dmalocker | adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1

Analysis

max time kernel
17s
max time network
10s
platform
windows7_x64
resource
win7v20210410
submitted
19-06-2021 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Size

1.4MB
MD5

4fa5fd0b35ba44e25b87747c1ba710f6
SHA1

dcbcb67d4723312f274627a2a22861f759d032a1
SHA256

adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1
SHA512

d0f87394722e6f842e74a117f77e4cb579418bec18ece2efbd6feb4bee6facb0bb69d2153fb6c70b4584b389eee77f15c0f561f21b26e08c421fe727b56b7d13

Score

10^/10

dmalocker hawkeye locky locky_osiris wannacry discovery keylogger persistence ransomware spyware stealer trojan worm

Malware Config

Signatures

DMA Locker
Ransomware family with some advanced features, like encryption of unmapped network shares.
ransomware dmalocker
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Prueba = "Ok"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Prueba = "Ok"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

Drops file in Drivers directory 19 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SYSTEM32\Drivers\Inf\SOCFG.DLL	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\drivers\str.sys	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Drivers\RVDPORT.SYS	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\drivers\config.json	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\drivers\ver.txt	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\str.sys	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\drivers\ver2.txt	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\drivers\etc\Hosts	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Drivers\DETPORT.SYS	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Drivers\DETPORT.SYS	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Drivers\RVDPORT.SYS	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\config.json	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Drivers\Inf\SOCFG.DLL	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Drivers\AUTORUN.BAK	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Drivers\AUTORUN.BAK	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Drivers\ISPUPDRV.SYS	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Drivers\ISPUPDRV.SYS	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\ver.txt	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\ver2.txt	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops startup file 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AppointmentApis.Lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\logmanager.exe.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0zWLc8kNJcUtkkAEjNlUYKQumKdayZ.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hdry.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryption instructions.txt	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\srg.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\displaymedia.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vol.vbe	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sfxcv.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vcbvc.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wr9RqAY2.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dfghjk.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fgisdp.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2vC7R7Po.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dwm.exe.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Gato.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stst.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IwiX.com.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READ_ME.hta	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EhStorAuthn.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xxZbEWSnqt.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\refsutil.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\googles.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OSmEgyoAcnw5g38C.exe.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AB8EzBzZ.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gn46.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qrfpo.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rasphone.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smiWVuKjWE.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ufyd.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systm.vbe	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msword.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antomarvis.exe.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ty46.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csAiprbfef.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\visualPrint.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dth54.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GxMZHjywsI.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apps.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdfnme.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodga.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HpuEtzbXyw.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DW_START.LNK	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DEEWOO.LNK	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodgcg.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\expls.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jyfyfffyy.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PIPLXE.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LYCOS SIDESEARCH.LNK	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdxgbxcve.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pwcreator.Lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sbR5JGVggDjZ4CKC.exe.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BxjUOFQUZX.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AHZSVhvnGm.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SCANDISK.LNK	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ofiyh.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wsea.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\folder.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobread.exe.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Prueba = "Ok"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Prueba = "Ok"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Prueba = "Ok"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Prueba = "Ok"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SYSTEM32\DLL1.tmp	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\UpdateWuaucltHelper	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\CRT.DAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\msbb_kyf.dat	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\INTERNET.FNE	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\CRT.DAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Home lan application	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\AUTORUN.INI	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\WinRing0x64.sys	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\Updates\UxfDWBHJe	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Free Advanced Tuneup utilities for Windows	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Msmmvs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Win Direct Tools	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\MSShell32	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\msbb.log	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\WindowsInput.InstallState	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\Encrypter	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\WindowsInput.exe.config	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\BrowserStorage	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\MNU Net libraries	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\net rest application	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\System Network Extensions	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Config\Systemprofile\Menú Inicio\Programas\Security Tool.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\MiscfostNsi	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\Windows Network	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\MsWinToken	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\NativeLogger	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\VUYOSIVA	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Blanktegn7	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\AVG32XL.KDX	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\s.ico	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\processing	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\HEURICCOMMAND.BAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\MODEL.DAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\program	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\SUWOVEKU	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Windows\System32\Winsh320	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\SYSTEMS12.ICO	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\DMLCONF.DAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\SPI.DLL	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\System\SystemDonezs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Capite7	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Ms nocsys tools	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\___u	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\cIOOhjLCvz	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\fQfPixvUpX	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\ICONG.ICO	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Msnetc	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Winsys.bat	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\SX.HTM	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\Cache System Extension	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\unregmp2	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Restore\KLOG.DAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\FreeMonoLibrary	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\NvNgxUpdateCheckDaily_{D5BF6DE4-6DE4-6DE4-6DE4-D5BF6DE46DE4}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\RUNONCE.T__	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\UDP Service	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\Rosinbrdet5	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\WinNetworkTask	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\___m	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\DLL3.tmp	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\SYS.REG	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Adasdsadas3id	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Windows .Net library core	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\System\Uninstall\Uninstall A360.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Messenger Plus! Live\Scripts\hola\hola.js	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\installESP.log	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Adobe\pdf.exe.config	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Messenger\KLOG.DAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Internet Explorer\ACPI.VXD	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\JustClicking\home.bat	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Internet Explorer\JS.MUI	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Adobe\pdf.ex_	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Movie Maker\KLOG.DAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\VERSION.TXT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Assembly\System.exe.config	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\searchplugins\fcmdSrch.xml	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Common Files\Systems\PINKS.DLL	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Internet Explorer\ONLO0R.OBK	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\X.BMP	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\WebRebates4\Websrebates\Webtrebates\toprC0.htm	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Adobe\pdf.exex	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Outlook Express\KLOG.DAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\NetMeeting\KLOG.DAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Lycos\Sidesearch\OFFLINE.HTM	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Internet Explorer\DMLCONF.DAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\LOGFILE32.TXT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Windows .Net core library.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\notpad.exe	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Downloaded Program Files\ShellInstaller.INF	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\ÂÌ»¯.bat	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Inf\TWAINTEC.INF	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\ZSMSCC16.INI	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Windows Power saves tools for windows.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\hackshen.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Microsoft System Protect.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\IE-HOOK.TXT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Ms system cache service.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\autorun.inf	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\MY.CSS	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Setup\Extensionm.dll	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SoftwareDistribution\mstoble.cab	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\MSTECF.DAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\iexplore.txt	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\NetSys.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\System\setup87.inf	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\180ax.log	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\HCF605.TXT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\System\gzip.exe	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\instsrv.exe	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\infosapi.dll	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\PCSEARCH.REG	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\CleanMemoryWinTask.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Gpu Tools.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\WwANsvc.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\O.REG	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\WEB\OSLOGO.BMP	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Ms cpu monitor.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\l.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Windows Shell OneDrive Extensions.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Update3.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SoftwareDistribution\grim.ime	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\ApplicationNetwork.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\System Network Extensions.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\DIDDUID.INI	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\FIRST.DLL	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\logo_home.gif	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\HH.HTT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Command cache application.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Ms speed internet library.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Windows Network.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\AmiUpdXp.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Update.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\DEFAULT.CSS	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\HK506.TXT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Update2.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SoftwareDistribution\mstoble.cop	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\pass.log	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\csrss.exe.tmp	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\WinInform.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Debug\config.json	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\nirc.exe	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Net libraries.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Windows OneDrive Shell Extensions.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\[TheMoonlight].txt	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\MASS	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\icon_security_scan.gif	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Betvingelsernes7.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\WindowsUpdate2.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\X2014	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{D4027C7F-154A-4066-A1AD-4243D8127440}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{EA0D26BD-9029-431A-86E0-83152D67828A}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{806E1CA8-2B65-45B5-B1D4-C42EF388E119}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3794345D-C731-4FBB-8471-73DDC8DFFDD2}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D9CF9E72-1E65-4EC1-B57A-19BE12030BF5}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{F4982BAB-80E9-4838-A2A0-95D30F348161}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2C4E6D22-B71F-491F-AAD3-B6972A650D50}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{51BC73EC-110E-479D-B62B-1234F2AC396D}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{CE572474-335E-4CE4-9895-04D3009C29CB}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{634BBAB7-3F60-4426-944F-A62B9007F67F}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1557B435-8242-4686-9AA3-9265BF7525A4}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8BF5B8FC-11CB-409F-8C91-4D4CA04A1B6D}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{2A07F060-8544-B6A7-8268-07D83CC87784}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{86CBF051-1EDE-48E0-BFB8-5CF7770572D3}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{E8249E69-A809-4544-832F-64EB65747A92}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{BCBEB0EB-744A-4F05-99A5-636B721C318E}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{2D38A51A-23C9-48A1-A33C-48675AA2B494}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{6E785A53-AC5A-4F6A-A6E4-1B51FA4A0A09}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{724510C3-F3C8-4FB7-879A-D99F29008A2F}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{CAE0999F-78C5-49DC-9F30-13142AAAABA4}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{F3727275-224F-4AB0-8642-7D461EFB82D8}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{FFFFFFFF-F538-4f86-ABAF-E9D94D5C007C}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{3CA60057-9277-49C0-8D64-280DBAD9C3E1}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{4E007A5F-299F-44FC-8B6B-F06B61867A2E}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{42B74391-8C40-4AAF-B99F-2D70D70448F8}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{56F1D444-11BF-4879-A12B-79CF0177F038}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{001F2570-5DF5-11D3-B991-00A0C9BB0874}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{1E1B2879-88FF-11D2-8D96-D7ACAC95951F}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C16FBF77-0C66-476E-8C78-15BE5AE14306}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{64E81C6A-05DD-3B44-125D-3269273A6FB5}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{CC8C8F4F-F2E8-404B-A43D-5CC57876A008}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{2004652A-4CCE-4EA5-A49E-FEEBF2A2BA8B}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{8A61098D-612B-4EF2-943D-64E920684061}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{1C1B8A44-61FE-411E-8F33-813A4E2E2984}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6E94CEC3-0C84-4310-AE20-CD4090178388}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{3AA6678D-1CE0-499E-B9F6-8444DEE39D88}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{54F33362-1828-4181-9CC7-4BC727C38B78}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD714BC-D36C-487B-8142-8BA020FB6535}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{8A5E6109-376F-46A7-AE78-714BF8F611DC}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{D651AFF4-9590-424D-BD1E-8E33E090DFB3}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A5B99E41-E157-4209-8AAC-DB003A816079}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{88C51E90-8E9C-4C96-8A45-574D88B63FAF}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{46ECDBEA-47BA-4A9F-B3FB-14825C3207B0}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{91647B9D-6B67-4027-8492-D456920DA8D6}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{E1D20694-74D9-472D-AF03-08C26173A67F}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{427B37EF-B6C5-4823-A97C-10B88977E398}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{BCC73622-F72D-4277-803C-D65565A0947F}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{10F0C2A9-8E38-43e3-204D-45524C494E20}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{018959BD-74C9-4CB4-BDA0-7C6A8CA235D0}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4D1C4E8B-A32A-416B-BCDB-33B3EF3617D3}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2C1CD3D7-86AC-4068-93BC-A02304B60787}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A710731F-9C7A-45AD-9B33-709A82A5C8A1}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F443A627-5009-4323-9C1D-7FD598D0D712}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{3E9B951E-6F72-431B-82CF-4A9FBF2F53BC}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{E0EC6FBA-F009-3535-95D6-B6390DB27DA1}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{F4002052-AB29-4B33-8C8D-0E99084564EC}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-59D4-4008-9058-080011001200}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C25FA7CE-23EA-4271-A66D-06C4D5C22F78}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{EFB46ED3-8FD8-4051-8FD6-DD9CE7E63BEF}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{9D0D1FD2-D1A2-40E7-94F3-A9DB5E7672EA}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9BF068D0-B735-11D3-B2CF-00500489D6A3}\TypeLib	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htc\Content Type = "text/x-component"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "JSFile"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "Regedit.exe \"%1\""	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpf\MediaPackageFile	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54F37842-CDD7-11D3-B2D4-00500489D6A3}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54F37842-CDD7-11D3-B2D4-00500489D6A3}\TypeLib	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "cmdfile"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "Notepad.exe \"%1\""	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hta\ = "htafile"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "batfile"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.com	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "Notepad.exe \"%1\""	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hta\Content Type = "application/hta"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jsfile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "WScript.exe \"%1\" %*"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vbefile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9BF068D0-B735-11D3-B2CF-00500489D6A3}\ProxyStubClsid	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\Shell\Open\Command\ = "WScript.exe \"%1\" %*"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "%SystemRoot%\\system32\\mmc.exe \"%1\" %*"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9BF068D0-B735-11D3-B2CF-00500489D6A3}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hta	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpf\MediaPackageFile\ShellNew	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54F37842-CDD7-11D3-B2D4-00500489D6A3}\ProxyStubClsid	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBEFile\Shell\Open\Command\ = "WScript.exe \"%1\" %*"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.hta\PersistentHandler	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\about	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpf	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9BF068D0-B735-11D3-B2CF-00500489D6A3}\ProxyStubClsid32	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "comfile"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "\"%1\" %*"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vbsfile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htc	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54F37842-CDD7-11D3-B2D4-00500489D6A3}\ProxyStubClsid32	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "regfile"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"%1\" /S"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.hta	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "Notepad.exe \"%1\""	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.htc	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Token: SeRestorePrivilege	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Token: SeShutdownPrivilege	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 644	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	64
PID 1904 wrote to memory of 644	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	64
PID 1904 wrote to memory of 644	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	64
PID 1904 wrote to memory of 644	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	64
PID 1904 wrote to memory of 1724	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	65
PID 1904 wrote to memory of 1724	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	65
PID 1904 wrote to memory of 1724	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	65
PID 1904 wrote to memory of 1724	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	65
PID 1904 wrote to memory of 1604	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	32
PID 1904 wrote to memory of 1604	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	32
PID 1904 wrote to memory of 1604	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	32
PID 1904 wrote to memory of 1604	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	32
PID 1904 wrote to memory of 1676	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	68
PID 1904 wrote to memory of 1676	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	68
PID 1904 wrote to memory of 1676	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	68
PID 1904 wrote to memory of 1676	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	68
PID 1904 wrote to memory of 1008	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	70
PID 1904 wrote to memory of 1008	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	70
PID 1904 wrote to memory of 1008	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	70
PID 1904 wrote to memory of 1008	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	70
PID 1904 wrote to memory of 1124	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	38
PID 1904 wrote to memory of 1124	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	38
PID 1904 wrote to memory of 1124	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	38
PID 1904 wrote to memory of 1124	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	38
PID 1904 wrote to memory of 1536	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	40
PID 1904 wrote to memory of 1536	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	40
PID 1904 wrote to memory of 1536	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	40
PID 1904 wrote to memory of 1536	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	40
PID 1904 wrote to memory of 1196	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	41
PID 1904 wrote to memory of 1196	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	41
PID 1904 wrote to memory of 1196	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	41
PID 1904 wrote to memory of 1196	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	41
PID 1904 wrote to memory of 964	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	43
PID 1904 wrote to memory of 964	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	43
PID 1904 wrote to memory of 964	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	43
PID 1904 wrote to memory of 964	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	43
PID 1904 wrote to memory of 320	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	45
PID 1904 wrote to memory of 320	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	45
PID 1904 wrote to memory of 320	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	45
PID 1904 wrote to memory of 320	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	45
PID 1904 wrote to memory of 1836	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	47
PID 1904 wrote to memory of 1836	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	47
PID 1904 wrote to memory of 1836	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	47
PID 1904 wrote to memory of 1836	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	47
PID 1904 wrote to memory of 1868	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	49
PID 1904 wrote to memory of 1868	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	49
PID 1904 wrote to memory of 1868	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	49
PID 1904 wrote to memory of 1868	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	49
PID 1904 wrote to memory of 652	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	51
PID 1904 wrote to memory of 652	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	51
PID 1904 wrote to memory of 652	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	51
PID 1904 wrote to memory of 652	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	51
PID 1904 wrote to memory of 1100	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	54
PID 1904 wrote to memory of 1100	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	54
PID 1904 wrote to memory of 1100	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	54
PID 1904 wrote to memory of 1100	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	54
PID 1904 wrote to memory of 1600	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	55
PID 1904 wrote to memory of 1600	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	55
PID 1904 wrote to memory of 1600	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	55
PID 1904 wrote to memory of 1600	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	55
PID 1904 wrote to memory of 1768	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	56
PID 1904 wrote to memory of 1768	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	56
PID 1904 wrote to memory of 1768	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	56
PID 1904 wrote to memory of 1768	1904	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	56

C:\Users\Admin\AppData\Local\Temp\adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
"C:\Users\Admin\AppData\Local\Temp\adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe"
1⤵
- Modifies system executable filetype association
- Adds policy Run key to start application
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\system32\cmd.exe
  cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\com2.{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}\*.*" /a /q"
  2⤵
  PID:644
- C:\Windows\system32\cmd.exe
  cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\com2.{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}""
  2⤵
  PID:1724
- C:\Windows\system32\cmd.exe
  cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\com4.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}\*.*" /a /q"
  2⤵
  PID:1604
- C:\Windows\system32\cmd.exe
  cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\com4.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}""
  2⤵
  PID:1676
- C:\Windows\system32\cmd.exe
  cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\*.*" /a /q"
  2⤵
  PID:1008
- C:\Windows\system32\cmd.exe
  cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}""
  2⤵
  PID:1124
- C:\Windows\system32\cmd.exe
  cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\*.*" /a /q"
  2⤵
  PID:1536
- C:\Windows\system32\cmd.exe
  cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}""
  2⤵
  PID:1196
- C:\Windows\system32\cmd.exe
  cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\lpt3.{1D2680C9-0E2A-469d-B787-065558BC7D43}\*.*" /a /q"
  2⤵
  PID:964
- C:\Windows\system32\cmd.exe
  cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\lpt3.{1D2680C9-0E2A-469d-B787-065558BC7D43}""
  2⤵
  PID:320
- C:\Windows\system32\cmd.exe
  cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\lpt6.{17cd9488-1228-4b2f-88ce-4298e93e0966}\*.*" /a /q"
  2⤵
  PID:1836
- C:\Windows\system32\cmd.exe
  cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\lpt6.{17cd9488-1228-4b2f-88ce-4298e93e0966}""
  2⤵
  PID:1868
- C:\Windows\system32\cmd.exe
  cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\lpt7.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}\*.*" /a /q"
  2⤵
  PID:652
- C:\Windows\system32\cmd.exe
  cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\lpt7.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}""
  2⤵
  PID:1100
- C:\Windows\system32\cmd.exe
  cmd /c "del "\\.\C:\WINDOWS\FONTS\COM4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}\*.*" /a /q"
  2⤵
  PID:1600
- C:\Windows\system32\cmd.exe
  cmd /c "rd "\\.\C:\WINDOWS\FONTS\COM4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}""
  2⤵
  PID:1768
- C:\Windows\system32\cmd.exe
  cmd /c "del \\.\C:\con.sys\*.* /a /q"
  2⤵
  PID:1472
- C:\Windows\system32\cmd.exe
  cmd /c "rd \\.\C:\con.sys"
  2⤵
  PID:912
- C:\Windows\system32\cmd.exe
  cmd /c "del \\.\C:\con.ini\*.* /a /q"
  2⤵
  PID:296
- C:\Windows\system32\cmd.exe
  cmd /c "rd \\.\C:\con.ini"
  2⤵
  PID:1724
- C:\Windows\system32\cmd.exe
  cmd /c "del \\.\C:\con.usb\*.* /a /q"
  2⤵
  PID:1676
- C:\Windows\system32\cmd.exe
  cmd /c "rd \\.\C:\con.usb"
  2⤵
  PID:1008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1590139865-1798428421185490029-9445807141037889684-1790281473-3176258751955698587"
1⤵
PID:644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1904-60-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download