432-0x0000000000400000-0x0000000000450000-memory.dmp family_agenttesla behavioral23/memory/4736-464-0x000000000044CB3E-mapping.dmp family_agenttesla behavioral23/memory/4736-465-0x000000000044CB3E-mapping.dmp family_agenttesla behavioral23/memory/4736-466-0x000000000044CB3E-mapping.dmp family_agenttesla behavioral23/memory/4736-468-0x000000000044CB3E-mapping.dmp family_agenttesla behavioral23/memory/4736-467-0x000000000044CB3E-mapping.dmp family_agenttesla behavioral23/memory/4736-469-0x000000000044CB3E-mapping.dmp family_agenttesla behavioral23/memory/4736-470-0x000000000044CB3E-mapping.dmp family_agenttesla behavioral23/memory/4736-471-0x000000000044CB3E-mapping.dmp family_agenttesla behavioral23/memory/4736-472-0x000000000044CB3E-mapping.dmp family_agenttesla behavioral23/memory/4736-473-0x000000000044CB3E-mapping.dmp family_agenttesla behavioral23/memory/4736-474-0x000000000044CB3E-mapping.dmp family_agenttesla behavioral23/memory/4736-476-0x000000000044CB3E-mapping.dmp family_agenttesla behavioral23/memory/4736-477-0x000000000044CB3E-mapping.dmp family_agenttesla behavioral23/memory/4736-475-0x000000000044CB3E-mapping.dmp family_agenttesla -
resource yara_rule behavioral23/files/0x000100000001ab91-20.dat cryptone behavioral23/files/0x000100000001ab91-21.dat cryptone behavioral23/files/0x000100000001aba6-276.dat cryptone behavioral23/files/0x000100000001aba6-277.dat cryptone behavioral23/files/0x000100000001aba6-321.dat cryptone behavioral23/files/0x000100000001ac5a-386.dat cryptone behavioral23/files/0x000100000001ac5a-387.dat cryptone behavioral23/files/0x000100000001ac5a-404.dat cryptone behavioral23/files/0x000100000001aba6-451.dat cryptone behavioral23/files/0x000100000001ac5a-517.dat cryptone behavioral23/files/0x000100000001ac5a-527.dat cryptone behavioral23/files/0x000100000001ac5a-645.dat cryptone -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Formbook Payload 22 IoCs
resource yara_rule behavioral23/memory/3984-30-0x0000000000400000-0x000000000042D000-memory.dmp formbook behavioral23/memory/3984-32-0x000000000041E2D0-mapping.dmp formbook behavioral23/memory/2680-67-0x0000000000000000-mapping.dmp formbook behavioral23/memory/4836-159-0x0000000000400000-0x000000000042D000-memory.dmp formbook behavioral23/memory/4836-161-0x000000000041E270-mapping.dmp formbook behavioral23/memory/4992-175-0x0000000000000000-mapping.dmp formbook behavioral23/memory/4116-193-0x0000000000000000-mapping.dmp formbook behavioral23/memory/4508-345-0x000000000041E2D0-mapping.dmp formbook behavioral23/memory/4588-357-0x0000000000000000-mapping.dmp formbook behavioral23/memory/2680-442-0x0000000005BD0000-0x0000000005D47000-memory.dmp formbook behavioral23/memory/5104-441-0x0000000000000000-mapping.dmp formbook behavioral23/memory/4440-443-0x0000000000000000-mapping.dmp formbook behavioral23/memory/4116-447-0x0000000006030000-0x000000000617C000-memory.dmp formbook behavioral23/memory/4440-448-0x00000000E0800000-mapping.dmp formbook behavioral23/memory/4440-449-0x00000000E0800000-mapping.dmp formbook behavioral23/memory/2680-461-0x0000000002BE0000-0x0000000002CDC000-memory.dmp formbook behavioral23/memory/2680-493-0x0000000005BA0000-0x0000000005D06000-memory.dmp formbook behavioral23/memory/2680-510-0x0000000005BA0000-0x0000000005D06000-memory.dmp formbook behavioral23/memory/2680-613-0x0000000005BA0000-0x0000000005D06000-memory.dmp formbook behavioral23/memory/2680-633-0x0000000002BE0000-0x0000000002CDC000-memory.dmp formbook behavioral23/memory/2680-670-0x0000000005BA0000-0x0000000005D06000-memory.dmp formbook behavioral23/memory/2680-682-0x0000000005BA0000-0x0000000005D06000-memory.dmp formbook -
Guloader Payload 14 IoCs
resource yara_rule behavioral23/memory/4736-464-0x000000000044CB3E-mapping.dmp family_guloader behavioral23/memory/4736-465-0x000000000044CB3E-mapping.dmp family_guloader behavioral23/memory/4736-466-0x000000000044CB3E-mapping.dmp family_guloader behavioral23/memory/4736-468-0x000000000044CB3E-mapping.dmp family_guloader behavioral23/memory/4736-467-0x000000000044CB3E-mapping.dmp family_guloader behavioral23/memory/4736-469-0x000000000044CB3E-mapping.dmp family_guloader behavioral23/memory/4736-470-0x000000000044CB3E-mapping.dmp family_guloader behavioral23/memory/4736-471-0x000000000044CB3E-mapping.dmp family_guloader behavioral23/memory/4736-472-0x000000000044CB3E-mapping.dmp family_guloader behavioral23/memory/4736-473-0x000000000044CB3E-mapping.dmp family_guloader behavioral23/memory/4736-474-0x000000000044CB3E-mapping.dmp family_guloader behavioral23/memory/4736-476-0x000000000044CB3E-mapping.dmp family_guloader behavioral23/memory/4736-477-0x000000000044CB3E-mapping.dmp family_guloader behavioral23/memory/4736-475-0x000000000044CB3E-mapping.dmp family_guloader -
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
ReZer0 packer 3 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
resource yara_rule behavioral23/memory/2284-87-0x00000000069B0000-0x0000000006A03000-memory.dmp rezer0 behavioral23/memory/4796-265-0x0000000007CB0000-0x0000000007D03000-memory.dmp rezer0 behavioral23/memory/5108-313-0x0000000008B60000-0x0000000008BB1000-memory.dmp rezer0 -
Adds policy Run key to start application 2 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VF8HI = "C:\\Program Files (x86)\\Dedud\\IconCachelvh.exe" wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run raserver.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KV-PDPGX = "C:\\Program Files (x86)\\Bkx4lor5\\vtxppxhq.exe" raserver.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\I25HQ = "C:\\Program Files (x86)\\Sob8\\ulrl2k.exe" wscript.exe -
Blocklisted process makes network request 64 IoCs
flow pid Process 22 2180 rundll32.exe 25 2180 rundll32.exe 29 2180 rundll32.exe 39 2180 rundll32.exe 40 416 rundll32.exe 45 2180 rundll32.exe 47 416 rundll32.exe 48 416 rundll32.exe 57 2180 rundll32.exe 58 416 rundll32.exe 83 2180 rundll32.exe 84 416 rundll32.exe 96 2180 rundll32.exe 97 416 rundll32.exe 117 2180 rundll32.exe 118 416 rundll32.exe 132 2180 rundll32.exe 133 416 rundll32.exe 155 416 rundll32.exe 169 416 rundll32.exe 308 2180 rundll32.exe 327 2180 rundll32.exe 341 2180 rundll32.exe 346 416 rundll32.exe 354 2180 rundll32.exe 361 416 rundll32.exe 362 416 rundll32.exe 363 416 rundll32.exe 364 416 rundll32.exe 369 2180 rundll32.exe 383 416 rundll32.exe 387 2180 rundll32.exe 394 416 rundll32.exe 398 2180 rundll32.exe 410 416 rundll32.exe 412 2180 rundll32.exe 418 416 rundll32.exe 421 2180 rundll32.exe 429 416 rundll32.exe 432 2180 rundll32.exe 433 2180 rundll32.exe 434 2180 rundll32.exe 443 416 rundll32.exe 453 416 rundll32.exe 554 2180 rundll32.exe 563 2180 rundll32.exe 573 2180 rundll32.exe 580 416 rundll32.exe 583 2180 rundll32.exe 590 416 rundll32.exe 591 416 rundll32.exe 596 2180 rundll32.exe 601 416 rundll32.exe 606 2180 rundll32.exe 613 416 rundll32.exe 617 2180 rundll32.exe 623 416 rundll32.exe 628 2180 rundll32.exe 633 416 rundll32.exe 637 2180 rundll32.exe 642 416 rundll32.exe 647 2180 rundll32.exe 653 416 rundll32.exe 665 416 rundll32.exe -
Disables Task Manager via registry modification
-
Drops file in Drivers directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts 24.exe File opened for modification C:\Windows\system32\drivers\etc\hosts MSBuild.exe -
Executes dropped EXE 55 IoCs
pid Process 940 2.exe 1308 3.exe 2392 4.exe 3656 5.exe 1172 6.exe 2116 7.exe 3828 8.exe 3984 2.exe 2284 9.exe 2372 10.exe 2252 11.exe 2300 12.exe 4080 13.exe 956 14.exe 1040 15.exe 4176 16.exe 4456 17.exe 4532 18.exe 4556 19.exe 4712 20.exe 4836 11.exe 4888 21.exe 5064 22.exe 4132 feeed.exe 612 21.exe 4568 23.exe 4796 24.exe 4864 25.exe 5108 26.exe 1036 27.exe 3964 24.exe 4492 28.exe 5116 29.exe 4892 30.exe 3012 27.exe 4384 31.exe 5056 9.exe 1112 9.exe 4668 9.exe 4616 IconCachelvh.exe 4508 IconCachelvh.exe 652 Styltendeschris.exe 4212 InstallUtil.exe 860 kicwd.exe 4120 kicwd.exe 1908 vtxppxhq.exe 4860 26.exe 2096 26.exe 4040 26.exe 412 26.exe 252 26.exe 208 27.exe 5680 kicwd.exe 396 kicwd.exe 2008 kicwd.exe -
Looks for VMWare Tools registry key 2 TTPs
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\FindAssert.tiff 16.exe File opened for modification C:\Users\Admin\Pictures\MergeRequest.tiff 16.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 11.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 11.exe -
Checks QEMU agent file 2 TTPs 15 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
description ioc Process File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe 15.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe 13.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe 20.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe Styltendeschris.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe 3.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe 3.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe 25.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe 20.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe 28.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe 19.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe 7.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe Styltendeschris.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe 23.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe 13.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe 31.exe -
Drops startup file 6 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta 16.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\16.exe 16.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini 16.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PickerHost.url 30.exe -
Loads dropped DLL 8 IoCs
pid Process 4640 3.exe 4552 regsvr32.exe 2180 rundll32.exe 3900 13.exe 1844 20.exe 4816 regsvr32.exe 416 rundll32.exe 720 Styltendeschris.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral23/memory/3828-70-0x0000000001330000-0x000000000133F000-memory.dmp agile_net -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 13 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\feeed = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\feeed.exe" reg.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce 3.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Dokumen4 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Dibromob\\PRECONCE.vbs" 3.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce 13.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce Styltendeschris.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\PANOREREDEOPTIM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Trainbandanigon6\\Styltendeschris.vbs" Styltendeschris.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" 16.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" 16.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\16.exe = "C:\\Windows\\System32\\16.exe" 16.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\PANOREREDEOPTIM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Trainbandanigon6\\Styltendeschris.vbs" 13.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\CpSnJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CpSnJ\\CpSnJ.exe" MSBuild.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\kdhansrh = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Iovtkgq\\kicwd.exe\"" explorer.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini 16.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 16.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 16.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini 16.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 16.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini 16.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini 16.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini 16.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini 16.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 16.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini 16.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini 16.exe File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini 16.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 16.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini 16.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini 16.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini 16.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 16.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 16.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini 16.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini 16.exe File opened for modification C:\Users\Public\desktop.ini 16.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini 16.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini 16.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini 16.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 16.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini 16.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 16.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini 16.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini 16.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 16.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini 16.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini 16.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI 16.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 16.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 16.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini 16.exe File opened for modification C:\Users\Public\Music\desktop.ini 16.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini 16.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini 16.exe File opened for modification C:\Users\Public\Documents\desktop.ini 16.exe File opened for modification C:\Users\Public\Downloads\desktop.ini 16.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 16.exe File opened for modification C:\Users\Public\Videos\desktop.ini 16.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 16.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini 16.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini 16.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini 16.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini 16.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 16.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini 16.exe File opened for modification C:\Users\Admin\Music\desktop.ini 16.exe File opened for modification C:\Users\Public\Libraries\desktop.ini 16.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 16.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini 16.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 16.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 16.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 16.exe File opened for modification C:\Users\Admin\Links\desktop.ini 16.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 16.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 16.exe File opened for modification C:\Program Files (x86)\desktop.ini 16.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini 16.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini 16.exe -
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 11.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 11.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 18.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 18.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum vtxppxhq.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 vtxppxhq.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\System32\Info.hta 16.exe File created C:\Windows\System32\16.exe 16.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
pid Process 1308 3.exe 4640 3.exe 1040 15.exe 4080 13.exe 3900 13.exe 4712 20.exe 1844 20.exe 4864 25.exe 4492 28.exe 4556 19.exe 2116 7.exe 652 Styltendeschris.exe 720 Styltendeschris.exe 4384 31.exe 4568 23.exe 720 Styltendeschris.exe -
Suspicious use of SetThreadContext 60 IoCs
description pid Process procid_target PID 940 set thread context of 3984 940 2.exe 88 PID 3984 set thread context of 3028 3984 2.exe 57 PID 2680 set thread context of 3028 2680 wscript.exe 57 PID 1308 set thread context of 4640 1308 3.exe 111 PID 2252 set thread context of 4836 2252 11.exe 114 PID 4532 set thread context of 3028 4532 18.exe 57 PID 4836 set thread context of 3028 4836 11.exe 57 PID 4888 set thread context of 612 4888 21.exe 122 PID 4080 set thread context of 3900 4080 13.exe 133 PID 4796 set thread context of 3964 4796 24.exe 136 PID 4992 set thread context of 3028 4992 raserver.exe 57 PID 4712 set thread context of 1844 4712 20.exe 138 PID 4116 set thread context of 3028 4116 wscript.exe 57 PID 2284 set thread context of 4668 2284 9.exe 146 PID 4616 set thread context of 4508 4616 IconCachelvh.exe 151 PID 4508 set thread context of 3028 4508 IconCachelvh.exe 57 PID 4132 set thread context of 4212 4132 feeed.exe 148 PID 652 set thread context of 720 652 Styltendeschris.exe 160 PID 4892 set thread context of 4736 4892 30.exe 168 PID 5108 set thread context of 252 5108 26.exe 178 PID 1908 set thread context of 3028 1908 vtxppxhq.exe 57 PID 2680 set thread context of 4440 2680 wscript.exe 173 PID 4992 set thread context of 4440 4992 raserver.exe 173 PID 4116 set thread context of 4440 4116 wscript.exe 173 PID 2680 set thread context of 2464 2680 wscript.exe 182 PID 2680 set thread context of 5224 2680 wscript.exe 192 PID 2680 set thread context of 5912 2680 wscript.exe 200 PID 2680 set thread context of 6024 2680 wscript.exe 202 PID 5064 set thread context of 5184 5064 22.exe 206 PID 2680 set thread context of 2064 2680 wscript.exe 213 PID 2680 set thread context of 3608 2680 wscript.exe 225 PID 2680 set thread context of 3176 2680 wscript.exe 226 PID 2680 set thread context of 3584 2680 wscript.exe 227 PID 2680 set thread context of 2212 2680 wscript.exe 228 PID 2680 set thread context of 5532 2680 wscript.exe 229 PID 2680 set thread context of 5888 2680 wscript.exe 230 PID 2680 set thread context of 4564 2680 wscript.exe 231 PID 2680 set thread context of 4624 2680 wscript.exe 232 PID 2680 set thread context of 5260 2680 wscript.exe 233 PID 2680 set thread context of 2908 2680 wscript.exe 234 PID 2680 set thread context of 5268 2680 wscript.exe 235 PID 2680 set thread context of 5236 2680 wscript.exe 236 PID 2680 set thread context of 6064 2680 wscript.exe 237 PID 2680 set thread context of 6080 2680 wscript.exe 238 PID 2680 set thread context of 6032 2680 wscript.exe 239 PID 2680 set thread context of 6112 2680 wscript.exe 240 PID 2680 set thread context of 2336 2680 wscript.exe 242 PID 2680 set thread context of 2080 2680 wscript.exe 243 PID 2680 set thread context of 5504 2680 wscript.exe 244 PID 2680 set thread context of 3808 2680 wscript.exe 245 PID 2680 set thread context of 6048 2680 wscript.exe 249 PID 2680 set thread context of 724 2680 wscript.exe 250 PID 2680 set thread context of 744 2680 wscript.exe 252 PID 2680 set thread context of 5940 2680 wscript.exe 253 PID 2680 set thread context of 5740 2680 wscript.exe 254 PID 2680 set thread context of 5280 2680 wscript.exe 255 PID 2680 set thread context of 4412 2680 wscript.exe 256 PID 2680 set thread context of 5256 2680 wscript.exe 257 PID 2680 set thread context of 752 2680 wscript.exe 258 PID 2680 set thread context of 1836 2680 wscript.exe 259 -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\it-it\ui-strings.js.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nb-no\ui-strings.js.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\ui-strings.js 16.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml.id-2FD39CE9.[[email protected]].BOMBO 16.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms 16.exe File created C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\vlc.mo.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\eclipse.inf.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_opencarat_18.svg.id-2FD39CE9.[[email protected]].BOMBO 16.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pt-br\ui-strings.js.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\appuri.model 16.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll.id-2FD39CE9.[[email protected]].BOMBO 16.exe File created C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\common\First_One’s_Free_Unearned_small.png 16.exe File created C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Grayscale.xml.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\mscss7cm_es.dub.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\ru_16x11.png 16.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\ui-strings.js.id-2FD39CE9.[[email protected]].BOMBO 16.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\AccessCompare.rdlc.id-2FD39CE9.[[email protected]].BOMBO 16.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\chrome-ext.png.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml.id-2FD39CE9.[[email protected]].BOMBO 16.exe File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ppd.xrm-ms.id-2FD39CE9.[[email protected]].BOMBO 16.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-pl.xrm-ms.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-256_altform-unplated.png 16.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Review_RHP.aapp 16.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL026.XML.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-text.jar.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-colorize.png 16.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.scale-100.png 16.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\ui-strings.js.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Should.Tests.ps1 16.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-180.png.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ppd.xrm-ms 16.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations.png 16.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\StoreLogo.png 16.exe File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-string-l1-1-0.dll.id-2FD39CE9.[[email protected]].BOMBO 16.exe File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-pl.xrm-ms.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\shake.png 16.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\604_20x20x32.png 16.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-72.png 16.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sign-in-2x.png 16.exe File created C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleSmallTile.scale-125.png 16.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-execution.jar.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\office.x-none.msi.16.x-none.tree.dat 16.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Assets\Preview.scale-200_layoutdir-LTR.png 16.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\GenericMailLargeTile.scale-150.png 16.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pl-pl\ui-strings.js.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libspudec_plugin.dll 16.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxSmallTile.scale-200.png 16.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_EU-ES.respack 16.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-ms 16.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_zh_4.4.0.v20140623020002.jar.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\ext\jfxrt.jar.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\muscle.png 16.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\organize.svg 16.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\PurchaseApp.winmd 16.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp.id-2FD39CE9.[[email protected]].BOMBO 16.exe File opened for modification C:\Program Files\7-Zip\Lang\tt.txt 16.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 5424 4736 WerFault.exe 168 -
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc kicwd.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc kicwd.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service kicwd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 27.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service 27.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc kicwd.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service kicwd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 kicwd.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc kicwd.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service 27.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 27.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 kicwd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 kicwd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 kicwd.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc 27.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc 27.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service kicwd.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service kicwd.exe -
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4472 schtasks.exe 5028 schtasks.exe 4660 schtasks.exe 3732 schtasks.exe 1700 schtasks.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 5104 ipconfig.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 4968 vssadmin.exe 1976 vssadmin.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A5DEDBE6-29AD-11EB-B59A-E6CA00F544D8} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8C32A8CF-29AF-11EB-B59A-E6CA00F544D8} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30850490" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Suggested Sites\UserID = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000091bdff559c63144a671c62d85ccffac000000000200000000001066000000010000200000000bbcdb227ebeab295e2df93ec3f320d5ff17abb087a4b76e6d643c37faea1a74000000000e800000000200002000000062691daf99b8dbdfa7dd1632c008739a509bae810c4a763bbf63dc7d8346691440000000fb1866c6879ccf9f34ef384c2a0c1a59ccad540c9e511f8418718f260612b38227c63247889ca796fcfc16315ee66abb89b8ab1ecfcdc082c939deb460a54efe40000000dc0de0074aad6350d314ee381f747785d3245c02faa43565a257e4c96f68ed66e8e657035bac5b516e880c78bd8367879954de311e0d7bc6d7da9bc171f32a9b iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "312524947" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 901188ecbcbdd601 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60955a9bbabdd601 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Suggested Sites iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Suggested Sites\UserIDGenCode = "12" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{09E0BF90-29AF-11EB-B59A-E6CA00F544D8} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0eddea7babdd601 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 106a803fbcbdd601 iexplore.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ 27.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" 27.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" 27.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" 27.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" 27.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance Explorer.EXE -
Modifies registry key 1 TTPs 1 IoCs
pid Process 4380 REG.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 5944 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 940 2.exe 940 2.exe 3984 2.exe 3984 2.exe 3984 2.exe 3984 2.exe 3828 8.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 4176 16.exe 4176 16.exe 4176 16.exe 4176 16.exe 4176 16.exe 4176 16.exe 4176 16.exe 4176 16.exe 4176 16.exe 4176 16.exe 4176 16.exe 4176 16.exe 4176 16.exe 4176 16.exe 4176 16.exe 4176 16.exe 4176 16.exe 4176 16.exe 4176 16.exe 4176 16.exe 4176 16.exe 4176 16.exe 4176 16.exe 4176 16.exe 4176 16.exe 4176 16.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 4176 16.exe 4176 16.exe 4176 16.exe 4176 16.exe 3828 8.exe 3828 8.exe 3828 8.exe 3828 8.exe 3828 8.exe 3828 8.exe 3828 8.exe 3828 8.exe 3828 8.exe 3828 8.exe 3828 8.exe 3828 8.exe 3828 8.exe 3828 8.exe 4176 16.exe 4176 16.exe 4176 16.exe 4176 16.exe 4176 16.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process 3656 5.exe 3028 Explorer.EXE 5184 vbc.exe -
Suspicious behavior: MapViewOfSection 64 IoCs
pid Process 940 2.exe 3984 2.exe 3984 2.exe 3984 2.exe 2680 wscript.exe 2680 wscript.exe 1308 3.exe 4532 18.exe 4532 18.exe 4532 18.exe 4836 11.exe 4836 11.exe 4836 11.exe 4080 13.exe 4992 raserver.exe 4116 wscript.exe 4992 raserver.exe 4712 20.exe 4116 wscript.exe 4616 IconCachelvh.exe 4508 IconCachelvh.exe 4508 IconCachelvh.exe 4508 IconCachelvh.exe 652 Styltendeschris.exe 860 kicwd.exe 1908 vtxppxhq.exe 1908 vtxppxhq.exe 1908 vtxppxhq.exe 2680 wscript.exe 2680 wscript.exe 4992 raserver.exe 4116 wscript.exe 4992 raserver.exe 4116 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe 2680 wscript.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 4176 16.exe -
Suspicious behavior: SetClipboardViewer 1 IoCs
pid Process 3964 24.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3984 2.exe Token: SeDebugPrivilege 3656 5.exe Token: SeDebugPrivilege 3828 8.exe Token: SeDebugPrivilege 2680 wscript.exe Token: SeShutdownPrivilege 3028 Explorer.EXE Token: SeCreatePagefilePrivilege 3028 Explorer.EXE Token: SeShutdownPrivilege 3028 Explorer.EXE Token: SeCreatePagefilePrivilege 3028 Explorer.EXE Token: SeShutdownPrivilege 3028 Explorer.EXE Token: SeCreatePagefilePrivilege 3028 Explorer.EXE Token: SeShutdownPrivilege 3028 Explorer.EXE Token: SeCreatePagefilePrivilege 3028 Explorer.EXE Token: SeShutdownPrivilege 3028 Explorer.EXE Token: SeCreatePagefilePrivilege 3028 Explorer.EXE Token: SeShutdownPrivilege 3028 Explorer.EXE Token: SeCreatePagefilePrivilege 3028 Explorer.EXE Token: SeShutdownPrivilege 3028 Explorer.EXE Token: SeCreatePagefilePrivilege 3028 Explorer.EXE Token: SeShutdownPrivilege 3028 Explorer.EXE Token: SeCreatePagefilePrivilege 3028 Explorer.EXE Token: SeDebugPrivilege 4532 18.exe Token: SeShutdownPrivilege 3028 Explorer.EXE Token: SeCreatePagefilePrivilege 3028 Explorer.EXE Token: SeShutdownPrivilege 3028 Explorer.EXE Token: SeCreatePagefilePrivilege 3028 Explorer.EXE Token: SeDebugPrivilege 4836 11.exe Token: SeShutdownPrivilege 3028 Explorer.EXE Token: SeCreatePagefilePrivilege 3028 Explorer.EXE Token: SeShutdownPrivilege 3028 Explorer.EXE Token: SeCreatePagefilePrivilege 3028 Explorer.EXE Token: SeShutdownPrivilege 3028 Explorer.EXE Token: SeCreatePagefilePrivilege 3028 Explorer.EXE Token: SeShutdownPrivilege 3028 Explorer.EXE Token: SeCreatePagefilePrivilege 3028 Explorer.EXE Token: SeShutdownPrivilege 3028 Explorer.EXE Token: SeCreatePagefilePrivilege 3028 Explorer.EXE Token: SeShutdownPrivilege 3028 Explorer.EXE Token: SeCreatePagefilePrivilege 3028 Explorer.EXE Token: SeDebugPrivilege 4132 feeed.exe Token: SeDebugPrivilege 4992 raserver.exe Token: SeShutdownPrivilege 3028 Explorer.EXE Token: SeCreatePagefilePrivilege 3028 Explorer.EXE Token: SeDebugPrivilege 4116 wscript.exe Token: SeShutdownPrivilege 3028 Explorer.EXE Token: SeCreatePagefilePrivilege 3028 Explorer.EXE Token: SeShutdownPrivilege 3028 Explorer.EXE Token: SeCreatePagefilePrivilege 3028 Explorer.EXE Token: SeShutdownPrivilege 3028 Explorer.EXE Token: SeCreatePagefilePrivilege 3028 Explorer.EXE Token: SeShutdownPrivilege 3028 Explorer.EXE Token: SeCreatePagefilePrivilege 3028 Explorer.EXE Token: SeShutdownPrivilege 3028 Explorer.EXE Token: SeCreatePagefilePrivilege 3028 Explorer.EXE Token: SeDebugPrivilege 5108 26.exe Token: SeDebugPrivilege 4796 24.exe Token: SeDebugPrivilege 3964 24.exe Token: SeShutdownPrivilege 3028 Explorer.EXE Token: SeCreatePagefilePrivilege 3028 Explorer.EXE Token: SeShutdownPrivilege 3028 Explorer.EXE Token: SeCreatePagefilePrivilege 3028 Explorer.EXE Token: SeShutdownPrivilege 3028 Explorer.EXE Token: SeCreatePagefilePrivilege 3028 Explorer.EXE Token: SeShutdownPrivilege 3028 Explorer.EXE Token: SeCreatePagefilePrivilege 3028 Explorer.EXE -
Suspicious use of FindShellTrayWindow 33 IoCs
pid Process 4892 30.exe 3028 Explorer.EXE 3028 Explorer.EXE 4892 30.exe 4892 30.exe 3028 Explorer.EXE 4892 30.exe 4892 30.exe 4892 30.exe 3028 Explorer.EXE 3028 Explorer.EXE 3028 Explorer.EXE 3028 Explorer.EXE 3028 Explorer.EXE 3028 Explorer.EXE 3028 Explorer.EXE 5912 iexplore.exe 5912 iexplore.exe 3608 iexplore.exe 3584 iexplore.exe 5532 iexplore.exe 4564 iexplore.exe 5260 iexplore.exe 5268 iexplore.exe 6064 iexplore.exe 6032 iexplore.exe 2336 iexplore.exe 5504 iexplore.exe 6048 iexplore.exe 744 iexplore.exe 5740 iexplore.exe 4412 iexplore.exe 752 iexplore.exe -
Suspicious use of SendNotifyMessage 10 IoCs
pid Process 4892 30.exe 4892 30.exe 4892 30.exe 3028 Explorer.EXE 4892 30.exe 4892 30.exe 4892 30.exe 3028 Explorer.EXE 3028 Explorer.EXE 3028 Explorer.EXE -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 1308 3.exe 2116 7.exe 3656 5.exe 4080 13.exe 1040 15.exe 4556 19.exe 4712 20.exe 4568 23.exe 4864 25.exe 4492 28.exe 4384 31.exe 652 Styltendeschris.exe 2464 iexplore.exe 2464 iexplore.exe 4212 InstallUtil.exe 3964 24.exe 5912 iexplore.exe 5912 iexplore.exe 6024 IEXPLORE.EXE 6024 IEXPLORE.EXE 5912 iexplore.exe 5912 iexplore.exe 2064 IEXPLORE.EXE 2064 IEXPLORE.EXE 3608 iexplore.exe 3608 iexplore.exe 3176 IEXPLORE.EXE 3176 IEXPLORE.EXE 3584 iexplore.exe 3584 iexplore.exe 2212 IEXPLORE.EXE 2212 IEXPLORE.EXE 5532 iexplore.exe 5532 iexplore.exe 5888 IEXPLORE.EXE 5888 IEXPLORE.EXE 4564 iexplore.exe 4564 iexplore.exe 4624 IEXPLORE.EXE 4624 IEXPLORE.EXE 5260 iexplore.exe 5260 iexplore.exe 2908 IEXPLORE.EXE 2908 IEXPLORE.EXE 5268 iexplore.exe 5268 iexplore.exe 5236 IEXPLORE.EXE 5236 IEXPLORE.EXE 6064 iexplore.exe 6064 iexplore.exe 6080 IEXPLORE.EXE 6080 IEXPLORE.EXE 6032 iexplore.exe 6032 iexplore.exe 6112 IEXPLORE.EXE 6112 IEXPLORE.EXE 2336 iexplore.exe 2336 iexplore.exe 2080 IEXPLORE.EXE 2080 IEXPLORE.EXE 5504 iexplore.exe 5504 iexplore.exe 3808 IEXPLORE.EXE 3808 IEXPLORE.EXE -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3028 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 640 wrote to memory of 3172 640 1.bin.exe 75 PID 640 wrote to memory of 3172 640 1.bin.exe 75 PID 3172 wrote to memory of 208 3172 cmd.exe 78 PID 3172 wrote to memory of 208 3172 cmd.exe 78 PID 3172 wrote to memory of 940 3172 cmd.exe 79 PID 3172 wrote to memory of 940 3172 cmd.exe 79 PID 3172 wrote to memory of 940 3172 cmd.exe 79 PID 3172 wrote to memory of 1308 3172 cmd.exe 80 PID 3172 wrote to memory of 1308 3172 cmd.exe 80 PID 3172 wrote to memory of 1308 3172 cmd.exe 80 PID 3172 wrote to memory of 2392 3172 cmd.exe 81 PID 3172 wrote to memory of 2392 3172 cmd.exe 81 PID 3172 wrote to memory of 2392 3172 cmd.exe 81 PID 3172 wrote to memory of 3656 3172 cmd.exe 82 PID 3172 wrote to memory of 3656 3172 cmd.exe 82 PID 3172 wrote to memory of 3656 3172 cmd.exe 82 PID 3172 wrote to memory of 1172 3172 cmd.exe 83 PID 3172 wrote to memory of 1172 3172 cmd.exe 83 PID 3172 wrote to memory of 1172 3172 cmd.exe 83 PID 3172 wrote to memory of 2116 3172 cmd.exe 85 PID 3172 wrote to memory of 2116 3172 cmd.exe 85 PID 3172 wrote to memory of 2116 3172 cmd.exe 85 PID 3172 wrote to memory of 3828 3172 cmd.exe 87 PID 3172 wrote to memory of 3828 3172 cmd.exe 87 PID 3172 wrote to memory of 3828 3172 cmd.exe 87 PID 940 wrote to memory of 3984 940 2.exe 88 PID 940 wrote to memory of 3984 940 2.exe 88 PID 940 wrote to memory of 3984 940 2.exe 88 PID 3172 wrote to memory of 2284 3172 cmd.exe 89 PID 3172 wrote to memory of 2284 3172 cmd.exe 89 PID 3172 wrote to memory of 2284 3172 cmd.exe 89 PID 3172 wrote to memory of 2372 3172 cmd.exe 90 PID 3172 wrote to memory of 2372 3172 cmd.exe 90 PID 3172 wrote to memory of 2372 3172 cmd.exe 90 PID 3028 wrote to memory of 2680 3028 Explorer.EXE 92 PID 3028 wrote to memory of 2680 3028 Explorer.EXE 92 PID 3028 wrote to memory of 2680 3028 Explorer.EXE 92 PID 3172 wrote to memory of 2252 3172 cmd.exe 93 PID 3172 wrote to memory of 2252 3172 cmd.exe 93 PID 3172 wrote to memory of 2252 3172 cmd.exe 93 PID 3172 wrote to memory of 2300 3172 cmd.exe 94 PID 3172 wrote to memory of 2300 3172 cmd.exe 94 PID 3172 wrote to memory of 2300 3172 cmd.exe 94 PID 3172 wrote to memory of 4080 3172 cmd.exe 95 PID 3172 wrote to memory of 4080 3172 cmd.exe 95 PID 3172 wrote to memory of 4080 3172 cmd.exe 95 PID 2680 wrote to memory of 2940 2680 wscript.exe 96 PID 2680 wrote to memory of 2940 2680 wscript.exe 96 PID 2680 wrote to memory of 2940 2680 wscript.exe 96 PID 3172 wrote to memory of 956 3172 cmd.exe 98 PID 3172 wrote to memory of 956 3172 cmd.exe 98 PID 3172 wrote to memory of 956 3172 cmd.exe 98 PID 3828 wrote to memory of 3672 3828 8.exe 99 PID 3828 wrote to memory of 3672 3828 8.exe 99 PID 3828 wrote to memory of 3672 3828 8.exe 99 PID 3172 wrote to memory of 1040 3172 cmd.exe 101 PID 3172 wrote to memory of 1040 3172 cmd.exe 101 PID 3172 wrote to memory of 1040 3172 cmd.exe 101 PID 3172 wrote to memory of 4176 3172 cmd.exe 102 PID 3172 wrote to memory of 4176 3172 cmd.exe 102 PID 3172 wrote to memory of 4176 3172 cmd.exe 102 PID 4176 wrote to memory of 4224 4176 16.exe 103 PID 4176 wrote to memory of 4224 4176 16.exe 103 PID 3672 wrote to memory of 4388 3672 cmd.exe 105 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer wscript.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Users\Admin\AppData\Local\Temp\1.bin.exe"C:\Users\Admin\AppData\Local\Temp\1.bin.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\System32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\72D4.tmp\72E5.tmp\72E6.bat C:\Users\Admin\AppData\Local\Temp\1.bin.exe"3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\1.jar"4⤵PID:208
-
-
C:\Users\Admin\AppData\Roaming\2.exeC:\Users\Admin\AppData\Roaming\2.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Users\Admin\AppData\Roaming\2.exeC:\Users\Admin\AppData\Roaming\2.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3984
-
-
-
C:\Users\Admin\AppData\Roaming\3.exeC:\Users\Admin\AppData\Roaming\3.exe4⤵
- Executes dropped EXE
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1308 -
C:\Users\Admin\AppData\Roaming\3.exeC:\Users\Admin\AppData\Roaming\3.exe5⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4640
-
-
-
C:\Users\Admin\AppData\Roaming\4.exeC:\Users\Admin\AppData\Roaming\4.exe4⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Roaming\4.dll f1 C:\Users\Admin\AppData\Roaming\4.exe@23925⤵
- Loads dropped DLL
PID:4552 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Roaming\4.dll,f06⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2180
-
-
-
-
C:\Users\Admin\AppData\Roaming\5.exeC:\Users\Admin\AppData\Roaming\5.exe4⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3656
-
-
C:\Users\Admin\AppData\Roaming\6.exeC:\Users\Admin\AppData\Roaming\6.exe4⤵
- Executes dropped EXE
PID:1172
-
-
C:\Users\Admin\AppData\Roaming\7.exeC:\Users\Admin\AppData\Roaming\7.exe4⤵
- Executes dropped EXE
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2116
-
-
C:\Users\Admin\AppData\Roaming\8.exeC:\Users\Admin\AppData\Roaming\8.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3828 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\feeed.exe"5⤵
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\feeed.exe"6⤵
- Adds Run key to start application
PID:4388
-
-
-
C:\Users\Admin\AppData\Roaming\feeed.exe"C:\Users\Admin\AppData\Roaming\feeed.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4132 -
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4212 -
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile7⤵PID:5148
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\9.exeC:\Users\Admin\AppData\Roaming\9.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2284 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wWTxgR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1ABC.tmp"5⤵
- Creates scheduled task(s)
PID:5028
-
-
C:\Users\Admin\AppData\Roaming\9.exe"{path}"5⤵
- Executes dropped EXE
PID:5056
-
-
C:\Users\Admin\AppData\Roaming\9.exe"{path}"5⤵
- Executes dropped EXE
PID:1112
-
-
C:\Users\Admin\AppData\Roaming\9.exe"{path}"5⤵
- Executes dropped EXE
PID:4668 -
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile6⤵PID:4600
-
-
-
-
C:\Users\Admin\AppData\Roaming\10.exeC:\Users\Admin\AppData\Roaming\10.exe4⤵
- Executes dropped EXE
PID:2372
-
-
C:\Users\Admin\AppData\Roaming\11.exeC:\Users\Admin\AppData\Roaming\11.exe4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
PID:2252 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnLKhBlJfQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB8E6.tmp"5⤵
- Creates scheduled task(s)
PID:4472
-
-
C:\Users\Admin\AppData\Roaming\11.exe"{path}"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4836
-
-
-
C:\Users\Admin\AppData\Roaming\12.exeC:\Users\Admin\AppData\Roaming\12.exe4⤵
- Executes dropped EXE
PID:2300
-
-
C:\Users\Admin\AppData\Roaming\13.exeC:\Users\Admin\AppData\Roaming\13.exe4⤵
- Executes dropped EXE
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4080 -
C:\Users\Admin\AppData\Roaming\13.exeC:\Users\Admin\AppData\Roaming\13.exe5⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3900 -
C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe"C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe"6⤵
- Executes dropped EXE
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:652 -
C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe"C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe"7⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:720
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\14.exeC:\Users\Admin\AppData\Roaming\14.exe4⤵
- Executes dropped EXE
PID:956
-
-
C:\Users\Admin\AppData\Roaming\15.exeC:\Users\Admin\AppData\Roaming\15.exe4⤵
- Executes dropped EXE
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1040
-
-
C:\Users\Admin\AppData\Roaming\16.exeC:\Users\Admin\AppData\Roaming\16.exe4⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4176 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"5⤵PID:4224
-
C:\Windows\system32\mode.commode con cp select=12516⤵PID:4748
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet6⤵
- Interacts with shadow copies
PID:4968
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"5⤵PID:4172
-
C:\Windows\system32\mode.commode con cp select=12516⤵PID:5032
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet6⤵
- Interacts with shadow copies
PID:1976
-
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"5⤵PID:4940
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"5⤵PID:3148
-
-
-
C:\Users\Admin\AppData\Roaming\17.exeC:\Users\Admin\AppData\Roaming\17.exe4⤵
- Executes dropped EXE
PID:4456
-
-
C:\Users\Admin\AppData\Roaming\18.exeC:\Users\Admin\AppData\Roaming\18.exe4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4532
-
-
C:\Users\Admin\AppData\Roaming\19.exeC:\Users\Admin\AppData\Roaming\19.exe4⤵
- Executes dropped EXE
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4556
-
-
C:\Users\Admin\AppData\Roaming\20.exeC:\Users\Admin\AppData\Roaming\20.exe4⤵
- Executes dropped EXE
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4712 -
C:\Users\Admin\AppData\Roaming\20.exeC:\Users\Admin\AppData\Roaming\20.exe5⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1844
-
-
-
C:\Users\Admin\AppData\Roaming\21.exeC:\Users\Admin\AppData\Roaming\21.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4888 -
C:\Users\Admin\AppData\Roaming\21.exe"{path}"5⤵
- Executes dropped EXE
PID:612
-
-
-
C:\Users\Admin\AppData\Roaming\22.exeC:\Users\Admin\AppData\Roaming\22.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5064 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"5⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:5184
-
-
-
C:\Users\Admin\AppData\Roaming\23.exeC:\Users\Admin\AppData\Roaming\23.exe4⤵
- Executes dropped EXE
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4568
-
-
C:\Users\Admin\AppData\Roaming\24.exeC:\Users\Admin\AppData\Roaming\24.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4796 -
C:\Users\Admin\AppData\Roaming\24.exe"{path}"5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3964 -
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile6⤵PID:4408
-
-
-
-
C:\Users\Admin\AppData\Roaming\25.exeC:\Users\Admin\AppData\Roaming\25.exe4⤵
- Executes dropped EXE
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4864
-
-
C:\Users\Admin\AppData\Roaming\26.exeC:\Users\Admin\AppData\Roaming\26.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5108 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qATVyEXYNcqQZF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp828A.tmp"5⤵
- Creates scheduled task(s)
PID:3732
-
-
C:\Users\Admin\AppData\Roaming\26.exe"{path}"5⤵
- Executes dropped EXE
PID:4860
-
-
C:\Users\Admin\AppData\Roaming\26.exe"{path}"5⤵
- Executes dropped EXE
PID:2096
-
-
C:\Users\Admin\AppData\Roaming\26.exe"{path}"5⤵
- Executes dropped EXE
PID:4040
-
-
C:\Users\Admin\AppData\Roaming\26.exe"{path}"5⤵
- Executes dropped EXE
PID:412
-
-
C:\Users\Admin\AppData\Roaming\26.exe"{path}"5⤵
- Executes dropped EXE
PID:252
-
-
-
C:\Users\Admin\AppData\Roaming\27.exeC:\Users\Admin\AppData\Roaming\27.exe4⤵
- Executes dropped EXE
PID:1036 -
C:\Users\Admin\AppData\Roaming\27.exeC:\Users\Admin\AppData\Roaming\27.exe /C5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3012
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Iovtkgq\kicwd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Iovtkgq\kicwd.exe5⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:860 -
C:\Users\Admin\AppData\Roaming\Microsoft\Iovtkgq\kicwd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Iovtkgq\kicwd.exe /C6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4120
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe6⤵
- Adds Run key to start application
PID:4440 -
C:\Users\Admin\AppData\Roaming\Microsoft\Iovtkgq\kicwd.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Iovtkgq\kicwd.exe" /W7⤵
- Executes dropped EXE
PID:2008
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /tn {443ECB41-6BF9-43C7-8A29-80B91C594C83} /tr "\"C:\Users\Admin\AppData\Roaming\Microsoft\Iovtkgq\kicwd.exe\"" /sc HOURLY /mo 5 /F7⤵
- Creates scheduled task(s)
PID:1700
-
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn nznjchi /tr "\"C:\Users\Admin\AppData\Roaming\27.exe\" /I nznjchi" /SC ONCE /Z /ST 14:50 /ET 15:025⤵
- Creates scheduled task(s)
PID:4660
-
-
-
C:\Users\Admin\AppData\Roaming\28.exeC:\Users\Admin\AppData\Roaming\28.exe4⤵
- Executes dropped EXE
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4492
-
-
C:\Users\Admin\AppData\Roaming\29.exeC:\Users\Admin\AppData\Roaming\29.exe4⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Roaming\29.dll f1 C:\Users\Admin\AppData\Roaming\29.exe@51165⤵
- Loads dropped DLL
PID:4816 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Roaming\29.dll,f06⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:416
-
-
-
-
C:\Users\Admin\AppData\Roaming\30.exeC:\Users\Admin\AppData\Roaming\30.exe4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4892 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"5⤵
- Drops file in Drivers directory
- Adds Run key to start application
PID:4736 -
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f6⤵
- Modifies registry key
PID:4380
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 15366⤵
- Drops file in Windows directory
- Program crash
PID:5424
-
-
-
-
C:\Users\Admin\AppData\Roaming\31.exeC:\Users\Admin\AppData\Roaming\31.exe4⤵
- Executes dropped EXE
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4384
-
-
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:636
-
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\SysWOW64\wscript.exe"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2680 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Roaming\2.exe"3⤵PID:2940
-
-
-
C:\Windows\SysWOW64\raserver.exe"C:\Windows\SysWOW64\raserver.exe"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4992 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Roaming\18.exe"3⤵PID:4700
-
-
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\SysWOW64\wscript.exe"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4116 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Roaming\11.exe"3⤵PID:4724
-
-
-
C:\Program Files (x86)\Dedud\IconCachelvh.exe"C:\Program Files (x86)\Dedud\IconCachelvh.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4616 -
C:\Program Files (x86)\Dedud\IconCachelvh.exe"C:\Program Files (x86)\Dedud\IconCachelvh.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4508
-
-
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\SysWOW64\svchost.exe"2⤵PID:4588
-
-
C:\Program Files (x86)\Bkx4lor5\vtxppxhq.exe"C:\Program Files (x86)\Bkx4lor5\vtxppxhq.exe"2⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1908
-
-
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\SysWOW64\ipconfig.exe"2⤵
- Gathers network information
PID:5104
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:5084
-
C:\Users\Admin\AppData\Roaming\27.exeC:\Users\Admin\AppData\Roaming\27.exe /I nznjchi1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:208 -
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"2⤵PID:5800
-
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"2⤵PID:5872
-
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"2⤵PID:5980
-
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"2⤵PID:6136
-
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"2⤵PID:5292
-
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"2⤵PID:5524
-
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"2⤵PID:1280
-
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"2⤵PID:1860
-
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Iovtkgq" /d "0"2⤵PID:3060
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Iovtkgq\kicwd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Iovtkgq\kicwd.exe2⤵
- Executes dropped EXE
PID:5680 -
C:\Users\Admin\AppData\Roaming\Microsoft\Iovtkgq\kicwd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Iovtkgq\kicwd.exe /C3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:396
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Roaming\27.exe"2⤵PID:3508
-
C:\Windows\system32\PING.EXEping.exe -n 6 127.0.0.13⤵
- Runs ping.exe
PID:5944
-
-
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /DELETE /F /TN nznjchi2⤵PID:5780
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2464 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2464 CREDAT:82945 /prefetch:22⤵PID:5224
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5912 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5912 CREDAT:82945 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
PID:6024
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5912 CREDAT:82947 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
PID:2064
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3608 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:82945 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
PID:3176
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3584 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3584 CREDAT:82945 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
PID:2212
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5532 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5532 CREDAT:82945 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
PID:5888
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4564 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4564 CREDAT:82945 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
PID:4624
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5260 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5260 CREDAT:82945 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
PID:2908
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5268 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5268 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5236
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:6064 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6064 CREDAT:82945 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
PID:6080
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:6032 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6032 CREDAT:82945 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
PID:6112
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2336 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2336 CREDAT:82945 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
PID:2080
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5504 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5504 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3808
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:6048 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6048 CREDAT:82945 /prefetch:22⤵PID:724
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:744 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:744 CREDAT:82945 /prefetch:22⤵PID:5940
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:5740 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5740 CREDAT:82945 /prefetch:22⤵PID:5280
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:4412 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4412 CREDAT:82945 /prefetch:22⤵PID:5256
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:752 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:752 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
PID:1836
-
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
Disabling Security Tools
2File Deletion
2Modify Registry
7Scripting
1Virtualization/Sandbox Evasion
2