Analysis
max time kernel: 355s
max time network: 352s
platform: windows10_x64
resource: win10-en-20210920
submitted: 20-10-2021 11:41
Static task: static1
Behavioral task: behavioral1
Sample: 282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample.exe
Resource: win10-en-20210920
General
Target: 282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample.exe
Size: 52KB
MD5: 28945b625617cfdcc444b428de0a7a00
SHA1: 9cab670cd0d11e901cdb3f197aa18f1a6e2930ba
SHA256: 282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636
SHA512: eab6d0816c972a435e11e195194699748058127203bc726061689f986d6dbc49978b4e78b7f93d550233f2f22046888b938ad8ac9c4cf01cfb3de08cf642f19d
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
416 | aluR8m.exe
1112 | 1LLDO:exe
4036 | kosJKJL:exe
-
Modifies Installed Components in the registry 2 TTPs
-
Modifies extensions of user files 18 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File created | C:\Users\Admin\Pictures\SkipSplit.tiff.locked | 1LLDO:exe
File created | C:\Users\Admin\Pictures\CheckpointPush.crw.locked | 1LLDO:exe
File opened for modification | C:\Users\Admin\Pictures\PublishApprove.tiff | 1LLDO:exe
File created | C:\Users\Admin\Pictures\PublishApprove.tiff.readme_txt | 1LLDO:exe
File opened for modification | C:\Users\Admin\Pictures\SkipDismount.crw.readme_txt | 1LLDO:exe
File created | C:\Users\Admin\Pictures\SkipDismount.crw.readme_txt | 1LLDO:exe
File opened for modification | C:\Users\Admin\Pictures\SkipSplit.tiff.readme_txt | 1LLDO:exe
File opened for modification | C:\Users\Admin\Pictures\PublishApprove.tiff.locked | 1LLDO:exe
File opened for modification | C:\Users\Admin\Pictures\PublishApprove.tiff.readme_txt | 1LLDO:exe
File created | C:\Users\Admin\Pictures\CheckpointPush.crw.readme_txt | 1LLDO:exe
File created | C:\Users\Admin\Pictures\SkipDismount.crw.locked | 1LLDO:exe
File opened for modification | C:\Users\Admin\Pictures\CheckpointPush.crw.locked | 1LLDO:exe
File opened for modification | C:\Users\Admin\Pictures\CheckpointPush.crw.readme_txt | 1LLDO:exe
File opened for modification | C:\Users\Admin\Pictures\SkipSplit.tiff | 1LLDO:exe
File opened for modification | C:\Users\Admin\Pictures\SkipSplit.tiff.locked | 1LLDO:exe
File created | C:\Users\Admin\Pictures\SkipSplit.tiff.readme_txt | 1LLDO:exe
File created | C:\Users\Admin\Pictures\PublishApprove.tiff.locked | 1LLDO:exe
File opened for modification | C:\Users\Admin\Pictures\SkipDismount.crw.locked | 1LLDO:exe
-
Deletes itself 1 IoCs
Processes:
pid | process
4036 | kosJKJL:exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\BySHmML5E = "C:\\Users\\Admin\\AppData\\Local\\Hxxe4J\\LTFakY.exe" | 282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample.exe
-
Drops desktop.ini file(s) 2 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | 1LLDO:exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | 1LLDO:exe
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\D: | explorer.exe
-
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DBGCORE.DLL.locked | 1LLDO:exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml.readme_txt | 1LLDO:exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe.locked | 1LLDO:exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ppd.xrm-ms.readme_txt | 1LLDO:exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Forms.dll.locked | 1LLDO:exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN081.XML | 1LLDO:exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOSI.TTF.locked | 1LLDO:exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_tr_135x40.svg.readme_txt | 1LLDO:exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.dll.locked | 1LLDO:exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_zh_4.4.0.v20140623020002.jar.locked | 1LLDO:exe
File created | C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt.readme_txt | 1LLDO:exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\PREVIEW.GIF.locked | 1LLDO:exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe.readme_txt | 1LLDO:exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\ui-strings.js.locked | 1LLDO:exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nl-nl\ui-strings.js.locked | 1LLDO:exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-100_contrast-white.png | 1LLDO:exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeLinguistic.dll | 1LLDO:exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\illustrations_retina.png.locked | 1LLDO:exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-loaders.xml | 1LLDO:exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_zh_CN.jar | 1LLDO:exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\msointl30.dll.readme_txt | 1LLDO:exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\eu-es\ui-strings.js | 1LLDO:exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\PSGet.Resource.psd1 | 1LLDO:exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms | 1LLDO:exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033 | 1LLDO:exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.oracle.jmc.executable.win32.win32.x86_64_5.5.0.readme_txt | 1LLDO:exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OARTODF.DLL | 1LLDO:exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\INDUST.ELM.locked | 1LLDO:exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SpreadsheetIQ.ExcelServices.dll.locked | 1LLDO:exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\AppxSignature.p7x | 1LLDO:exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\ui-strings.js | 1LLDO:exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-fr\ui-strings.js.locked | 1LLDO:exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\share.svg | 1LLDO:exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\da-dk\ui-strings.js.readme_txt | 1LLDO:exe
File created | C:\Program Files\Java\jre1.8.0_66\lib\security\java.security.locked | 1LLDO:exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms.locked | 1LLDO:exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png.locked | 1LLDO:exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\FPWEC.DLL.readme_txt | 1LLDO:exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONDIRECTX.DLL | 1LLDO:exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\es-ES.PhoneNumber.SMS.model | 1LLDO:exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsWideTile.scale-100.png | 1LLDO:exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryLog.xltx | 1LLDO:exe
File opened for modification | C:\Program Files\Microsoft Office\root\vreg\excelmui.msi.16.en-us.vreg.dat.locked | 1LLDO:exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Spiral.png | 1LLDO:exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-30.png | 1LLDO:exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.properties.locked | 1LLDO:exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\lt.pak | 1LLDO:exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface_3.10.1.v20140813-1009.jar.readme_txt | 1LLDO:exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.workbench_3.106.1.v20140827-1737.jar.locked | 1LLDO:exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_plugin.dll.locked | 1LLDO:exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\ui-strings.js.locked | 1LLDO:exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HighBeamCardLogo.png.readme_txt | 1LLDO:exe
File opened for modification | C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui | 1LLDO:exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ro-ro\ui-strings.js.readme_txt | 1LLDO:exe
File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\de-DE\msdaprsr.dll.mui | 1LLDO:exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.ja_5.5.0.165303.jar.readme_txt | 1LLDO:exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.dll | 1LLDO:exe
File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll.locked | 1LLDO:exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-30.png | 1LLDO:exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\GenericMailBadge.scale-400.png | 1LLDO:exe
File created | C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkDrop32x32.gif.locked | 1LLDO:exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\de-DE\wmpnssui.dll.mui | 1LLDO:exe
File created | C:\Program Files\Microsoft Office\root\Office16\Resources.pri.readme_txt | 1LLDO:exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2875_24x24x32.png | 1LLDO:exe
-
Drops file in Windows directory 11 IoCs
Processes:
description | ioc | process
File created | C:\Windows\rescache\_merged\4183903823\1195458082.pri | ShellExperienceHost.exe
File created | C:\Windows\rescache\_merged\2717123927\1713683155.pri | ShellExperienceHost.exe
File created | C:\Windows\rescache\_merged\860799236\4237324420.pri | ShellExperienceHost.exe
File created | C:\Windows\rescache\_merged\1301087654\4010849688.pri | ShellExperienceHost.exe
File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | ShellExperienceHost.exe
File created | C:\Windows\rescache\_merged\4272278488\927794230.pri | ShellExperienceHost.exe
File created | C:\Windows\rescache\_merged\4032412167\2690874625.pri | explorer.exe
File created | C:\Windows\rescache\_merged\2717123927\1713683155.pri | explorer.exe
File created | C:\Windows\rescache\_merged\1601268389\3068621934.pri | SearchUI.exe
File created | C:\Windows\rescache\_merged\4032412167\2690874625.pri | ShellExperienceHost.exe
File created | C:\Windows\rescache\_merged\1601268389\3068621934.pri | ShellExperienceHost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
pid | pid_target | process | target process
3460 | 392 | WerFault.exe |
3720 | 392 | WerFault.exe |
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
-
Discovers systems in the same network 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SearchUI.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | SearchUI.exe
-
Modifies registry class 31 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | SearchUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" | SearchUI.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | SearchUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "0" | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana | SearchUI.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | SearchUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132766168982456120" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana | SearchUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" | SearchUI.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = (value elided) | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana | SearchUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129" | SearchUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "0" | SearchUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | SearchUI.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState | SearchUI.exe
-
NTFS ADS 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Local\kosJKJL:exe | 282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample.exe
File created | C:\Users\Admin\AppData\Local\1LLDO:exe | aluR8m.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
pid | process
3460 | WerFault.exe (12 identical entries)
3720 | WerFault.exe (12 identical entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1640 | explorer.exe
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3460 | WerFault.exe
Token: SeDebugPrivilege | 3720 | WerFault.exe
Token: SeShutdownPrivilege | 1640 | explorer.exe (17 entries, alternating with the next row)
Token: SeCreatePagefilePrivilege | 1640 | explorer.exe (17 entries)
-
Suspicious use of FindShellTrayWindow 46 IoCs
Processes:
pid | process
1640 | explorer.exe (46 identical entries)
-
Suspicious use of SendNotifyMessage 29 IoCs
Processes:
pid | process
1640 | explorer.exe (29 identical entries)
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
3620 | ShellExperienceHost.exe
3520 | SearchUI.exe
3620 | ShellExperienceHost.exe
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description | pid | process | target process
PID 2412 wrote to memory of 496 | 2412 | 282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample.exe | cmd.exe (3 identical entries)
PID 496 wrote to memory of 416 | 496 | cmd.exe | aluR8m.exe (3 identical entries)
PID 416 wrote to memory of 1112 | 416 | aluR8m.exe | 1LLDO:exe (3 identical entries)
PID 2412 wrote to memory of 4036 | 2412 | 282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample.exe | kosJKJL:exe (3 identical entries)
PID 4036 wrote to memory of 1528 | 4036 | kosJKJL:exe | net.exe (3 identical entries)
PID 4036 wrote to memory of 3052 | 4036 | kosJKJL:exe | net.exe (3 identical entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample.exe"1⤵
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\q5TGHi\aluR8m.exe 22⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\q5TGHi\aluR8m.exeC:\Users\Admin\AppData\Local\q5TGHi\aluR8m.exe 23⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\1LLDO:exeC:\Users\Admin\AppData\Local\1LLDO:exe 3 C:\Users\Admin\AppData\Local\q5TGHi\aluR8m.exe4⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\kosJKJL:exeC:\Users\Admin\AppData\Local\kosJKJL:exe 1 C:\Users\Admin\AppData\Local\Temp\282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample.exe2⤵
- Executes dropped EXE
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exeC:\Windows\system32\net.exe view3⤵
- Discovers systems in the same network
-
C:\Windows\SysWOW64\net.exeC:\Windows\system32\net.exe view \\RSSLLXYN3⤵
- Discovers systems in the same network
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 392 -s 71041⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 392 -s 71881⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\explorer.exe
Command line: explorer.exe
Tree depth: 1
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Image: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Tree depth: 1
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
Image: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
Tree depth: 1
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads