Analysis

  max time kernel:   130s
  max time network:  165s
  platform:          windows10-2004_x64
  resource:          win10v2004-20220812-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         25-11-2022 21:11

  The platform and resource above, and the memory YARA hits further down, refer to the Windows 10 run (behavioral2).

Behavioral task: behavioral1
  Sample:    c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe
  Resource:  win7-20220812-en

Behavioral task: behavioral2
  Sample:    c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe
  Resource:  win10v2004-20220812-en

General

  Target:  c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe
  Size:    1.4MB
  MD5:     8901e13e8e01a6f9223c78a903d8fb46
  SHA1:    a015f096d431e42e0df67b21c4eabe4ebf2f476a
  SHA256:  c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4
  SHA512:  f7ae948f33fb2270c5ea5bd150c039592edb8d1511dce1077739f17b4f91c6b43c9075a71f15248f7f94f0c159be3e5dcd189c93b7bcbc99847a8185f374ff08
  SSDEEP:  24576:q9WQitvyUilzOUxaOWk01G4fbu/F41jen6KXYzkEEknJS7DFN4L3GmPA705sCvsF:q9WDAUozOUxaOyGau6I6WPDvlAAoefk1
Malware Config
  (none shown in this report)

Signatures
Detected Xorist Ransomware (2 IoCs)
  resource                                                                        yara_rule
  behavioral2/memory/4468-132-0x0000000000400000-0x0000000000560000-memory.dmp    family_xorist
  behavioral2/memory/4468-133-0x0000000000400000-0x0000000000560000-memory.dmp    family_xorist

  Both hits are on the same region of PID 4468: 0x400000-0x560000, the mapped image of the sample itself (0x160000 bytes, consistent with the 1.4MB file size), not on injected or unpacked memory elsewhere in the process. The family rule therefore matches the on-disk binary, so the same rule can be applied to the file without a sandbox run.
Modifies firewall policy service (2 TTPs, 4 IoCs)
  Process: c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe
  description      ioc
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe:*:enabled:@shell32.dll,-1"
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications

  The value uses the legacy per-profile exception-list format (path:*:enabled:@shell32.dll,-1): the sample registers its own %TEMP% path as an allowed application under the Standard profile. The three "Key created" entries show the StandardProfile subtree did not exist on the image and was created by the sample, which is itself a useful detection: a user-land process creating FirewallPolicy\StandardProfile\AuthorizedApplications\List from scratch is rare on a Windows 10 host.
Xorist Ransomware
  Xorist is a ransomware family produced with a widely circulated builder; it has been seen in the wild since around 2010. Builds share the traits visible in this report: a plain-text ransom note dropped into every directory they touch, a new file class registered for the encrypted extension (here PRPASCBHJSZLMOM, described as "CRYPTED!") and a copy of the payload left in %TEMP% with autorun persistence.
Drops file in Drivers directory (1 IoCs)
  Process: c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe
  File opened for modification  C:\Windows\system32\DRIVERS\ETC\HOSTS

  This is the hosts file, not a driver. The report records only that it was opened for write; it does not show what was written, so diff the file against a known-good copy during triage rather than assuming it was merely encrypted alongside other files.
Drops startup file (1 IoCs)
  Process: c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt

  Placing the ransom note in the per-user Startup folder makes Windows open it in the default text editor at every logon. The note is a .txt, so this is a display mechanism, not a code-execution one; the executable persistence is the Run key below.
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

  No IoCs are listed under this signature in the report; it is a heuristic hit. Given that the sample walks Program Files, Windows and the user profile opening files for modification, the browser profile reads are more plausibly the encryptor traversing those directories than a credential-theft routine.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe
  description      ioc
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w8i9eHkHOwWwQlX.exe"
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run

  The value name "Alcmeter" points at a second executable in %TEMP%, w8i9eHkHOwWwQlX.exe, which is also the open handler registered for the PRPASCBHJSZLMOM file class (see "Modifies registry class" below). The WOW6432Node path shows the sample is a 32-bit binary writing through the registry redirector, consistent with the arch:x86 resource tag. The hash of w8i9eHkHOwWwQlX.exe is not given on this page; it should be collected from the dropped-files view before concluding whether it is a copy of the sample or a distinct payload.
Drops file in Program Files directory (64 IoCs)
  Process: c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe

  File created (ransom note HOW TO DECRYPT FILES.txt) in:
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\tr-tr
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-ae
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nb-no
    C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES
    C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets
    C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no
    C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002
    C:\Program Files\Common Files\System\ado
    C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white
    C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges
    C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lv-LV\View3d
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-il
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pt-br
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se
    C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe
    C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe

  File opened for modification:
    C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt
    C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.scale-100.png
    C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-20_altform-lightunplated.png
    C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageLargeTile.scale-200.png
    C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_LargeTile.scale-200.png
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations_retina.png
    C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-256_altform-unplated.png
    C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-40.png
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\cstm_brand_preview2x.png
    C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-400.png
    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-60_altform-lightunplated.png
    C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\MoviesAnywhereLogoWithTextDark.scale-125.png
    C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-256_altform-unplated.png
    C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_contrast-black.png
    C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-48.png
    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Dark.scale-100.png
    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarMediumTile.scale-200.png
    C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-125_contrast-white.png
    C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-100.png
    C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-40.png
    C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-white_scale-100.png
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\measure_poster.jpg
    C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable.png
    C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationControlFrontIndicatorHover.png
    C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.scale-125_contrast-white.png
    C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_altform-unplated_contrast-white.png
    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Doughboy.scale-250.png
    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Outlook.scale-250.png
    C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsMedTile.scale-200.png
    C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-black_scale-100.png
    C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SplashScreen.scale-200.png
    C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-16_altform-unplated_contrast-white.png
    C:\Program Files\Microsoft Office\root\Office16\MEDIA\BOMB.WAV
    C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\microsoft-logo-white.png
    C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\LargeTile.scale-100_contrast-black.png
    C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-30_altform-unplated.png
    C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\calls_emptystate_v3.png
    C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png
    C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-64_altform-unplated.png
    C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp3.scale-200.png
    C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-30_contrast-white.png
    C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchSplashScreen.scale-125_contrast-white.png
    C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_scale-200.png
    C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-200_contrast-white.png
    C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\SmallTile.scale-100.png
    C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\SmallTile.scale-100_contrast-white.png
    C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-100_contrast-black.png

  The report caps this list at 64 entries, so it is a sample of the traversal, not the full set. Two things are still visible: the note is written into every directory the encryptor visits (17 of the 64 entries here), and the files opened for modification are Store-app PNG assets, a license text file, a JPEG and a WAV, i.e. the sample is not limited to user-document extensions and will also damage installed applications under Program Files, which running as the "Admin" user in this sandbox allowed.
Drops file in Windows directory (64 IoCs)
  Process: c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe

  All 64 entries are "File created" of the ransom note HOW TO DECRYPT FILES.txt, in:
    C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_MSIL\Microsoft.JScript.Resources\8.0.0.0_ja_b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Excel\15.0.0.0__71e9bce111e9429c
    C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\6.1.0.0_en_31bf3856ad364e35
    C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35
    C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089
    C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_de_31bf3856ad364e35
    C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_64\System.Web\2.0.0.0__b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities.Resources\2.0.0.0_it_b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities.Resources\2.0.0.0_ja_b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_ja_b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Tools.Outlook.v9.0\9.0.0.0__b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_en_31bf3856ad364e35
    C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_it_b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks.Resources\2.0.0.0_ja_b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities.Resources\2.0.0.0_de_b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_it_31bf3856ad364e35
    C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089
    C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35
    C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089
    C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine.Resources\2.0.0.0_fr_b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks.Resources\2.0.0.0_it_b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_fr_31bf3856ad364e35
    C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\1.0.0.0_en_31bf3856ad364e35
    C:\Windows\apppatch\en-US
    C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Graph\15.0.0.0__71e9bce111e9429c
    C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35
    C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\1.0.0.0_en_31bf3856ad364e35
    C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_ja_31bf3856ad364e35
    C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\6.1.0.0_fr_31bf3856ad364e35
    C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35
    C:\Windows\appcompat\Programs
    C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35
    C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\1.0.0.0_de_31bf3856ad364e35
    C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_ja_31bf3856ad364e35
    C:\Windows\apppatch\fr-FR
    C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine.Resources\2.0.0.0_de_b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\6.1.0.0_es_31bf3856ad364e35
    C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.PowerPoint\15.0.0.0__71e9bce111e9429c
    C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_it_31bf3856ad364e35
    C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_it_31bf3856ad364e35
    C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_MSIL\Microsoft.JScript.Resources\8.0.0.0_it_b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_de_31bf3856ad364e35
    C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_ja_31bf3856ad364e35
    C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_es_31bf3856ad364e35
    C:\Windows\apppatch
    C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine.Resources\2.0.0.0_es_b03f5f7f11d50a3a
    C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_de_b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine.Resources\2.0.0.0_ja_b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities.Resources\2.0.0.0_fr_b03f5f7f11d50a3a
    C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Tools.Word.v9.0\9.0.0.0__b03f5f7f11d50a3a

  These are all under C:\Windows\assembly (the .NET Global Assembly Cache) and C:\Windows\apppatch / appcompat, so the traversal does not skip the Windows directory. The list is again capped at 64 entries, and no "File opened for modification" entries appear in it, so whether the assemblies themselves were encrypted cannot be read from this page.
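The two file-system sections above show the pattern a detection engineer would key on: one process creates an identically named note in many unrelated directories while also opening files of several unrelated types for modification. The following Python is an added example that is not part of the sandbox report or the Xorist sample; it runs that heuristic over a constructed event list built from a subset of the paths on this page plus a hypothetical benign WINWORD.EXE save. The FileEvent shape, the thresholds and the WINWORD.EXE paths are assumptions.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class FileEvent:
    """One file-system event as a sandbox or EDR records it (constructed shape)."""
    process: str
    action: str   # "created" or "modified"
    path: str


# File names treated as ransom notes: the one dropped in this report.
NOTE_NAMES = {"how to decrypt files.txt"}


def summarize(events: list[FileEvent]) -> dict[str, dict]:
    """Per process: number of distinct directories that received a ransom note,
    and the sorted set of extensions of files it opened for modification."""
    note_dirs: dict[str, set[str]] = defaultdict(set)
    mod_exts: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        p = PureWindowsPath(ev.path)
        if ev.action == "created" and p.name.lower() in NOTE_NAMES:
            note_dirs[ev.process].add(str(p.parent).lower())
        elif ev.action == "modified":
            mod_exts[ev.process].add(p.suffix.lower())
    return {
        proc: {"note_dirs": len(note_dirs[proc]), "modified_exts": sorted(mod_exts[proc])}
        for proc in set(note_dirs) | set(mod_exts)
    }


def flag_ransomware(events: list[FileEvent], min_note_dirs: int = 5, min_exts: int = 3) -> list[str]:
    """Processes that both scatter the same note across many directories and modify
    files of several unrelated types. Either signal alone is weak (installers drop
    README files; editors touch many types); together they are a strong tell."""
    return sorted(
        proc for proc, s in summarize(events).items()
        if s["note_dirs"] >= min_note_dirs and len(s["modified_exts"]) >= min_exts
    )


MAL = "c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe"
NOTE = "HOW TO DECRYPT FILES.txt"
# Constructed sample: a subset of this report's file events plus a hypothetical
# WINWORD.EXE saving one document as a negative case.
SAMPLE_EVENTS = [
    FileEvent(MAL, "created", "C:\\Program Files\\VideoLAN\\VLC\\locale\\ta\\LC_MESSAGES\\" + NOTE),
    FileEvent(MAL, "created", "C:\\Program Files\\Common Files\\System\\ado\\" + NOTE),
    FileEvent(MAL, "created", "C:\\Program Files\\Microsoft Office\\root\\Office16\\FPA_FA000000011\\" + NOTE),
    FileEvent(MAL, "created", "C:\\Windows\\apppatch\\" + NOTE),
    FileEvent(MAL, "created", "C:\\Windows\\appcompat\\Programs\\" + NOTE),
    FileEvent(MAL, "created", "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" + NOTE),
    FileEvent(MAL, "created", "C:\\Windows\\apppatch\\" + NOTE),  # same directory again: counted once
    FileEvent(MAL, "modified", "C:\\Program Files\\Java\\jdk1.8.0_66\\jre\\THIRDPARTYLICENSEREADME-JAVAFX.txt"),
    FileEvent(MAL, "modified", "C:\\Program Files\\WindowsApps\\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\\Assets\\AppTiles\\AppIcon.targetsize-40.png"),
    FileEvent(MAL, "modified", "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\WebResources\\Resource0\\static\\js\\plugins\\ob-preview\\images\\themeless\\measure_poster.jpg"),
    FileEvent(MAL, "modified", "C:\\Program Files\\Microsoft Office\\root\\Office16\\MEDIA\\BOMB.WAV"),
    FileEvent("WINWORD.EXE", "modified", "C:\\Users\\Admin\\Documents\\report.docx"),
    FileEvent("WINWORD.EXE", "created", "C:\\Users\\Admin\\Documents\\~$report.docx"),
]

if __name__ == "__main__":
    print(flag_ransomware(SAMPLE_EVENTS))
```

Directory paths are lower-cased before counting because the same directory can appear with different casing in different events. The thresholds are deliberately conservative; on real telemetry, tune min_note_dirs against how many directories a legitimate installer writes its own README into.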
Enumerates system info in registry (2 TTPs, 2 IoCs)
  Process: SearchApp.exe
  description        ioc
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

  The process here is SearchApp.exe, the Windows search UI, not the sample. These BIOS reads are sandbox environment noise and should not be attributed to the ransomware when building detections from this report.
Modifies registry class 43 IoCs
Processes:
SearchApp.exe, c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "140" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2226" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "7999" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2659" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2659" | SearchApp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\shell\open\command | c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage | SearchApp.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei | SearchApp.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2719" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2226" | SearchApp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\ = "CRYPTED!" | c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\DefaultIcon | c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com | SearchApp.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com | SearchApp.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "173" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2226" | SearchApp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w8i9eHkHOwWwQlX.exe" | c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "7999" | SearchApp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" | SearchApp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2719" | SearchApp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "173" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "173" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2719" | SearchApp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.CryptoTorLocker2015!\ = "PRPASCBHJSZLMOM" | c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | SearchApp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\shell | c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\shell\open | c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\MuiCache | SearchApp.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "140" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "7999" | SearchApp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.CryptoTorLocker2015! | c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM | c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2659" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "140" | SearchApp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w8i9eHkHOwWwQlX.exe,0" | c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com | SearchApp.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe
pid | process
4468 | c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe
4468 | c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe
-
Suspicious behavior: MapViewOfSection 64 IoCs
Processes:
c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe
pid | process
4468 | c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe (the same row is recorded for all 64 events)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe
description | pid | process
Token: SeDebugPrivilege | 4468 | c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
SearchApp.exe
pid | process
4548 | SearchApp.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe
description | pid | process | target process | events
PID 4468 wrote to memory of 584 | 4468 | c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe | winlogon.exe | 6
PID 4468 wrote to memory of 668 | 4468 | c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe | lsass.exe | 6
PID 4468 wrote to memory of 768 | 4468 | c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe | fontdrvhost.exe | 6
PID 4468 wrote to memory of 776 | 4468 | c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe | fontdrvhost.exe | 6
PID 4468 wrote to memory of 784 | 4468 | c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe | svchost.exe | 6
PID 4468 wrote to memory of 892 | 4468 | c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe | svchost.exe | 6
PID 4468 wrote to memory of 940 | 4468 | c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe | svchost.exe | 6
PID 4468 wrote to memory of 1008 | 4468 | c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe | dwm.exe | 6
PID 4468 wrote to memory of 432 | 4468 | c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe | svchost.exe | 6
PID 4468 wrote to memory of 684 | 4468 | c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe | svchost.exe | 6
PID 4468 wrote to memory of 852 | 4468 | c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe | svchost.exe | 4
Processes
image | command line | level | PID
-
C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | 1 | PID:668
-
C:\Windows\system32\winlogon.exe | winlogon.exe | 1 | PID:584
-
C:\Windows\system32\dwm.exe | "dwm.exe" | 2 | PID:1008
-
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | 2 | PID:776
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM | 1 | PID:940
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS -p | 1 | PID:892
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p | 1 | PID:784
-
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | 2 | PID:3456
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | 2 | PID:3552
-
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | 2 | PID:4068
-
C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding | 2 | PID:3544
-
C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe | 2 | PID:2316
-
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | 2 | PID:4820
-
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | 2 | PID:3744
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | 2 | PID:3352
-
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | 2 | PID:3244
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | 2
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4548
-
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | 1 | PID:768
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | 1 | PID:432
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p | 1 | PID:852
-
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts | 1 | PID:684
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | 1 | PID:1144
-
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | 2 | PID:2416
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc | 1 | PID:1080
-
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService | 1 | PID:1064
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc | 1 | PID:1196
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt | 1 | PID:2656
-
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager | 1 | PID:5008
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | 1 | PID:3884
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc | 1 | PID:3896
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -s W32Time | 1 | PID:3680
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc | 1 | PID:4124
-
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc | 1 | PID:1524
-
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | 1 | PID:4572
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | 1 | PID:2948
-
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | 1 | PID:2424
-
C:\Users\Admin\AppData\Local\Temp\c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe | "C:\Users\Admin\AppData\Local\Temp\c1ff7936d3eb96ab174c4411bfb95ae7ba287e0a9abb8cd26002610b62318de4.exe" | 2
- Modifies firewall policy service
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4468
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService | 1 | PID:2680
-
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks | 1 | PID:2636
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer | 1 | PID:2612
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc | 1 | PID:2544
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service | 1 | PID:2536
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT | 1 | PID:2444
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent | 1 | PID:2428
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | 1 | PID:2328
-
C:\Windows\system32\sihost.exe | sihost.exe | 1 | PID:2308
-
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation | 1 | PID:2224
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p | 1 | PID:2160
-
C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | 1 | PID:2116
-
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc | 1 | PID:2040
-
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection | 1 | PID:2024
-
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | 1 | PID:1972
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache | 1 | PID:1964
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository | 1 | PID:1920
-
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm | 1 | PID:1804
-
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | 1 | PID:1780
-
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc | 1 | PID:1668
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache | 1 | PID:1640
-
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder | 1 | PID:1620
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS | 1 | PID:1592
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp | 1 | PID:1516
-
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes | 1 | PID:1472
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem | 1 | PID:1448
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi | 1 | PID:1408
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | 1 | PID:1320
-
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | 1 | PID:1280
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc | 1 | PID:1212