Malware Analysis Report

2024-11-15 08:48

Sample ID 220907-c1fabsahd3
Target Bws agreement 2020 (52386).zip.7z
SHA256 40de705a10469be373a15ef6ea0a0c8d3ac6aba2e0467ecf19d46fea97c2ce87
Tags
gootloader loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

40de705a10469be373a15ef6ea0a0c8d3ac6aba2e0467ecf19d46fea97c2ce87

Threat Level: Known bad

The file Bws agreement 2020 (52386).zip.7z was found to be: Known bad.

Malicious Activity Summary

gootloader loader

GootLoader

Blocklisted process makes network request

Drops file in System32 directory

Drops file in Windows directory

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-07 02:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-07 02:32

Reported

2022-09-07 02:39

Platform

win10-20220812-en

Max time kernel

415s

Max time network

405s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Bws_agreement_2020 (cff).js"

Signatures

GootLoader

loader gootloader

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\system32\SearchProtocolHost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\system32\SearchIndexer.exe N/A
File created C:\Windows\rescache\_merged\4183903823\810424605.pri C:\Windows\system32\taskmgr.exe N/A
File created C:\Windows\rescache\_merged\1601268389\3877292338.pri C:\Windows\system32\taskmgr.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp\UserChoice C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice\Hash = "5e7DVUzNNSI=" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TTS C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.ADTS = "1" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a6b029873c2d801 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice\ProgId = "AppXqj98qxeaynz6dv4459ayz6bnqxbyaqcs" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.m4a = "1" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice\Hash = "RdtaXaNPHfE=" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fcf9a13073c2d801 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice\ProgId = "AppX6eg8h5sxqq90pv53845wmnbewywdqq5h" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a5d2f0d73c2d801 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice\Hash = "jcthARrsAVg=" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice\ProgId = "AppXqj98qxeaynz6dv4459ayz6bnqxbyaqcs" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.pdf = "1" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2\UserChoice\ProgId = "AppX6eg8h5sxqq90pv53845wmnbewywdqq5h" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice\Hash = "IpG0Qt4IjF0=" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000047998d9773c2d801 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice\Hash = "jpCBBDT/BCE=" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.gif = "1" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.mpv2 = "1" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eadfc51273c2d801 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wdp\UserChoice C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice\Hash = "vcp/wCI4ek4=" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.dib = "1" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f83ed1373c2d801 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice\Hash = "gxqIVrOf8VU=" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.TTS = "1" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.cr2 = "1" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A (25 identical rows)
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (36 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (36 identical rows)

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Bws_agreement_2020 (cff).js"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 496 500 696 8192 688

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 496 500 696 8192 688

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

Country Destination Domain Proto
IE 13.69.239.72:443 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 www.lovlr.com udp
DK 77.111.240.6:443 www.lovlr.com tcp
US 8.8.8.8:53 www.lukeamiller.net udp
US 69.163.163.127:443 www.lukeamiller.net tcp

Files
