Resubmissions
03-07-2024 22:59 240703-2yn7wszhlp 10
03-07-2024 16:13 240703-tn93lsyglf 10
03-07-2024 16:11 240703-tm84xsyfma 10
10-05-2024 16:25 240510-tw1h5shh47 10
24-08-2023 11:16 230824-nda8msdf8z 10
Analysis
max time kernel: 926s
max time network: 936s
platform: windows10_x64
resource: win10v20201028
submitted: 22-11-2020 06:42
Static task: static1
Behavioral task: behavioral24
Sample: Endermanch@NavaShield(1).exe
Resource: win10v20201028
Errors
General
Target: -
Size: 1.1MB
MD5: 2eb3ce80b26345bd139f7378330b19c1
SHA1: 10122bd8dd749e20c132d108d176794f140242b0
SHA256: 8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2
SHA512: e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a
Malware Config
Signatures
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Deletes NTFS Change Journal 2 TTPs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

Clears Windows event logs 1 TTPs

Blacklisted process makes network request 11 IoCs
flow pid Process
416 4088 rundll32.exe
428 4088 rundll32.exe
736 4088 rundll32.exe
741 4088 rundll32.exe
773 4088 rundll32.exe
781 4088 rundll32.exe
824 4088 rundll32.exe
835 4088 rundll32.exe
847 4088 rundll32.exe
859 4088 rundll32.exe
870 4088 rundll32.exe

Executes dropped EXE 2 IoCs
pid Process
3320 lpsprt.exe
832 F6AA.tmp

Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe

Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process
File opened for modification C:\Users\Admin\Pictures\ConnectStep.tiff rundll32.exe
File opened for modification C:\Users\Admin\Pictures\ConvertRestore.tiff rundll32.exe
File opened for modification C:\Users\Admin\Pictures\ReadUndo.tiff rundll32.exe
File opened for modification C:\Users\Admin\Pictures\RenameLock.tiff rundll32.exe
File opened for modification C:\Users\Admin\Pictures\ConfirmOpen.tiff rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\SoftProz = "C:\\Program Files (x86)\\HjuTygFcvX\\lpsprt.exe" lpsprt.exe

JavaScript code in executable 28 IoCs
resource yara_rule
behavioral22/files/0x000100000001ac3d-47.dat js
behavioral22/files/0x000300000001a9d3-57.dat js
behavioral22/files/0x000100000001ac1a-68.dat js
behavioral22/files/0x000100000001ac17-69.dat js
behavioral22/files/0x000100000001ac43-67.dat js
behavioral22/files/0x000100000001ac19-70.dat js
behavioral22/files/0x000100000001ac15-66.dat js
behavioral22/files/0x000100000001ac16-71.dat js
behavioral22/files/0x000100000001ac18-72.dat js
behavioral22/files/0x000100000001ac35-73.dat js
behavioral22/files/0x000100000001ac34-74.dat js
behavioral22/files/0x000100000001ac21-89.dat js
behavioral22/files/0x000100000001ac2c-97.dat js
behavioral22/files/0x000100000001ac64-156.dat js
behavioral22/files/0x000100000001ac9a-163.dat js
behavioral22/files/0x000100000001aca9-178.dat js
behavioral22/files/0x000100000001acde-215.dat js
behavioral22/files/0x000100000001acfa-231.dat js
behavioral22/files/0x000100000001acd5-214.dat js
behavioral22/files/0x000100000001acce-208.dat js
behavioral22/files/0x000100000001acd0-207.dat js
behavioral22/files/0x000100000001ace6-232.dat js
behavioral22/files/0x000100000001acf4-233.dat js
behavioral22/files/0x000100000001acfc-234.dat js
behavioral22/files/0x000100000001ad01-258.dat js
behavioral22/files/0x000100000001acfd-250.dat js
behavioral22/files/0x000100000001ad2a-269.dat js
behavioral22/files/0x000c00000001a921-293.dat js

Drops file in Program Files directory 4 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\HjuTygFcvX [email protected]
File created C:\Program Files (x86)\HjuTygFcvX\__tmp_rar_sfx_access_check_259306046 [email protected]
File created C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe [email protected]
File opened for modification C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe [email protected]

Drops file in Windows directory 4 IoCs
description ioc Process
File created C:\Windows\dispci.exe rundll32.exe
File opened for modification C:\Windows\F6AA.tmp rundll32.exe
File opened for modification C:\Windows\infpub.dat rundll32.exe
File created C:\Windows\cscc.dat rundll32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
2808 schtasks.exe
3012 schtasks.exe
Modifies data under HKEY_USERS 15 IoCs
Suspicious behavior: EnumeratesProcesses 12 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
PID 3320: lpsprt.exe
Suspicious use of AdjustPrivilegeToken 66 IoCs
Suspicious use of FindShellTrayWindow 108 IoCs
Suspicious use of SendNotifyMessage 103 IoCs
Suspicious use of SetWindowsHookEx 31 IoCs
Suspicious use of WriteProcessMemory 71 IoCs
Processes (process tree; indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\[email protected]
  Command line: "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 1156
    C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe
      Command line: "C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 3320
        C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.porntube.com
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 3408
            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3408 CREDAT:82945 /prefetch:2
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
              PID: 2540
            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3408 CREDAT:82951 /prefetch:2
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
              PID: 1520
            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3408 CREDAT:82954 /prefetch:2
              - Modifies Internet Explorer settings
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
              PID: 2100
            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3408 CREDAT:82960 /prefetch:2
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
              PID: 2400
        C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.viagra.com
          PID: 2020
        C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.porntube.com
          PID: 3228
        C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.viagra.com
          - Modifies Internet Explorer settings
          PID: 3504
        C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.porntube.com
          PID: 1384

C:\Windows\SysWOW64\rundll32.exe
  Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\infpub.dat",#2 15
  - Suspicious use of WriteProcessMemory
  PID: 4068
    C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      - Blacklisted process makes network request
      - Modifies extensions of user files
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4088
        C:\Windows\SysWOW64\cmd.exe
          Command line: /c schtasks /Delete /F /TN rhaegal
          - Suspicious use of WriteProcessMemory
          PID: 3268
            C:\Windows\SysWOW64\schtasks.exe
              Command line: schtasks /Delete /F /TN rhaegal
              PID: 2372
        C:\Windows\SysWOW64\cmd.exe
          Command line: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1223011611 && exit"
          - Suspicious use of WriteProcessMemory
          PID: 584
            C:\Windows\SysWOW64\schtasks.exe
              Command line: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1223011611 && exit"
              - Creates scheduled task(s)
              PID: 2808
        C:\Windows\SysWOW64\cmd.exe
          Command line: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 06:59:00
          - Suspicious use of WriteProcessMemory
          PID: 204
            C:\Windows\SysWOW64\schtasks.exe
              Command line: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 06:59:00
              - Creates scheduled task(s)
              PID: 3012
        C:\Windows\F6AA.tmp
          Command line: "C:\Windows\F6AA.tmp" \\.\pipe\{3EE1A54B-22CB-441B-A17F-37B88E2802C4}
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 832
        C:\Windows\SysWOW64\cmd.exe
          Command line: /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
          - Suspicious use of WriteProcessMemory
          PID: 3444
            C:\Windows\SysWOW64\wevtutil.exe
              Command line: wevtutil cl Setup
              - Suspicious use of AdjustPrivilegeToken
              PID: 1880
            C:\Windows\SysWOW64\wevtutil.exe
              Command line: wevtutil cl System
              - Suspicious use of AdjustPrivilegeToken
              PID: 720
            C:\Windows\SysWOW64\wevtutil.exe
              Command line: wevtutil cl Security
              - Suspicious use of AdjustPrivilegeToken
              PID: 152
            C:\Windows\SysWOW64\wevtutil.exe
              Command line: wevtutil cl Application
              PID: 1924
            C:\Windows\SysWOW64\fsutil.exe
              Command line: fsutil usn deletejournal /D C:
              PID: 1512
        C:\Windows\SysWOW64\cmd.exe
          Command line: /c schtasks /Delete /F /TN drogon
          PID: 3580
            C:\Windows\SysWOW64\schtasks.exe
              Command line: schtasks /Delete /F /TN drogon
              PID: 3832

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3ad7055 /state1:0x41c64e6d
  - Modifies WinLogon to allow AutoLogon
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID: 700