dmalocker | adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1

Analysis

max time kernel
22s
max time network
119s
platform
windows10_x64
resource
win10v20210408
submitted
19-06-2021 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Size

1.4MB
MD5

4fa5fd0b35ba44e25b87747c1ba710f6
SHA1

dcbcb67d4723312f274627a2a22861f759d032a1
SHA256

adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1
SHA512

d0f87394722e6f842e74a117f77e4cb579418bec18ece2efbd6feb4bee6facb0bb69d2153fb6c70b4584b389eee77f15c0f561f21b26e08c421fe727b56b7d13

Score

10^/10

dmalocker hawkeye locky locky_osiris wannacry discovery keylogger persistence ransomware spyware stealer trojan worm

Malware Config

Signatures

DMA Locker
Ransomware family with some advanced features, like encryption of unmapped network shares.
ransomware dmalocker
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Prueba = "Ok"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Prueba = "Ok"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

Drops file in Drivers directory 19 IoCs

Processes:

adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

description	ioc	process
File opened for modification	C:\WINDOWS\SYSTEM32\drivers\ver2.txt	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\ver2.txt	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Drivers\Inf\SOCFG.DLL	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Drivers\AUTORUN.BAK	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\drivers\str.sys	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Drivers\DETPORT.SYS	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Drivers\RVDPORT.SYS	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\drivers\ver.txt	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Drivers\DETPORT.SYS	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Drivers\ISPUPDRV.SYS	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\drivers\config.json	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Drivers\Inf\SOCFG.DLL	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Drivers\AUTORUN.BAK	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Drivers\ISPUPDRV.SYS	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Drivers\RVDPORT.SYS	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\config.json	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\str.sys	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\ver.txt	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\drivers\etc\Hosts	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops startup file 64 IoCs

Processes:

adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gtud.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodga.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dgrltvzvvgjpxaz.eu.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogin.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gmst.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dmtdy.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMEPADSV.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskmgr.eu.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\otgwsf.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uogfre.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.vbe	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{39B6FD42-8SKE-838D-9875-3YTA2897936Q}.bmp	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ctfmon.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iutmn.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outlookupdatings.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rnYVKJVOCd.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OaKZR9x9.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xxZbEWSnqt.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tub.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asspp.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mighr.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TKRULI.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stst.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tHwMAS.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\srvknhyssouajgg.eu.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gBWXXQuzYx.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.exe.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbftyuj.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hdry.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ksea.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jkzoKD.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PIPLXE.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SANTA.BAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RAVBg64.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeviceProperties.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbnme.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fyfluyf.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iihge.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\superoptimizersetup.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ame.vbe	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ofiyh.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ulZYCdTsml.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows update.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!#_READ_ME_#!.hta	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LYCOS SIDESEARCH.LNK	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemComponentModelINotifyPropertyChangingV.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEdgeDevTools.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svs.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RGZLTE.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SCANDISK.LNK	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jghcve.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BuqcdD1n.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cssrss.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gpupdate.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RtlUpd64.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xteris.vbe	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHost.exe.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TEKNO.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sgcro.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.url	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READ_DECRYPT DATA INSTRUCTIONS.jpg	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Prueba = "Ok"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Prueba = "Ok"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Prueba = "Ok"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Prueba = "Ok"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in System32 directory 64 IoCs

Processes:

adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

description	ioc	process
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\Update\Windows Tittle	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\VMWare Central Connector	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\___u	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\UL.DLL	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\REQ.DAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\iCloud Free Disk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\MSUPDATE.DLL	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Ms visual extension	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\msbb.log	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\154.BAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\VERSION.DAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\VERSION.INI	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\SFKLG.DAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\WinNetworkTask	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\DMLCONF.DAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\AUTORUN.INF	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\VMWare Central Connector	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Windows Defender host	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\Ms nocsys tools	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\MsSocketVision	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\MyCloud Disk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\___m	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\msbbau.dat	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\DLL1.tmp	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\binarysoundx.exe	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\HEURICCOMMAND.BAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\CRCSPIDER.ICO	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\MYUSERNAME11.TXT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\MYUSERNAME11.TXT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Winsys.bat	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\WINVIEW.OCX	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\SPEC.FNE	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\WinHostStart	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\Ms cpu monitor	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\DP1.FNE	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\SPEC.FNE	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Ms cpu monitor	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\VUYOSIVA	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\tty.exe	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\c.ico	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\FreeMonoLibrary	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\MsNetMonitor	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\LECHUCK.HTA	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\SystemIDE	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Windows directory manager	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\MSShell32	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\SYSTEMS11.ICO	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\SFKLG.DAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\WPA Service	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\WinHostStart	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\AVG32XL.KDX	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\drbux.exe	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\Ms visual extension	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Msmmvs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\INTERNET.FNE	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\WEB.DAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\NetworkTask	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\Msnetcs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\NetSys	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\unregmp2	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\DPI Service Task	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\WindowsUpdater	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\WinWOW64Services	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\DefragWinSysTask	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

Drops file in Program Files directory 23 IoCs

Processes:

adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

description	ioc	process
File opened for modification	C:\Program Files\Messenger Plus! Live\Scripts\hola\hola.js	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Internet Explorer\JS.MUI	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Outlook Express\KLOG.DAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\NetMeeting\KLOG.DAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Internet Explorer\ONLO0R.OBK	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\X.BMP	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Lycos\Sidesearch\OFFLINE.HTM	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\searchplugins\fcmdSrch.xml	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\JustClicking\home.bat	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\WebRebates4\Websrebates\Webtrebates\toprC0.htm	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Internet Explorer\DMLCONF.DAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Assembly\System.exe.config	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Adobe\pdf.exe.config	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Adobe\pdf.exex	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\VERSION.TXT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Internet Explorer\ACPI.VXD	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\installESP.log	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Adobe\pdf.ex_	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Messenger\KLOG.DAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Common Files\Systems\PINKS.DLL	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Movie Maker\KLOG.DAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\Program Files\Common Files\System\Uninstall\Uninstall A360.lnk	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

Drops file in Windows directory 64 IoCs

Processes:

adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

description	ioc	process
File opened for modification	C:\WINDOWS\pass.log	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\O.REG	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\SynapticUpdater.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SoftwareDistribution\grim.ime	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\DEFAULT.CSS	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\CTFMON.CFG	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\MsNetValidator.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Lycos - make LOVE not SPAM.dat	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\WEB\OSLOGO.BMP	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Media\UPSET1.DAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\HH.HTT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\WinInform.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\[TheMoonlight].txt	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SSTYLE.CSS	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\MiscfostNsi.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\W	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\WIASERVB.LOG	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\WindowsUpdate1.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\OCULS.LOG	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Msntcs.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\home_bg3.jpg	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\WindowsUpdate2.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\4.REG	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\MSTECF.DAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Win Direct Tools.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\windowsXP_masthead_ltr.gif	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Ms new library.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\logo_home.gif	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Milieukravene.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Crmans.dat	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\MsNetMonitor.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Shell File Extensions.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Debug\Result.dark	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SRCH.REG	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Branding\ShellBrd\Core1\sasdt1.bak	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Windows Shell OneDrive Extensions.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\LOGCPU.BAT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\l.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\SYSMORTEM.TXT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\System32FarrEl.dat	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\System Health Application.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Task Health Application.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\BM9b5ae91d.xml	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\salmau.dat	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\MASS	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Resources\Themes\icsys.icn	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\ApplicationNetwork.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\CLB.DLLBAK	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\MEMTEST.TXT	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\DealPlyLiveUpdateTaskMachineCore.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Help\idsmtpView.txt	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Media\libstdc++-6.dll	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\msbb.log	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\ChromeDataStorage.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Mono Library.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Sysnetsf.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\WinDotNet.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Windows Network.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Miscfost.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\180ax.log	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Betvingelsernes7.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
File opened for modification	C:\WINDOWS\Tasks\Msmmvs.job	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F577A1BA-D82D-4BB2-8430-B767285D081D}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{014DA6C2-189F-421A-88CD-07CFE51CFF10}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{018959BD-74C9-4CB4-BDA0-7C6A8CA235D0}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{54F33362-1828-4181-9CC7-4BC727C38B78}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{5ED7D3DE-6DBE-4516-8712-01B1B64B7057}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{EAB15366-0E81-476D-83CC-1052FDF017C8}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{78BCF937-45B0-40A7-9391-DCC03420DB35}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{08BED96E-5A7D-42E7-9049-D2FB4978BEBC}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{58D47FFF-63EF-572E-843F-E5DD6AA0005D}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{7BF3A7DB-A516-4E24-B40A-F60B34699E26}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A3879746-8343-47DF-AFDC-297F62230546}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{E0CE16CB-741C-4B24-8D04-A817856E07F4}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{32341E7E-C319-46DE-91D0-E30BB1A3CABA}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{87859DA0-ABE6-45D5-A03B-7B7A280CD8A4}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{9EC61371-C3B9-FCC1-EE6F-2E4E8D12DFFC}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{32D82963-445F-47FC-BAD8-3CADED3A6A3F}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{5F185477-1B56-41D3-8CDC-F25E4514E26E}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03974811-C15F-462c-B6B0-2D2336AA57D0}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{9CB12DAD-32C7-4F34-9758-C9FDD26D4D22}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{DBD7AAA2-1725-4663-8C8B-52A840693469}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{010FF400-8DFB-439D-987B-DCDE5195F4D8}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{53CED2D0-5E9A-4761-9005-648404E6F7E5}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{ADA4AB54-F034-41A4-9A68-95DF06976B68}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E25EE903-37EB-467B-B1F0-F71063F6B8C8}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{2724E072-19D0-486D-A819-9D914191AE92}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{4D25F924-B9FE-4682-BF72-8AB8210D6D75}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{07C7156E-D651-4ACC-9AD3-498C916E9651}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7CE67716-5803-4FB7-B344-0C7A17F93B5D}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{196B9CB5-4C83-46F7-9B06-9672ECD9D99B}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{91C18ED5-5E1C-4AE5-A148-A861DE8C8E16}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{A0B4FFEA-D466-49A8-9BB0-B7BBD2FCB449}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{E92EACB2-541D-4E78-93C4-87703299D78B}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{F48FC5B2-094A-44C7-B48C-289738C9582D}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{6148028B-D532-4417-8C0B-5A4A0B745393}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7F4FF6D5-E71D-4B1A-AD0B-A660C1FD1837}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2E65A557-173C-4DE9-860B-28FC5CACA542}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4D25F924-B9FE-4682-BF72-8AB8210D6D75}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{86A44EF7-78FC-4E18-A564-B18F806F7F56}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BD344AF4-67AB-4E19-A630-7435587D320B}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FE6C16C4-16AD-47B6-B250-26AD1829E49A}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{10049D2A-2965-4E4F-8C7E-CB33AD95FEB7}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{184B0A26-4C9C-4757-ABF5-4B6AF71F9A45}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3ECF916F-A5DE-4dd4-A142-B35A29DC2EDB}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{893FAD3A-931E-4E53-B515-B1426D63799B}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{C41A1C0E-EA6C-11D4-B1B8-444553540007}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{184746EC-9E9D-4C7D-B9E7-9039EBD801A9}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{3794345D-C731-4FBB-8471-73DDC8DFFDD2}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{8271B5D6-76D3-4ABF-AEB3-1721161C76BC}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E7AFFF2A-1B57-49C7-BF6B-E5123394C970}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{2935C200-7E7D-4257-B9D4-EE75BAA206C9}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C14E6230-757D-4246-81CE-B34E2940C722}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{C5FCE753-7E3E-414C-815E-86AF82D8817A}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{FCBABDA2-801E-4F51-B6E8-0122032FB16B}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{2A07F060-8544-B6A7-8268-07D83CC87784}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{56D6D435-4339-48AA-9617-A9B14BCFCD29}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6CC1C918-AE8B-4373-A5B4-28BA1851E39A}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{01CD0B31-9154-45F2-9414-F5D64B74EAF6}	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9B904910-78A4-489D-A825-5111B883A5B2}\Compatibility Flags = "1024"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

Modifies registry class 53 IoCs

Processes:

adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "batfile"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.htc	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "\"%1\" %*"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "Notepad.exe \"%1\""	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "regfile"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htc	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htc\Content Type = "text/x-component"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"%1\" /S"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.hta	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "%SystemRoot%\\system32\\mmc.exe \"%1\" %*"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "Regedit.exe \"%1\""	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vbefile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hta\ = "htafile"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "WScript.exe \"%1\" %*"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hta	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.com	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "comfile"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\about	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "Notepad.exe \"%1\""	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jsfile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\Shell\Open\Command\ = "WScript.exe \"%1\" %*"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "JSFile"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "Notepad.exe \"%1\""	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vbsfile\shell\open\command	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBEFile\Shell\Open\Command\ = "WScript.exe \"%1\" %*"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.hta\PersistentHandler	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "cmdfile"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hta\Content Type = "application/hta"	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

pid	process
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

description	pid	process
Token: SeDebugPrivilege	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Token: SeRestorePrivilege	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
Token: SeShutdownPrivilege	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

pid	process
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

description	pid	process	target process
PID 636 wrote to memory of 2416	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 2416	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 2208	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 2208	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 3788	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 3788	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 3612	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 3612	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 3148	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 3148	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 3264	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 3264	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 1156	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 1156	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 3240	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 3240	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 672	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 672	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 2608	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 2608	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 580	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 580	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 1736	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 1736	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 3952	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 3952	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 1164	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 1164	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 184	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 184	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 3172	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 3172	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 3084	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 3084	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 732	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 732	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 1276	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 1276	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 4140	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 4140	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 4184	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 4184	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 4216	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe
PID 636 wrote to memory of 4216	636	adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe
"C:\Users\Admin\AppData\Local\Temp\adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe"
1⤵
- Modifies system executable filetype association
- Adds policy Run key to start application
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\SYSTEM32\cmd.exe
cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\com2.{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}\*.*" /a /q"
2⤵
PID:2416

C:\Windows\SYSTEM32\cmd.exe
cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\com2.{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}""
2⤵
PID:2208

C:\Windows\SYSTEM32\cmd.exe
cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\com4.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}\*.*" /a /q"
2⤵
PID:3788

C:\Windows\SYSTEM32\cmd.exe
cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\com4.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}""
2⤵
PID:3612

C:\Windows\SYSTEM32\cmd.exe
cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}""
2⤵
PID:3264

C:\Windows\SYSTEM32\cmd.exe
cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\*.*" /a /q"
2⤵
PID:1156

C:\Windows\SYSTEM32\cmd.exe
cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}""
2⤵
PID:3240

C:\Windows\SYSTEM32\cmd.exe
cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\lpt3.{1D2680C9-0E2A-469d-B787-065558BC7D43}\*.*" /a /q"
2⤵
PID:672

C:\Windows\SYSTEM32\cmd.exe
cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\*.*" /a /q"
2⤵
PID:3148

C:\Windows\SYSTEM32\cmd.exe
cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\lpt6.{17cd9488-1228-4b2f-88ce-4298e93e0966}""
2⤵
PID:1736

C:\Windows\SYSTEM32\cmd.exe
cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\lpt7.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}\*.*" /a /q"
2⤵
PID:3952

C:\Windows\SYSTEM32\cmd.exe
cmd /c "del "\\.\C:\WINDOWS\FONTS\COM4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}\*.*" /a /q"
2⤵
PID:184

C:\Windows\SYSTEM32\cmd.exe
cmd /c "rd "\\.\C:\WINDOWS\FONTS\COM4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}""
2⤵
PID:3172

C:\Windows\SYSTEM32\cmd.exe
cmd /c "del \\.\C:\con.sys\*.* /a /q"
2⤵
PID:3084

C:\Windows\SYSTEM32\cmd.exe
cmd /c "del \\.\C:\con.ini\*.* /a /q"
2⤵
PID:1276

C:\Windows\SYSTEM32\cmd.exe
cmd /c "rd \\.\C:\con.ini"
2⤵
PID:4140

C:\Windows\SYSTEM32\cmd.exe
cmd /c "del \\.\C:\con.usb\*.* /a /q"
2⤵
PID:4184

C:\Windows\SYSTEM32\cmd.exe
cmd /c "rd \\.\C:\con.sys"
2⤵
PID:732

C:\Windows\SYSTEM32\cmd.exe
cmd /c "rd \\.\C:\con.usb"
2⤵
PID:4216

C:\Windows\SYSTEM32\cmd.exe
cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\lpt7.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}""
2⤵
PID:1164

C:\Windows\SYSTEM32\cmd.exe
cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\lpt6.{17cd9488-1228-4b2f-88ce-4298e93e0966}\*.*" /a /q"
2⤵
PID:580

C:\Windows\SYSTEM32\cmd.exe
cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\lpt3.{1D2680C9-0E2A-469d-B787-065558BC7D43}""
2⤵
PID:2608

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/184-128-0x0000000000000000-mapping.dmp

Download
memory/580-124-0x0000000000000000-mapping.dmp

Download
memory/672-122-0x0000000000000000-mapping.dmp

Download
memory/732-131-0x0000000000000000-mapping.dmp

Download
memory/1156-120-0x0000000000000000-mapping.dmp

Download
memory/1164-127-0x0000000000000000-mapping.dmp

Download
memory/1276-132-0x0000000000000000-mapping.dmp

Download
memory/1736-125-0x0000000000000000-mapping.dmp

Download
memory/2208-115-0x0000000000000000-mapping.dmp

Download
memory/2416-114-0x0000000000000000-mapping.dmp

Download
memory/2608-123-0x0000000000000000-mapping.dmp

Download
memory/3084-130-0x0000000000000000-mapping.dmp

Download
memory/3148-118-0x0000000000000000-mapping.dmp

Download
memory/3172-129-0x0000000000000000-mapping.dmp

Download
memory/3240-121-0x0000000000000000-mapping.dmp

Download
memory/3264-119-0x0000000000000000-mapping.dmp

Download
memory/3612-117-0x0000000000000000-mapping.dmp

Download
memory/3788-116-0x0000000000000000-mapping.dmp

Download
memory/3952-126-0x0000000000000000-mapping.dmp

Download
memory/4140-133-0x0000000000000000-mapping.dmp

Download
memory/4184-134-0x0000000000000000-mapping.dmp

Download
memory/4216-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads