Analysis
-
max time kernel
151s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
06-11-2022 05:30
Static task
static1
Behavioral task
behavioral1
Sample
HEUR-Trojan-Ransom.Win32.PornoAsset.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
HEUR-Trojan-Ransom.Win32.PornoAsset.exe
Resource
win10v2004-20220812-en
General
-
Target
HEUR-Trojan-Ransom.Win32.PornoAsset.exe
-
Size
627KB
-
MD5
6528aeb4bc362743ae95a66ccfbdaf8b
-
SHA1
1f9397b14eed25d1d138ec6259f95c8646e8cb92
-
SHA256
1c262831ed06eee457cc053a903ac16bc5dfbc11386bf89f1caeedb7d02a3739
-
SHA512
62e63ae6c8bf9bb93c26470da4f0b2c8ade6fad3d621bbd9c78a449c3caedafe971bbe105790a21cc5f66d0da47c7b4774e31aa1e37dd6ddde422557b694dc74
-
SSDEEP
12288:or3TTrym3e1k7weffYuKm5PScLLgMK1NJbChWI:oT/X3vMeXYuKuSsLg31NNPI
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows 
NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" 
dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe dxnote32.exe" dxnote32.exe -
Executes dropped EXE 64 IoCs
pid Process 1316 dxnote32.exe 896 dxnote32.exe 1780 dxnote32.exe 796 dxnote32.exe 972 dxnote32.exe 520 dxnote32.exe 1616 dxnote32.exe 1192 dxnote32.exe 1188 dxnote32.exe 1140 dxnote32.exe 1728 dxnote32.exe 1708 dxnote32.exe 1776 dxnote32.exe 976 dxnote32.exe 1880 dxnote32.exe 304 dxnote32.exe 1672 dxnote32.exe 1940 dxnote32.exe 1612 dxnote32.exe 1720 dxnote32.exe 1312 dxnote32.exe 1744 dxnote32.exe 2032 dxnote32.exe 1692 dxnote32.exe 1408 dxnote32.exe 852 dxnote32.exe 1532 dxnote32.exe 756 dxnote32.exe 560 dxnote32.exe 1704 dxnote32.exe 1308 dxnote32.exe 1756 dxnote32.exe 1604 dxnote32.exe 892 dxnote32.exe 944 dxnote32.exe 556 dxnote32.exe 108 dxnote32.exe 364 dxnote32.exe 808 dxnote32.exe 1892 dxnote32.exe 616 dxnote32.exe 1588 dxnote32.exe 1732 dxnote32.exe 1996 dxnote32.exe 1900 dxnote32.exe 268 dxnote32.exe 1092 dxnote32.exe 1224 dxnote32.exe 956 dxnote32.exe 2000 dxnote32.exe 1476 dxnote32.exe 1516 dxnote32.exe 936 dxnote32.exe 1404 dxnote32.exe 1624 dxnote32.exe 824 dxnote32.exe 1440 dxnote32.exe 1908 dxnote32.exe 884 dxnote32.exe 1148 dxnote32.exe 1340 dxnote32.exe 820 dxnote32.exe 1928 dxnote32.exe 2016 dxnote32.exe -
Loads dropped DLL 64 IoCs
pid Process 1556 HEUR-Trojan-Ransom.Win32.PornoAsset.exe 1556 HEUR-Trojan-Ransom.Win32.PornoAsset.exe 1316 dxnote32.exe 1316 dxnote32.exe 896 dxnote32.exe 896 dxnote32.exe 1780 dxnote32.exe 1780 dxnote32.exe 796 dxnote32.exe 796 dxnote32.exe 972 dxnote32.exe 972 dxnote32.exe 520 dxnote32.exe 520 dxnote32.exe 1616 dxnote32.exe 1616 dxnote32.exe 1192 dxnote32.exe 1192 dxnote32.exe 1188 dxnote32.exe 1188 dxnote32.exe 1140 dxnote32.exe 1140 dxnote32.exe 1728 dxnote32.exe 1728 dxnote32.exe 1708 dxnote32.exe 1708 dxnote32.exe 1776 dxnote32.exe 1776 dxnote32.exe 976 dxnote32.exe 976 dxnote32.exe 1880 dxnote32.exe 1880 dxnote32.exe 304 dxnote32.exe 304 dxnote32.exe 1672 dxnote32.exe 1672 dxnote32.exe 1940 dxnote32.exe 1940 dxnote32.exe 1612 dxnote32.exe 1612 dxnote32.exe 1720 dxnote32.exe 1720 dxnote32.exe 1312 dxnote32.exe 1312 dxnote32.exe 1744 dxnote32.exe 1744 dxnote32.exe 2032 dxnote32.exe 2032 dxnote32.exe 1692 dxnote32.exe 1692 dxnote32.exe 1408 dxnote32.exe 1408 dxnote32.exe 852 dxnote32.exe 852 dxnote32.exe 1532 dxnote32.exe 1532 dxnote32.exe 756 dxnote32.exe 756 dxnote32.exe 560 dxnote32.exe 560 dxnote32.exe 1704 dxnote32.exe 1704 dxnote32.exe 1308 dxnote32.exe 1308 dxnote32.exe -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = 
"C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 
= "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dxnote32 = "C:\\Windows\\system32\\dxnote32.exe" dxnote32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File created C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File created C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File created C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File created C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File created C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File created C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File created C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File created C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File created C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for 
modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File created C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File created C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File created C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File created C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File created C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File created C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File created C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File created C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File created C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File created C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File created C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File created C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification 
C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File created C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File created C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File created C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe File opened for modification C:\Windows\SysWOW64\dxnote32.exe dxnote32.exe -
Enumerates physical storage devices 1 TTPs
The sample attempts to interact with connected storage and optical drives; enumerating attached volumes in this way is typical of ransomware locating data to encrypt, and is consistent with the sample's Trojan-Ransom detection name.
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1556 wrote to memory of 1316 1556 HEUR-Trojan-Ransom.Win32.PornoAsset.exe 27 PID 1556 wrote to memory of 1316 1556 HEUR-Trojan-Ransom.Win32.PornoAsset.exe 27 PID 1556 wrote to memory of 1316 1556 HEUR-Trojan-Ransom.Win32.PornoAsset.exe 27 PID 1556 wrote to memory of 1316 1556 HEUR-Trojan-Ransom.Win32.PornoAsset.exe 27 PID 1316 wrote to memory of 896 1316 dxnote32.exe 28 PID 1316 wrote to memory of 896 1316 dxnote32.exe 28 PID 1316 wrote to memory of 896 1316 dxnote32.exe 28 PID 1316 wrote to memory of 896 1316 dxnote32.exe 28 PID 896 wrote to memory of 1780 896 dxnote32.exe 29 PID 896 wrote to memory of 1780 896 dxnote32.exe 29 PID 896 wrote to memory of 1780 896 dxnote32.exe 29 PID 896 wrote to memory of 1780 896 dxnote32.exe 29 PID 1780 wrote to memory of 796 1780 dxnote32.exe 30 PID 1780 wrote to memory of 796 1780 dxnote32.exe 30 PID 1780 wrote to memory of 796 1780 dxnote32.exe 30 PID 1780 wrote to memory of 796 1780 dxnote32.exe 30 PID 796 wrote to memory of 972 796 dxnote32.exe 31 PID 796 wrote to memory of 972 796 dxnote32.exe 31 PID 796 wrote to memory of 972 796 dxnote32.exe 31 PID 796 wrote to memory of 972 796 dxnote32.exe 31 PID 972 wrote to memory of 520 972 dxnote32.exe 32 PID 972 wrote to memory of 520 972 dxnote32.exe 32 PID 972 wrote to memory of 520 972 dxnote32.exe 32 PID 972 wrote to memory of 520 972 dxnote32.exe 32 PID 520 wrote to memory of 1616 520 dxnote32.exe 33 PID 520 wrote to memory of 1616 520 dxnote32.exe 33 PID 520 wrote to memory of 1616 520 dxnote32.exe 33 PID 520 wrote to memory of 1616 520 dxnote32.exe 33 PID 1616 wrote to memory of 1192 1616 dxnote32.exe 34 PID 1616 wrote to memory of 1192 1616 dxnote32.exe 34 PID 1616 wrote to memory of 1192 1616 dxnote32.exe 34 PID 1616 wrote to memory of 1192 1616 dxnote32.exe 34 PID 1192 wrote to memory of 1188 1192 dxnote32.exe 35 PID 1192 wrote to memory of 1188 1192 dxnote32.exe 35 PID 1192 wrote to memory of 1188 1192 dxnote32.exe 35 PID 1192 
wrote to memory of 1188 1192 dxnote32.exe 35 PID 1188 wrote to memory of 1140 1188 dxnote32.exe 36 PID 1188 wrote to memory of 1140 1188 dxnote32.exe 36 PID 1188 wrote to memory of 1140 1188 dxnote32.exe 36 PID 1188 wrote to memory of 1140 1188 dxnote32.exe 36 PID 1140 wrote to memory of 1728 1140 dxnote32.exe 37 PID 1140 wrote to memory of 1728 1140 dxnote32.exe 37 PID 1140 wrote to memory of 1728 1140 dxnote32.exe 37 PID 1140 wrote to memory of 1728 1140 dxnote32.exe 37 PID 1728 wrote to memory of 1708 1728 dxnote32.exe 38 PID 1728 wrote to memory of 1708 1728 dxnote32.exe 38 PID 1728 wrote to memory of 1708 1728 dxnote32.exe 38 PID 1728 wrote to memory of 1708 1728 dxnote32.exe 38 PID 1708 wrote to memory of 1776 1708 dxnote32.exe 39 PID 1708 wrote to memory of 1776 1708 dxnote32.exe 39 PID 1708 wrote to memory of 1776 1708 dxnote32.exe 39 PID 1708 wrote to memory of 1776 1708 dxnote32.exe 39 PID 1776 wrote to memory of 976 1776 dxnote32.exe 40 PID 1776 wrote to memory of 976 1776 dxnote32.exe 40 PID 1776 wrote to memory of 976 1776 dxnote32.exe 40 PID 1776 wrote to memory of 976 1776 dxnote32.exe 40 PID 976 wrote to memory of 1880 976 dxnote32.exe 41 PID 976 wrote to memory of 1880 976 dxnote32.exe 41 PID 976 wrote to memory of 1880 976 dxnote32.exe 41 PID 976 wrote to memory of 1880 976 dxnote32.exe 41 PID 1880 wrote to memory of 304 1880 dxnote32.exe 42 PID 1880 wrote to memory of 304 1880 dxnote32.exe 42 PID 1880 wrote to memory of 304 1880 dxnote32.exe 42 PID 1880 wrote to memory of 304 1880 dxnote32.exe 42
Processes
-
C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.Win32.PornoAsset.exe "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.Win32.PornoAsset.exe" 1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\dxnote32.exe "C:\Windows\system32\dxnote32.exe" 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\dxnote32.exe "C:\Windows\system32\dxnote32.exe" 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Windows\SysWOW64\dxnote32.exe "C:\Windows\system32\dxnote32.exe" 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\dxnote32.exe "C:\Windows\system32\dxnote32.exe" 5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:520 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"11⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"14⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:304 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1940 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"20⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1720 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1312 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1744 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2032 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1408 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:852 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"28⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:756 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:560 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"31⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1308 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"33⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"34⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1604 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"35⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"36⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
PID:944 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"37⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"38⤵
- Executes dropped EXE
PID:108 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"39⤵
- Executes dropped EXE
PID:364 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:808 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"41⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1892 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"42⤵
- Executes dropped EXE
PID:616 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"43⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"44⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1732 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"45⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"46⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1900 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"47⤵
- Executes dropped EXE
PID:268 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"48⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"49⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"50⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"51⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"52⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in System32 directory
PID:1476 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"53⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"54⤵
- Executes dropped EXE
- Adds Run key to start application
PID:936 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"55⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"56⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1624 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"57⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"58⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"59⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"60⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"61⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1148 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1340 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"63⤵
- Executes dropped EXE
- Adds Run key to start application
PID:820 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"64⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"65⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"66⤵
- Adds Run key to start application
PID:1548 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"67⤵
- Modifies WinLogon for persistence
PID:1572 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"68⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:1028 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"69⤵PID:924
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"70⤵PID:948
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"71⤵PID:1380
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"72⤵
- Drops file in System32 directory
PID:600 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"73⤵
- Adds Run key to start application
PID:1248 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"74⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2040 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"75⤵
- Modifies WinLogon for persistence
PID:1800 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"76⤵PID:1648
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"77⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
PID:1596 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"78⤵
- Modifies WinLogon for persistence
PID:1536 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"79⤵
- Drops file in System32 directory
PID:792 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"80⤵PID:1352
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"81⤵PID:2004
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"82⤵PID:1164
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"83⤵PID:1964
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"84⤵PID:1364
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"85⤵PID:684
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"86⤵
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"87⤵PID:468
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"88⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
PID:1772 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"89⤵
- Adds Run key to start application
PID:296 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"90⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:624 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"91⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:788 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"92⤵PID:1740
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"93⤵PID:1344
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"94⤵
- Adds Run key to start application
PID:1528 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"95⤵PID:580
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"96⤵PID:1100
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"97⤵
- Adds Run key to start application
PID:1564 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"98⤵PID:1676
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"99⤵
- Modifies WinLogon for persistence
PID:1348 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"100⤵PID:1876
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"101⤵PID:1212
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"102⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:1296 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"103⤵PID:284
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"104⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
PID:1088 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"105⤵
- Drops file in System32 directory
PID:1992 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"106⤵
- Modifies WinLogon for persistence
PID:1064 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"107⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:864 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"108⤵PID:1368
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"109⤵PID:1544
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"110⤵PID:1688
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"111⤵PID:1820
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"112⤵PID:1576
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"113⤵
- Adds Run key to start application
PID:1600 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"114⤵
- Drops file in System32 directory
PID:1320 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"115⤵
- Modifies WinLogon for persistence
PID:920 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"116⤵PID:1632
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"117⤵
- Adds Run key to start application
PID:568 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"118⤵PID:1132
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"119⤵PID:996
-
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"120⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
PID:1240 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"121⤵
- Adds Run key to start application
PID:672 -
C:\Windows\SysWOW64\dxnote32.exe"C:\Windows\system32\dxnote32.exe"122⤵
- Adds Run key to start application
PID:1204