zloader | c3a74bd00279c7a9eb6827badb8360e23fd9f290740edfc4cc24848b617f0203

Analysis

max time kernel
600s
max time network
430s
platform
windows10_x64
resource
win10-ja-20210920
submitted
04-10-2021 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

phiasko.bat
Size

58B
MD5

be4bfd95cabbf2a7b68530e629645282
SHA1

e394c4eea18ee4016c1b43111760fe041f0ab14f
SHA256

ab443b30acfb9fe983f631a79d4c6fc481208b98cef934cfc91e6f83bba1c52d
SHA512

c6e7316671e5cd053adca5cd779a90149ed375321e2cab7d63657f308c41a8cbda42c8009da08cea519da72df34400813d5c1a0bd3f923510b632adc09793dcc

Score

10^/10

zloader 123 123 botnet persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

123

Campaign

123

http://gipc.in/post.php

http://fbhindia.com/post.php

http://ecolenefiber.com/post.php

http://design.ecolenefiber.com/post.php

http://beta.marlics.ir/post.php

http://hari.pk/post.php

http://iaiskjmalang.ac.id/post.php

http://314xd.com/post.php

http://ejournal.iaiskjmalang.ac.id/post.php

http://duanvn.com/post.php

rc4.plain

rsa_pubkey.plain

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2232 created 2360 2232 WerFault.exe Explorer.EXE
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

description	pid	process	target process
PID 2232 created 2360	2232	WerFault.exe	Explorer.EXE

Blocklisted process makes network request 23 IoCs

Processes:

msiexec.exe

flow	pid	process
37	4500	msiexec.exe
39	4500	msiexec.exe
40	4500	msiexec.exe
41	4500	msiexec.exe
42	4500	msiexec.exe
43	4500	msiexec.exe
44	4500	msiexec.exe
46	4500	msiexec.exe
48	4500	msiexec.exe
50	4500	msiexec.exe
52	4500	msiexec.exe
54	4500	msiexec.exe
56	4500	msiexec.exe
58	4500	msiexec.exe
59	4500	msiexec.exe
61	4500	msiexec.exe
63	4500	msiexec.exe
65	4500	msiexec.exe
67	4500	msiexec.exe
68	4500	msiexec.exe
69	4500	msiexec.exe
70	4500	msiexec.exe
79	4500	msiexec.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 3108 set thread context of 4500 3108 rundll32.exe msiexec.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

description	pid	process	target process
PID 3108 set thread context of 4500	3108	rundll32.exe	msiexec.exe

Drops file in Windows directory 12 IoCs

Processes:

ShellExperienceHost.exeexplorer.exeSearchUI.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3002025025\1751262768.pri	ShellExperienceHost.exe
File created	C:\Windows\rescache\_merged\2717123927\1713683155.pri	explorer.exe
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	ShellExperienceHost.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\4032412167\2690874625.pri	ShellExperienceHost.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	ShellExperienceHost.exe
File created	C:\Windows\rescache\_merged\4272278488\927794230.pri	ShellExperienceHost.exe
File created	C:\Windows\rescache\_merged\4032412167\2690874625.pri	explorer.exe
File created	C:\Windows\rescache\_merged\2717123927\1713683155.pri	ShellExperienceHost.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	ShellExperienceHost.exe
File created	C:\Windows\rescache\_merged\860799236\4237324420.pri	ShellExperienceHost.exe
File created	C:\Windows\rescache\_merged\1301087654\4010849688.pri	ShellExperienceHost.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2232 2360 WerFault.exe Explorer.EXE

pid	pid_target	process	target process
2232	2360	WerFault.exe	Explorer.EXE

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe

Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

5116 net.exe
4228 net.exe

pid	process
5116	net.exe
4228	net.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchUI.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

5024 ipconfig.exe

pid	process
5024	ipconfig.exe

Modifies registry class 64 IoCs

Processes:

FileSyncConfig.exeexplorer.exeSearchUI.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000008c100000000000002000000e5070a004100720067006a006200650078002000200033000a00a430f330bf30fc30cd30c330c8302000a230af30bb30b93000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000005ab9a63c6cb9d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e5070a004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000a7bd683c6cb9d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e50709004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc76000000000000000000000000218621db20aed70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132766168982456120"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeWerFault.exeexplorer.exe

pid	process
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
3420	explorer.exe
3420	explorer.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe
4500	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

3420 explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

rundll32.exeWerFault.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	3108	rundll32.exe
Token: SeCreatePagefilePrivilege	3108	rundll32.exe
Token: SeShutdownPrivilege	3108	rundll32.exe
Token: SeCreatePagefilePrivilege	3108	rundll32.exe
Token: SeShutdownPrivilege	3108	rundll32.exe
Token: SeCreatePagefilePrivilege	3108	rundll32.exe
Token: SeShutdownPrivilege	3108	rundll32.exe
Token: SeCreatePagefilePrivilege	3108	rundll32.exe
Token: SeShutdownPrivilege	3108	rundll32.exe
Token: SeCreatePagefilePrivilege	3108	rundll32.exe
Token: SeShutdownPrivilege	3108	rundll32.exe
Token: SeCreatePagefilePrivilege	3108	rundll32.exe
Token: SeDebugPrivilege	2232	WerFault.exe
Token: SeShutdownPrivilege	3420	explorer.exe
Token: SeCreatePagefilePrivilege	3420	explorer.exe
Token: SeShutdownPrivilege	3420	explorer.exe
Token: SeCreatePagefilePrivilege	3420	explorer.exe
Token: SeShutdownPrivilege	3420	explorer.exe
Token: SeCreatePagefilePrivilege	3420	explorer.exe
Token: SeShutdownPrivilege	3420	explorer.exe
Token: SeCreatePagefilePrivilege	3420	explorer.exe
Token: SeShutdownPrivilege	3420	explorer.exe
Token: SeCreatePagefilePrivilege	3420	explorer.exe
Token: SeShutdownPrivilege	3420	explorer.exe
Token: SeCreatePagefilePrivilege	3420	explorer.exe
Token: SeShutdownPrivilege	3420	explorer.exe
Token: SeCreatePagefilePrivilege	3420	explorer.exe
Token: SeShutdownPrivilege	3420	explorer.exe
Token: SeCreatePagefilePrivilege	3420	explorer.exe
Token: SeShutdownPrivilege	3420	explorer.exe
Token: SeCreatePagefilePrivilege	3420	explorer.exe
Token: SeShutdownPrivilege	3420	explorer.exe
Token: SeCreatePagefilePrivilege	3420	explorer.exe
Token: SeShutdownPrivilege	3420	explorer.exe
Token: SeCreatePagefilePrivilege	3420	explorer.exe
Token: SeShutdownPrivilege	3420	explorer.exe
Token: SeCreatePagefilePrivilege	3420	explorer.exe
Token: SeShutdownPrivilege	3420	explorer.exe
Token: SeCreatePagefilePrivilege	3420	explorer.exe
Token: SeShutdownPrivilege	3420	explorer.exe
Token: SeCreatePagefilePrivilege	3420	explorer.exe
Token: SeShutdownPrivilege	3420	explorer.exe
Token: SeCreatePagefilePrivilege	3420	explorer.exe
Token: SeShutdownPrivilege	3420	explorer.exe
Token: SeCreatePagefilePrivilege	3420	explorer.exe
Token: SeShutdownPrivilege	3420	explorer.exe
Token: SeCreatePagefilePrivilege	3420	explorer.exe
Token: SeShutdownPrivilege	3420	explorer.exe
Token: SeCreatePagefilePrivilege	3420	explorer.exe
Token: SeShutdownPrivilege	3420	explorer.exe
Token: SeCreatePagefilePrivilege	3420	explorer.exe
Token: SeShutdownPrivilege	3420	explorer.exe
Token: SeCreatePagefilePrivilege	3420	explorer.exe
Token: SeShutdownPrivilege	3420	explorer.exe
Token: SeCreatePagefilePrivilege	3420	explorer.exe
Token: SeShutdownPrivilege	3420	explorer.exe
Token: SeCreatePagefilePrivilege	3420	explorer.exe
Token: SeShutdownPrivilege	3420	explorer.exe
Token: SeCreatePagefilePrivilege	3420	explorer.exe
Token: SeShutdownPrivilege	3420	explorer.exe
Token: SeCreatePagefilePrivilege	3420	explorer.exe
Token: SeShutdownPrivilege	3420	explorer.exe
Token: SeCreatePagefilePrivilege	3420	explorer.exe
Token: SeShutdownPrivilege	3420	explorer.exe

Suspicious use of FindShellTrayWindow 48 IoCs

Processes:

explorer.exe

pid	process
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe

Suspicious use of SendNotifyMessage 31 IoCs

Processes:

explorer.exe

pid	process
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe
3420	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

ShellExperienceHost.exeSearchUI.exe

pid process

4736 ShellExperienceHost.exe
1608 SearchUI.exe
4736 ShellExperienceHost.exe
4736 ShellExperienceHost.exe

pid	process
4736	ShellExperienceHost.exe
1608	SearchUI.exe
4736	ShellExperienceHost.exe
4736	ShellExperienceHost.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

cmd.exerundll32.exerundll32.exemsiexec.exenet.exeexplorer.exe

description	pid	process	target process
PID 3252 wrote to memory of 3848	3252	cmd.exe	rundll32.exe
PID 3252 wrote to memory of 3848	3252	cmd.exe	rundll32.exe
PID 3848 wrote to memory of 3108	3848	rundll32.exe	rundll32.exe
PID 3848 wrote to memory of 3108	3848	rundll32.exe	rundll32.exe
PID 3848 wrote to memory of 3108	3848	rundll32.exe	rundll32.exe
PID 3108 wrote to memory of 4500	3108	rundll32.exe	msiexec.exe
PID 3108 wrote to memory of 4500	3108	rundll32.exe	msiexec.exe
PID 3108 wrote to memory of 4500	3108	rundll32.exe	msiexec.exe
PID 3108 wrote to memory of 4500	3108	rundll32.exe	msiexec.exe
PID 3108 wrote to memory of 4500	3108	rundll32.exe	msiexec.exe
PID 4500 wrote to memory of 5024	4500	msiexec.exe	ipconfig.exe
PID 4500 wrote to memory of 5024	4500	msiexec.exe	ipconfig.exe
PID 4500 wrote to memory of 5024	4500	msiexec.exe	ipconfig.exe
PID 4500 wrote to memory of 4988	4500	msiexec.exe	net.exe
PID 4500 wrote to memory of 4988	4500	msiexec.exe	net.exe
PID 4500 wrote to memory of 4988	4500	msiexec.exe	net.exe
PID 4988 wrote to memory of 3900	4988	net.exe	net1.exe
PID 4988 wrote to memory of 3900	4988	net.exe	net1.exe
PID 4988 wrote to memory of 3900	4988	net.exe	net1.exe
PID 4500 wrote to memory of 5116	4500	msiexec.exe	net.exe
PID 4500 wrote to memory of 5116	4500	msiexec.exe	net.exe
PID 4500 wrote to memory of 5116	4500	msiexec.exe	net.exe
PID 4500 wrote to memory of 4228	4500	msiexec.exe	net.exe
PID 4500 wrote to memory of 4228	4500	msiexec.exe	net.exe
PID 4500 wrote to memory of 4228	4500	msiexec.exe	net.exe
PID 4500 wrote to memory of 716	4500	msiexec.exe	nltest.exe
PID 4500 wrote to memory of 716	4500	msiexec.exe	nltest.exe
PID 4500 wrote to memory of 2896	4500	msiexec.exe	nltest.exe
PID 4500 wrote to memory of 2896	4500	msiexec.exe	nltest.exe
PID 4500 wrote to memory of 2360	4500	msiexec.exe	Explorer.EXE
PID 4500 wrote to memory of 2360	4500	msiexec.exe	Explorer.EXE
PID 4500 wrote to memory of 2360	4500	msiexec.exe	Explorer.EXE
PID 3420 wrote to memory of 4276	3420	explorer.exe	cmd.exe
PID 3420 wrote to memory of 4276	3420	explorer.exe	cmd.exe
PID 3420 wrote to memory of 2208	3420	explorer.exe	cmd.exe
PID 3420 wrote to memory of 2208	3420	explorer.exe	cmd.exe
PID 4500 wrote to memory of 3420	4500	msiexec.exe	explorer.exe
PID 4500 wrote to memory of 3420	4500	msiexec.exe	explorer.exe
PID 4500 wrote to memory of 3420	4500	msiexec.exe	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\phiasko.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\z.dll,asd
3⤵
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\z.dll,asd
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
6⤵
- Gathers network information
PID:5024

C:\Windows\SysWOW64\net.exe
net config workstation
6⤵
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 config workstation
7⤵
PID:3900

C:\Windows\SysWOW64\net.exe
net view /all
6⤵
- Discovers systems in the same network
PID:5116

C:\Windows\SysWOW64\net.exe
net view /all /domain
6⤵
- Discovers systems in the same network
PID:4228

C:\Windows\SYSTEM32\nltest.exe
nltest /domain_trusts
6⤵
PID:716

C:\Windows\SYSTEM32\nltest.exe
nltest /domain_trusts /all_trusts
6⤵
PID:2896

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2360 -s 3232
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.170.0822.0002\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.170.0822.0002\FileSyncConfig.exe"
1⤵
- Modifies registry class
PID:3604

C:\Windows\explorer.exe
explorer.exe
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /q /c del /q "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"
2⤵
PID:4276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /q /c del /q "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe"
2⤵
PID:2208

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4736

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1608

C:\Windows\System32\IME\SHARED\imebroker.exe
C:\Windows\System32\IME\SHARED\imebroker.exe -Embedding
1⤵
PID:4348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ghjg\pvsu
MD5
df514f2d9728a01bb6bd4d468a626857

SHA1
f42836fc99f33ced20fc0b8ba45d49e9bb0390e7

SHA256
cd28eae772073c69a7f532dbc9e8aaa1004ebb9fcfdbce0e9910592b1fac70b6

SHA512
6c708a277fc3d6f9d36a482505e81d5e0fcd9fe939a3f04a9771fc4ca95243afa4826a7bfa9ae2ff4ac4c3592b2125e29a418d9ac4eb7f0b20c6f61ddf3e92ab

Download Submit
memory/716-131-0x0000000000000000-mapping.dmp

Download
memory/2208-136-0x0000000000000000-mapping.dmp

Download
memory/2360-133-0x0000000001080000-0x00000000010B6000-memory.dmp

Filesize
216KB

Download
memory/2896-132-0x0000000000000000-mapping.dmp

Download
memory/3108-116-0x0000000000000000-mapping.dmp

Download
memory/3108-117-0x0000000072D90000-0x0000000072DBA000-memory.dmp

Filesize
168KB

Download
memory/3108-118-0x0000000072D90000-0x00000000737C6000-memory.dmp

Filesize
10.2MB

Download
memory/3108-119-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/3420-137-0x00000000047C0000-0x00000000047F6000-memory.dmp

Filesize
216KB

Download
memory/3420-134-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/3848-115-0x0000000000000000-mapping.dmp

Download
memory/3900-127-0x0000000000000000-mapping.dmp

Download
memory/4228-130-0x0000000000000000-mapping.dmp

Download
memory/4276-135-0x0000000000000000-mapping.dmp

Download
memory/4500-129-0x00000000010F0000-0x00000000010F3000-memory.dmp

Filesize
12KB

Download
memory/4500-124-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/4500-123-0x0000000000410000-0x000000000043A000-memory.dmp

Filesize
168KB

Download
memory/4500-120-0x0000000000000000-mapping.dmp

Download
memory/4988-126-0x0000000000000000-mapping.dmp

Download
memory/5024-125-0x0000000000000000-mapping.dmp

Download
memory/5116-128-0x0000000000000000-mapping.dmp

Download