dmalocker | d6ce2ac21b152bdace29cd88f53a8b7c5c0e78e4f49905d0ffe61e44e22966dc

Analysis

max time kernel
72s
max time network
84s
platform
windows10-2004_x64
resource
win10v2004-20220331-en
submitted
11-04-2022 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22CE389E63E27EB9AF106D70BEF9AF17.exe
Size

1.5MB
MD5

22ce389e63e27eb9af106d70bef9af17
SHA1

6f9187f33e079255d838b8dc31c09e58c6529727
SHA256

d6ce2ac21b152bdace29cd88f53a8b7c5c0e78e4f49905d0ffe61e44e22966dc
SHA512

80e1b6f4b1cef5d1054897cf6940f76fe1aecb105c31fa43500390c168408f01a5a33d11750bd5e2fa02fa4962a5b43254c5adf19b87744ed08ca8e62520130b

Score

10^/10

dmalocker hawkeye locky locky_osiris wannacry discovery keylogger persistence ransomware spyware stealer trojan worm

Malware Config

Signatures

DMA Locker
Ransomware family with some advanced features, like encryption of unmapped network shares.
ransomware dmalocker
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Prueba = "Ok"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Prueba = "Ok"	22CE389E63E27EB9AF106D70BEF9AF17.exe

Drops file in Drivers directory 19 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\Drivers\RVDPORT.SYS	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Drivers\ISPUPDRV.SYS	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Drivers\ISPUPDRV.SYS	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Drivers\RVDPORT.SYS	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\str.sys	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\ver2.txt	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\drivers\etc\Hosts	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Drivers\AUTORUN.BAK	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Drivers\AUTORUN.BAK	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\drivers\str.sys	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\ver.txt	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\drivers\ver2.txt	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Drivers\Inf\SOCFG.DLL	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Drivers\DETPORT.SYS	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\drivers\config.json	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\drivers\ver.txt	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Drivers\Inf\SOCFG.DLL	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Drivers\DETPORT.SYS	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\config.json	22CE389E63E27EB9AF106D70BEF9AF17.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops startup file 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gn46.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinApp.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iihge.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hetsm.exe.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvbdfgsd.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smile.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmsp3.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogoo.url.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\build.vbe	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\files.vbe	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AdobeARMHelper.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iuyghe.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JA.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AppContracts.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnmanager.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csp6VUuIR4mYAMbroab1A.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wen.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BfWTjSzBAA.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.com.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EhStorAuthn.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wiawow64.Lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kjydre.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ulZYCdTsml.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2vC7R7Po.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Start.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Good morning DECRYPT FILES.jpg	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSAT.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oaxiszhzqywdcvy.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ndiso.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nesy.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sgcro.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.com.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A859A2.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\browseui.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jhnysglllmplcxv.eu.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qkYTRdrwMd.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OaKZR9x9.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UNPUXHost.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.vbe	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!#_RESTORE_FILES_#!.inf	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HFePKnTbhy.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\itunes.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vcdfcfghjghtkhjbnvgh.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svs.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jghcve.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mauverlite.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BxjUOFQUZX.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbvredgs.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!#_READ_ME_#!.hta	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gBWXXQuzYx.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nfgh.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fgisdp.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zentom System Guard.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\drhd.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nctwe.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerTray.ini.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AppointmentApis.Lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT	22CE389E63E27EB9AF106D70BEF9AF17.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Prueba = "Ok"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Prueba = "Ok"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Prueba = "Ok"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Prueba = "Ok"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Microsoft\Windows\CurrentVersion\Run	22CE389E63E27EB9AF106D70BEF9AF17.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SYSTEM32\binarysoundx.exe	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\SUWOVEKU	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\MSWMPDAT.TLB	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\REGEX.FNR	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\KERNEL.BIN	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\RUN.REG	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\VERSION.INI	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\Windows Defender host	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Task Gpu update	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\UDP Service Task	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\System\SecurityService	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tempxyz.dll	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\NETDX.DAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\abengineOff.ini	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\CSLSS	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Winsys.bat	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\zdengine.ini	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\MODEL.DAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\wow64	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\BrowserStorage	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\WINLOG2.DAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\ism	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\UNIQ.TLL	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\SX.HTM	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\oem8735.inf	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\___t	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Home lan application	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\Home http service	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Win Direct Tools	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\RUN.REG	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\ENVIADOS.SYS	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\svnosht.exe	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\CompFit Application	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\csrss	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Ms Net 14.0 libraries	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Ms new library	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\___t	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Task Health Application	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\Visual Extensions	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\TBPS.INI	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\nirc.exe	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\binarysoundx.exe	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Udsknke1	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\cIOOhjLCvz	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\WEB.DAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\SystemCO	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\SFKLG.DAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\skdbn.exe	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\WinNetworkTask	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\DELSELF.BAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\DPI Service Task	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\svhost	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\NlsLexicons00mmx.dll	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\NlsLexicons00ssx.dll	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\CRT.DAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\gpu driver	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\Gpu Settings	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\Net libraries	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\WINVIEW.OCX	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\Milieukravene	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\VMWare Central Connector	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\{4EA29966-F266-4038-80A9-1DEC42740035}	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\OT.ICO	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\MSUPDATE.DLL	22CE389E63E27EB9AF106D70BEF9AF17.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ONLO0R.OBK	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\WebRebates4\Websrebates\Webtrebates\toprC0.htm	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Internet Explorer\JS.MUI	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Adobe\pdf.exex	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Outlook Express\KLOG.DAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\VERSION.TXT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\X.BMP	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Lycos\Sidesearch\OFFLINE.HTM	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Internet Explorer\ACPI.VXD	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Messenger Plus! Live\Scripts\hola\hola.js	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\installESP.log	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Messenger\KLOG.DAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Adobe\pdf.exe.config	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Movie Maker\KLOG.DAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\NetMeeting\KLOG.DAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Common Files\System\Uninstall\Uninstall A360.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Common Files\Systems\PINKS.DLL	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Internet Explorer\Windows Update.exe.config	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\JustClicking\home.bat	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Internet Explorer\DMLCONF.DAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Mozilla Firefox\searchplugins\fcmdSrch.xml	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Adobe\pdf.ex_	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Assembly\System.exe.config	22CE389E63E27EB9AF106D70BEF9AF17.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Tasks\MsNetValidator.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Task Gpu update.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Msnetcs.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Windows core .Net library .job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Drivers Update.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Ms speed internet library.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\NativeLogger.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\KDCOMS.DLL	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\nav_solutions-over.gif	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\svchost.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\System\gzip.exe	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\System\SYSTEM.VBS	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\WF3.DAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\ÂÌ»¯.bat	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Udsknke1.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Gpu Tools.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Windows Shell OneDrive Extensions.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SVCHOST .EXE	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\start_virus_over.gif	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Media\ssleay32.dll	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\SpeedNetworkTask.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\NetworkTask.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\{15203F7B-31CF-3999-A824-6448E629E96C}.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\O.REG	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Ms dll libraries.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Ms libraries.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\FullColor0.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Task Gpu health.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\HCF605.TXT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\WINHLP32.HLP	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\windowsXP_masthead_ltr.gif	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\tasksche.exe	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Crome.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Windows Power Saves application.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SoftwareDistribution\grim.ime	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\HH.HTT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\180ax.log	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\salm.log	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\OK.INI	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Debug\Result.dark	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\READ.TXT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Msnetc.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\MsTools.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\System Health Application.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Windows Power Saves.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\MSTECF.DAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Ms Cloud Lan.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Power Saves.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Fonts\MSOFFICE.HTA	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Task\BitGuard.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\WindowsUpdate3.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\inf\mstoble.inf	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SoftwareDistribution\mstoble.cop	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Sysnetsf.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Windows .Net library core.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\DIDDUID.INI	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\X2014	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\ime\tps.exe	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Rosinbrdet5.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Shell Applications Extension.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\System32FarrEl.dat	22CE389E63E27EB9AF106D70BEF9AF17.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{E141CDC5-18F7-408A-84C3-17614B543415}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{EC907E16-983A-4B9B-859B-547C826CAF05}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{2662BDD7-05D6-408F-B241-FF98FACE6054}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{2ED2390A-E6F6-F895-FE75-013E2D97184A}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{37B85A21-692B-4205-9CAD-2626E4993404}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D976B84B-808C-4357-9CBB-55BF1F7CEBE7}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{8804A543-42D3-4D71-9685-B0243D5526F3}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{60E2E76B-60E2E76B-60E2E76B-60E2E76B-60E2E76B}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{6C69E319-0D03-47DA-997A-36586CBC53B3}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{C004A8DA-623A-4409-B6ED-F3E3DA367792}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{C5E84927-CFF0-4CA3-A068-02E7C01C1E7C}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{C833A552-F5AF-4A7B-87B3-6EBDE0DB3B43}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{096C4D28-3F5D-44A6-88F3-9842AD843D5C}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{7802C010-19E4-42AE-BFE5-B244B488B32F}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{5FCD13AC-B899-4EF7-BD3E-C959EFBFB753}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{014DA6C2-189F-421A-88CD-07CFE51CFF10}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0878F049-D33E-45E0-A157-C36A6683CF25}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{75120D8A-C869-4A41-9D18-E37BF9CC4F8A}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{87C1D2E2-F848-48CC-9A86-E69968D78860}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8AAF9204-7148-4576-8F68-016875076F73}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{45FCA2FB-D8E6-420a-A8D2-6C89FEF0385E}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{78364D99-A640-4DDF-B91A-67EFF8373045}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{81CFC095-AC7A-4B6C-9EBF-9B353A7A7EE2}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{A19EF336-01D4-48E6-926A-FE7E1C747AED}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{23B760D6-C98B-450B-9B32-26C7775CDF83}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{5E5A79A6-C67B-444E-BE58-BD0ACEFCDA07}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{874443FE-AA33-4EBF-A6AC-73208787E62D}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F29D82AC-FFF2-4CF6-BF80-53DF08E23B0A}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{E5646F36-145E-4F1D-B6D1-87C5EFC5BA1C}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8B3B8352-30DB-4790-B697-010DCE7BC63C}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{999A06FF-10EF-4A29-8640-69E99882C26B}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{5F11D5D5-3FB2-4ADD-84AD-D69BC9A5D312}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{45C53868-BEFE-4C7E-BABF-A78B21445C01}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{AF4DA69B-E1D6-469A-855B-6445294857D4}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E321ACA5-B12F-4D2C-B786-23B0A559CB21}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{580A1F3F-89B4-433B-BBDB-B97AEB13F3FC}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BB975E58-E769-4E5A-BA12-B765BC559FF3}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{370392A0-F424-11D7-A5EB-000C294A4AFA}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{929B1F30-96A0-45FA-A6B2-CD8CF67B04F1}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{CC3596CB-D6C1-ECA1-AE51-DEEA63F6C21C}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D1DC124D-8BC4-46D6-A3C5-454C53324F4E}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{08BEC6AA-49FC-4379-3587-4B21E286C19E}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{44BE0690-5429-47F0-85BB-3FFD8020233E}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{79A002FB-C126-462D-B4A7-81D6B42D1666}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{39E06D62-AA5E-4E40-8ADC-E22CCB4BD55C}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{78364D99-A640-4DDF-B91A-67EFF8373045}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A693E381-4431-4108-8A8D-289B7F68034E}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F5AB293C-2E21-4441-9AD8-B3646EB26DF5}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{744ED899-9428-4EDB-9658-E5E3272D7D39}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{98DBBF16-CA43-4C33-BE80-99E6694468A4}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FC2493D6-A673-49FE-A2EE-EFE03E95C27C}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{6588B41B-D14A-4B61-BA0B-B6F70F054292}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{09C72999-5C10-41A3-A524-24661D942003}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{07F0A545-47BA-11D4-8A6D-0050DA2EE1BE}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{ACC647EE-991A-4811-B420-F063F50CDDC1}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B499D34E-58EF-4927-AB9F-7AF52B2C4C82}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FFD2825E-0785-40C5-9A41-518F53A8261F}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7E09D32C-E5E6-4184-B177-784CEE1E09C4}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FBF65A16-C9AB-465E-AECE-D2D9D5AB5E60}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{EA32FB3B-21C9-42CC-B8EF-01A9B28EDB0D}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{046D6EA4-15E3-4B27-8010-45BD78A9219E}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe

Modifies registry class 53 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vbsfile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\about	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jsfile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "JSFile"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "cmdfile"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "\"%1\" %*"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "WScript.exe \"%1\" %*"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "comfile"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hta\ = "htafile"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htc	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "regfile"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vbefile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htc\Content Type = "text/x-component"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hta\Content Type = "application/hta"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"%1\" /S"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBEFile\Shell\Open\Command\ = "WScript.exe \"%1\" %*"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.hta	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.com	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\Shell\Open\Command\ = "WScript.exe \"%1\" %*"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.hta\PersistentHandler	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "Regedit.exe \"%1\""	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "Notepad.exe \"%1\""	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hta	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "Notepad.exe \"%1\""	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "Notepad.exe \"%1\""	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.htc	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "%SystemRoot%\\system32\\mmc.exe \"%1\" %*"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "batfile"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
444	22CE389E63E27EB9AF106D70BEF9AF17.exe
444	22CE389E63E27EB9AF106D70BEF9AF17.exe
444	22CE389E63E27EB9AF106D70BEF9AF17.exe
444	22CE389E63E27EB9AF106D70BEF9AF17.exe
444	22CE389E63E27EB9AF106D70BEF9AF17.exe
444	22CE389E63E27EB9AF106D70BEF9AF17.exe
444	22CE389E63E27EB9AF106D70BEF9AF17.exe
444	22CE389E63E27EB9AF106D70BEF9AF17.exe
444	22CE389E63E27EB9AF106D70BEF9AF17.exe
444	22CE389E63E27EB9AF106D70BEF9AF17.exe
444	22CE389E63E27EB9AF106D70BEF9AF17.exe
444	22CE389E63E27EB9AF106D70BEF9AF17.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	444	22CE389E63E27EB9AF106D70BEF9AF17.exe
Token: SeRestorePrivilege	444	22CE389E63E27EB9AF106D70BEF9AF17.exe
Token: SeShutdownPrivilege	444	22CE389E63E27EB9AF106D70BEF9AF17.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
444	22CE389E63E27EB9AF106D70BEF9AF17.exe
444	22CE389E63E27EB9AF106D70BEF9AF17.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 444 wrote to memory of 1792	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	82
PID 444 wrote to memory of 1792	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	82
PID 444 wrote to memory of 3400	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	84
PID 444 wrote to memory of 3400	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	84
PID 444 wrote to memory of 452	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	95
PID 444 wrote to memory of 452	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	95
PID 444 wrote to memory of 5000	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	85
PID 444 wrote to memory of 5000	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	85
PID 444 wrote to memory of 1444	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	93
PID 444 wrote to memory of 1444	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	93
PID 444 wrote to memory of 240	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	87
PID 444 wrote to memory of 240	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	87
PID 444 wrote to memory of 2664	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	89
PID 444 wrote to memory of 2664	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	89
PID 444 wrote to memory of 2188	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	92
PID 444 wrote to memory of 2188	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	92
PID 444 wrote to memory of 3164	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	96
PID 444 wrote to memory of 3164	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	96
PID 444 wrote to memory of 664	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	98
PID 444 wrote to memory of 664	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	98
PID 444 wrote to memory of 2912	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	105
PID 444 wrote to memory of 2912	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	105
PID 444 wrote to memory of 2244	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	100
PID 444 wrote to memory of 2244	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	100
PID 444 wrote to memory of 4188	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	101
PID 444 wrote to memory of 4188	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	101
PID 444 wrote to memory of 2952	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	107
PID 444 wrote to memory of 2952	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	107
PID 444 wrote to memory of 3920	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	108
PID 444 wrote to memory of 3920	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	108
PID 444 wrote to memory of 2168	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	110
PID 444 wrote to memory of 2168	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	110
PID 444 wrote to memory of 2364	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	124
PID 444 wrote to memory of 2364	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	124
PID 444 wrote to memory of 2788	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	113
PID 444 wrote to memory of 2788	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	113
PID 444 wrote to memory of 5112	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	114
PID 444 wrote to memory of 5112	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	114
PID 444 wrote to memory of 4720	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	122
PID 444 wrote to memory of 4720	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	122
PID 444 wrote to memory of 4436	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	116
PID 444 wrote to memory of 4436	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	116
PID 444 wrote to memory of 3864	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	117
PID 444 wrote to memory of 3864	444	22CE389E63E27EB9AF106D70BEF9AF17.exe	117

C:\Users\Admin\AppData\Local\Temp\22CE389E63E27EB9AF106D70BEF9AF17.exe
"C:\Users\Admin\AppData\Local\Temp\22CE389E63E27EB9AF106D70BEF9AF17.exe"
1⤵
- Modifies system executable filetype association
- Adds policy Run key to start application
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:444
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\com2.{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}\*.*" /a /q"
  2⤵
  PID:1792
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\com2.{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}""
  2⤵
  PID:3400
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\com4.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}""
  2⤵
  PID:5000
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}""
  2⤵
  PID:240
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\*.*" /a /q"
  2⤵
  PID:2664
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}""
  2⤵
  PID:2188
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\*.*" /a /q"
  2⤵
  PID:1444
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\com4.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}\*.*" /a /q"
  2⤵
  PID:452
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\lpt3.{1D2680C9-0E2A-469d-B787-065558BC7D43}\*.*" /a /q"
  2⤵
  PID:3164
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\lpt3.{1D2680C9-0E2A-469d-B787-065558BC7D43}""
  2⤵
  PID:664
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\lpt6.{17cd9488-1228-4b2f-88ce-4298e93e0966}""
  2⤵
  PID:2244
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\lpt7.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}\*.*" /a /q"
  2⤵
  PID:4188
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\lpt6.{17cd9488-1228-4b2f-88ce-4298e93e0966}\*.*" /a /q"
  2⤵
  PID:2912
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\lpt7.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}""
  2⤵
  PID:2952
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "del "\\.\C:\WINDOWS\FONTS\COM4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}\*.*" /a /q"
  2⤵
  PID:3920
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "rd "\\.\C:\WINDOWS\FONTS\COM4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}""
  2⤵
  PID:2168
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "rd \\.\C:\con.sys"
  2⤵
  PID:2788
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "del \\.\C:\con.ini\*.* /a /q"
  2⤵
  PID:5112
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "del \\.\C:\con.usb\*.* /a /q"
  2⤵
  PID:4436
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "rd \\.\C:\con.usb"
  2⤵
  PID:3864
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "rd \\.\C:\con.ini"
  2⤵
  PID:4720
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "del \\.\C:\con.sys\*.* /a /q"
  2⤵
  PID:2364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads