Analysis
-
max time kernel
162s -
max time network
157s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system -
submitted
26/12/2022, 07:03
Static task
static1
General
-
Target
DCIM 2213433 (1).html
-
Size
324KB
-
MD5
853fd4b573c8edff78b8204d7a6681bc
-
SHA1
859529d1769f5b7f4faa41541b80be1ee2809ee3
-
SHA256
5b401b8c6cd16f30343f881d961b8b0d8db5de67c1edfd72a6ac067549948249
-
SHA512
a351a9088ecf2eb5b04fae901497301eb937694577d3adc830ef9119edb96817f83060236971f70cab26f936a1fffa5db8a238a7ae7fb3a6c9c38556a06fc443
-
SSDEEP
6144:R7fHlcXOXuQgW9PDWBEirw1anCzg8rldx6/0HluKZDiiHuMy5wgNzc:RxFXuE9GkY8rlae4KLHuME1o
Malware Config
Extracted
Family
qakbot
-
Version
404.52
-
Botnet
obama227
-
Campaign
1670928929
-
C2
27.109.19.90:2078
108.44.207.232:443
156.220.0.161:993
77.86.98.236:443
23.242.141.218:2222
108.162.6.34:443
73.223.248.31:443
217.43.16.149:443
91.178.75.146:2222
193.251.52.34:2222
86.165.15.180:2222
73.36.196.11:443
24.228.132.224:2222
86.98.23.199:443
176.151.15.101:443
70.55.120.16:2222
181.164.194.223:443
69.133.162.35:443
92.154.17.149:2222
184.68.116.146:61202
90.89.95.158:2222
12.172.173.82:21
181.118.183.50:443
162.248.14.107:443
2.83.32.104:443
103.144.201.62:2078
88.126.94.4:50000
47.34.30.133:443
86.225.214.138:2222
66.90.198.204:443
50.68.204.71:993
184.176.154.83:995
92.207.132.174:2222
74.83.128.70:2083
90.194.186.175:443
142.161.27.232:2222
167.58.235.148:443
184.68.116.146:2078
124.122.55.7:443
176.142.207.63:443
198.2.51.242:993
12.172.173.82:22
75.98.154.19:443
24.142.218.202:443
70.77.116.233:443
109.11.175.42:2222
51.183.20.212:443
12.172.173.82:50001
190.24.45.24:995
76.20.42.45:443
174.104.184.149:443
80.44.148.126:2222
89.115.196.99:443
2.83.12.243:443
121.121.100.148:995
78.101.91.215:2222
98.145.23.67:443
12.172.173.82:990
197.94.86.141:443
197.0.32.186:443
91.68.227.219:443
12.172.173.82:993
92.27.86.48:2222
190.199.126.108:993
173.18.126.3:443
75.99.125.236:2222
85.241.180.94:443
178.152.27.222:443
85.7.61.22:2222
74.66.134.24:443
174.58.146.57:443
172.90.139.138:2222
103.141.50.151:995
136.232.184.134:995
173.239.94.212:443
91.169.12.198:32100
184.68.116.146:2222
24.71.120.191:443
82.6.99.234:443
2.99.47.198:2222
100.6.8.7:443
103.71.21.107:443
66.191.69.18:995
184.153.132.82:443
69.119.123.159:2222
81.229.117.95:2222
102.40.202.189:995
92.189.214.236:2222
70.115.104.126:995
217.128.91.196:2222
184.68.116.146:3389
12.172.173.82:995
73.230.28.7:443
147.148.234.231:2222
100.36.249.75:995
92.154.45.81:2222
31.53.29.245:2222
86.18.75.136:443
109.133.67.116:995
87.221.197.110:2222
152.170.17.136:443
62.102.228.245:2222
92.24.200.226:995
86.99.14.46:2222
86.96.75.237:2222
90.79.129.166:2222
190.201.157.16:443
90.119.197.132:2222
87.223.87.35:443
123.3.240.16:995
87.221.215.41:2222
65.30.139.145:995
12.172.173.82:465
75.143.236.149:443
172.117.139.142:995
58.247.115.126:995
75.158.15.211:443
116.75.63.32:443
87.65.160.87:995
76.80.180.154:995
-
salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000E | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | svchost.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912} | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\DeviceDesc | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\en | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\FriendlyName | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Mfg | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\HardwareID | svchost.exe
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 7942aa4aa9aed801 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\PhishingFilter | iexplore.exe
-
Modifies Internet Explorer settings 49 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082930f900440d345bf0071a441304c2b000000000200000000001066000000010000200000001600edca9fea4621d74b9e546a5cd078e9320b6358f0c6a5e8514000a416a032000000000e800000000200002000000093a19d6b930f372caa9fb2a8160995be86da5635e1d87c25b34da43e8b73e9ba20000000b50fdd7f220b113ac32e7b59feafb02b7718c477a2be143a9588e78e092a1e944000000008451e565d5928cdbf3478402102d74a014787ba435fc38aa599d98db1edee0539f6974300c88b2d05c19efba5594b5fffd2aba5df8d1190365e260245bf5800 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "378855352" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31004928" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31004928" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BC174318-84F3-11ED-A973-6636024DB643} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31004928" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2467132866" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c06729a10019d901 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "378823360" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2430570400" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2430570400" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f05416a10019d901 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082930f900440d345bf0071a441304c2b000000000200000000001066000000010000200000000278c0b1ad2b5eac32a610d195a115d838933b0c6a98af614073d251c11dfff8000000000e8000000002000020000000104a55308e8df9e27de476241db71cffe00d1ee48c1d194f21be6734c8e29eab20000000d4a807b91fd2d14b3ae4a5721a19e2f84f446a6ec550fe177f11cb82faa9a13f40000000eb9a2f03d681bc18db0fef360a27f2c223e217accd9bc4d242ae476691159c34ef327095b8151fc9e23360e2e3102259dbc5bb220066b73382ec2890c2c05870 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "378806766" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" | iexplore.exe
-
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | svchost.exe
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings | firefox.exe
-
NTFS ADS 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\Downloads\DCIM 2213433.zip:Zone.Identifier | firefox.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries
4848 | rundll32.exe | 6
3016 | wermgr.exe | 34
4404 | rundll32.exe | 6
3016 | wermgr.exe | 18
-
Suspicious behavior: MapViewOfSection 3 IoCs
pid | Process
4848 | rundll32.exe
4404 | rundll32.exe
3844 | rundll32.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | Process | entries
Token: SeDebugPrivilege | 792 | firefox.exe | 5
-
Suspicious use of FindShellTrayWindow 5 IoCs
pid | Process | entries
2496 | iexplore.exe | 1
792 | firefox.exe | 4
-
Suspicious use of SendNotifyMessage 3 IoCs
pid | Process | entries
792 | firefox.exe | 3
-
Suspicious use of SetWindowsHookEx 29 IoCs
pid | Process | entries
2496 | iexplore.exe | 2
2788 | IEXPLORE.EXE | 4
2496 | iexplore.exe | 1
792 | firefox.exe | 22
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | entries
PID 2496 wrote to memory of 2788 | 2496 | iexplore.exe | 66 | 3
PID 3468 wrote to memory of 792 | 3468 | firefox.exe | 70 | 9
PID 792 wrote to memory of 4256 | 792 | firefox.exe | 72 | 2
PID 792 wrote to memory of 5108 | 792 | firefox.exe | 73 | 43
PID 792 wrote to memory of 4564 | 792 | firefox.exe | 74 | 7
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe (PID 2496)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\DCIM 2213433 (1).html"
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2788, child of 2496)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2496 CREDAT:82945 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe (PID 3468)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Mozilla Firefox\firefox.exe (PID 792, child of 3468)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 4256, child of 792)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="792.0.737918481\2116001546" -parentBuildID 20200403170909 -prefsHandle 1524 -prefMapHandle 1516 -prefsLen 1 -prefMapSize 219938 -appdir "C:\Program Files\Mozilla Firefox\browser" - 792 "\\.\pipe\gecko-crash-server-pipe.792" 1624 gpu
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 5108, child of 792)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="792.3.2104103950\1854636238" -childID 1 -isForBrowser -prefsHandle 2020 -prefMapHandle 2004 -prefsLen 156 -prefMapSize 219938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 792 "\\.\pipe\gecko-crash-server-pipe.792" 2156 tab
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 4564, child of 792)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="792.13.179639219\618611813" -childID 2 -isForBrowser -prefsHandle 3216 -prefMapHandle 3284 -prefsLen 6938 -prefMapSize 219938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 792 "\\.\pipe\gecko-crash-server-pipe.792" 3296 tab
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 4712, child of 792)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="792.20.1777098363\2047863352" -childID 3 -isForBrowser -prefsHandle 4164 -prefMapHandle 3772 -prefsLen 7942 -prefMapSize 219938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 792 "\\.\pipe\gecko-crash-server-pipe.792" 4384 tab
-
C:\Windows\System32\rundll32.exe (PID 212)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
C:\Windows\system32\svchost.exe (PID 4056)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
-
C:\Windows\System32\rundll32.exe (PID 4832)
  Command line: "C:\Windows\System32\rundll32.exe" \desktop.dat,qqqq
  C:\Windows\SysWOW64\rundll32.exe (PID 4848, child of 4832)
    Command line: "C:\Windows\System32\rundll32.exe" \desktop.dat,qqqq
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    C:\Windows\SysWOW64\wermgr.exe (PID 3016, child of 4848)
      Command line: C:\Windows\SysWOW64\wermgr.exe
      - Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\rundll32.exe (PID 876)
  Command line: "C:\Windows\System32\rundll32.exe" \desktop.dat,qqqq
  C:\Windows\SysWOW64\rundll32.exe (PID 4404, child of 876)
    Command line: "C:\Windows\System32\rundll32.exe" \desktop.dat,qqqq
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    C:\Windows\SysWOW64\wermgr.exe (PID 1528, child of 4404)
      Command line: C:\Windows\SysWOW64\wermgr.exe
-
C:\Windows\System32\rundll32.exe (PID 1068)
  Command line: "C:\Windows\System32\rundll32.exe" \desktop.dat,qqqq
  C:\Windows\SysWOW64\rundll32.exe (PID 3844, child of 1068)
    Command line: "C:\Windows\System32\rundll32.exe" \desktop.dat,qqqq
    - Suspicious behavior: MapViewOfSection
    C:\Windows\SysWOW64\wermgr.exe (PID 3824, child of 3844)
      Command line: C:\Windows\SysWOW64\wermgr.exe
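The three rundll32 chains above share one shape: a 64-bit rundll32 is handed a file with a non-DLL name at the drive root (\desktop.dat) and an export named qqqq, it re-executes through the SysWOW64 copy with the same arguments (the logged command line still says System32; the executed image is the 32-bit one), and that 32-bit rundll32, flagged for MapViewOfSection, ends up with wermgr.exe as a child, which is consistent with the payload being injected into wermgr.exe. The following detection logic is an added example written for this page, not part of the sandbox report or any vendor product. The ProcEvent records are constructed by hand from the tree above (PID 212 is included as a benign rundll32 for contrast; parent PIDs not shown in the report are set to 0); the field names, trusted-directory list and rule wording are this example's own assumptions.

```python
"""Added example (not from the sandbox report): flag the rundll32 ->
rundll32 (SysWOW64) -> wermgr.exe chain seen in the process tree.

Event records are constructed from the report's tree. Field names, the
trusted-directory list and the rules are assumptions of this example.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # 0 = parent not shown in the report
    image: str     # on-disk image that actually ran
    cmdline: str   # command line as logged


# Constructed from the report: benign shell32 rundll32 (PID 212) for
# contrast, plus the first of the three identical \desktop.dat,qqqq chains.
EVENTS = [
    ProcEvent(212, 0, r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,"
              r"SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    ProcEvent(4832, 0, r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" \desktop.dat,qqqq'),
    # Image is the SysWOW64 copy although the logged command line still names
    # System32: the 64-bit rundll32 was given a 32-bit DLL and re-executed
    # itself through the 32-bit copy with the same arguments.
    ProcEvent(4848, 4832, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" \desktop.dat,qqqq'),
    ProcEvent(3016, 4848, r"C:\Windows\SysWOW64\wermgr.exe",
              r"C:\Windows\SysWOW64\wermgr.exe"),
]

# rundll32 syntax: [quoted] path\rundll32.exe <module>,<export> [args...]
RUNDLL32_ARGS = re.compile(
    r'^\s*"?(?P<exe>[^"]*?rundll32\.exe)"?\s+(?P<module>[^\s,]+),(?P<export>\S+)', re.I)

DLL_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax"}
# Assumed allow-list; tune per environment.
TRUSTED_MODULE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")


def parse_rundll32(cmdline):
    """Return (module, export) for a rundll32 command line, else None."""
    m = RUNDLL32_ARGS.match(cmdline)
    return (m.group("module"), m.group("export")) if m else None


def is_wow64(image):
    return "\\syswow64\\" in image.lower()


def module_findings(ev):
    """Rules on the module rundll32 was asked to load."""
    parsed = parse_rundll32(ev.cmdline)
    if parsed is None:
        return []
    module, export = parsed
    out = []
    ext = ntpath.splitext(module)[1].lower()
    if ext not in DLL_EXTENSIONS:
        out.append(f"pid {ev.pid}: rundll32 loads a module with non-DLL extension "
                   f"{ext or '(none)'}: {module}!{export}")
    # A root-relative path such as \desktop.dat resolves against the root of
    # the current drive, a location any local user can usually write to.
    if not module.lower().startswith(TRUSTED_MODULE_DIRS):
        out.append(f"pid {ev.pid}: rundll32 module outside trusted directories: {module}")
    return out


def lineage_findings(events):
    """Rules on parent/child pairs that characterise the chain in the report."""
    by_pid = {e.pid: e for e in events}
    out = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None:
            continue
        pname = ntpath.basename(parent.image).lower()
        cname = ntpath.basename(ev.image).lower()
        if (pname == cname == "rundll32.exe"
                and is_wow64(ev.image) and not is_wow64(parent.image)
                and parent.cmdline == ev.cmdline):
            out.append(f"pid {ev.pid}: 64-bit rundll32 {parent.pid} re-ran itself as "
                       f"32-bit with the same arguments (32-bit payload DLL)")
        if pname == "rundll32.exe" and cname == "wermgr.exe":
            out.append(f"pid {ev.pid}: wermgr.exe spawned by rundll32 {parent.pid}; "
                       f"rundll32 is not a normal parent for the WER manager")
    return out


def findings(events):
    """All findings for a batch of process-creation events."""
    out = []
    for ev in events:
        out.extend(module_findings(ev))
    out.extend(lineage_findings(events))
    return out


if __name__ == "__main__":
    for line in findings(EVENTS):
        print(line)
```

Run against the constructed events, PID 212 produces nothing, PID 4832 is flagged twice (extension and location), PID 4848 picks up the same two plus the 64-to-32-bit relaunch, and PID 3016 is flagged for its rundll32 parent. The module rules fire on the very first rundll32 before any injection happens, which is the point: the chain is visible from command lines alone, without needing the sandbox's MapViewOfSection signal.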
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 471B
MD5: b373d75a1062fd2158e3d68dab288e35
SHA1: e99d234b133ae945c8e272f2df62f774cbfa51a2
SHA256: a67e5caae4c6dae06ba77fc7116868376e2fffddabda276864e6b37b696502de
SHA512: c0b916b9766e8224cb7ad17db485de23325754cfa4e464b670fe8b4b61c95bcb60e12891bc46bc935c3ab4022deca3ddbfb57e321186dda3a5f21522d622ac0a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
MD5: f7458b51f906f46d989493532f17773b
SHA1: 644c7dcefecc1710bc3a461130519e9d4d53854d
SHA256: 5196ff4d7cceea8c8a04ebe08960e8e79af2f2766c5cb94ff2ed873e3da7978d
SHA512: beeb88146ba92cf40709d021d8f1e343609313986f32c3ca98b36031cf3ce1e3c8d76f6b9d1bceba7e3c221be0460d95cf343a6ade5e0fb5c470bf08bd66fcd6
-
Filesize: 615B
MD5: d4bbaeb877e40befdb1319e1210df223
SHA1: a0f166b8b84faa487d963af79abcb4eb0842798a
SHA256: 4499f03d1ac6523d1738f5c5aea14292c4ce44e1f60580701627cf899438a228
SHA512: b237278b459c7ac9fcd8e212c2cdbbda60b904e9ec62d4a385f9ad4d18cdd8b60347e3b845996801d10a612ac1b51f26bdb33b1496cdd43124d5a699d043bbab
-
Filesize: 615B
MD5: 7f9b90eb6711f30952798e836d2208c3
SHA1: ac808cceeb3cce71d426a4f484beb70b9ea68f95
SHA256: 583756e1c6918d16864d93c00670588a2143a17da46225ed22df95c6e8dc6473
SHA512: c6fbd401365b5794f4f9c7366b5cc3fb4de20393f8b6d1b0201ce4235442ae34ec0cb14c747cdb499c5fe623bfb01029437ebf42c232a4604bac08ba4ac95aba
-
Filesize: 348B
MD5: 4c17b239c4e95df8082cc33bca3c46c1
SHA1: 7ff0f8373e5f5c176cd680b5d16fa371acc01bd8
SHA256: 393c6b34a888d9607aad45a620e472016dea800c443be78ef175097fa8261cf9
SHA512: b9ed54d1e93c7c8cf55b90d5b73a4697b025fd81db7e93c76e794af3532da6c055b96f81cb2a7d2342880c191e17a887be06795dad578f8839b3456f43d874a5