143aa60d44f38ae8a99ce6b5dbdb80412e2c32fcf8f50b5bd1aee46a3f5a4b40

General

Target

134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
Size

12.0MB
MD5

a067491773524cf499e7a0bc77ceec96
SHA1

e8034dfd3468dcd3d5a6d09f3fde7f63dcc9ec13
SHA256

134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457
SHA512

c759d0ace38c842f98d4a9d4a8cc342c89d40ab4238ff52625db13a4e50714aedf701798f6ea22e755e3599c4e002b4ba49ed3f9b06c56e4d95ac7ce6800fa4c
SSDEEP

98304:QnLu1TIRtUOV5ZQ+5jZArLu1OWWqXpy05QP:QnTRtBYk405QP

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\Readme_Instructions.html

Ransom Note

<!DOCTYPE HTML> <html><head><title>infected with ransomware virus</title> <meta http-equiv="X-UA-Compatible" content="IE=edge"> </head> <body style="margin: 0.4em; font-size: 14pt;">!!!    Your files are encrypted  !!! *All your files are protected with encryption* *There is no public decryption software.* *All files/documents/software with ".CRYPT" extension is encrypted* ###### Program and private key, What is the price? The price depends on how fast you can pay us.!###### 1 day : 50 Bitcoin 2 day : 60 Bitcoin 3 day : 90 Bitcoin 4 day : 130 Bitcoin 5 day    : permanent data loss !!!! ***How to contact our team through tox chat*** *Download tox chat from *<a href="https://tox.chat/download.html">https://tox.chat/download.html</a> *send us friend request to tox chat id 7D8796EB86CBF29F53F8A8447EABAF310ED898D9DEFF97AE09C1864C2A6B3B14ED8F82AE9B9D *Our team is waiting* !!!!For immediate decryption!!! write to our email: <a href="mailto:decryptorsoftware@xyzmailpro.com">decryptorsoftware@xyzmailpro.com</a> *After payment received, we will send private key to your IT department.!!!* *Free decryption As a guarantee, you can send us up to 3 free decrypted files before payment.* !!! We have downloaded all your files to our servers and will release data if you do not comply.!!! !!! Do not attempt to decrypt your data using third-party software, this will result in permanent data loss.!!!</body></html>

Emails

href="mailto:decryptorsoftware@xyzmailpro.com">decryptorsoftware@xyzmailpro.com</a>

URLs

http-equiv="X-UA-Compatible"

Extracted

Path

C:\Users\Admin\Desktop\Readme_Instructions.html

Ransom Note

!!! Your files are encrypted !!! *All your files are protected with encryption* *There is no public decryption software.* *All files/documents/software with ".CRYPT" extension is encrypted* ###### Program and private key, What is the price? The price depends on how fast you can pay us.!###### 1 day : 50 Bitcoin 2 day : 60 Bitcoin 3 day : 90 Bitcoin 4 day : 130 Bitcoin 5 day : permanent data loss !!!! ***How to contact our team through tox chat*** *Download tox chat from *https://tox.chat/download.html *send us friend request to tox chat id 7D8796EB86CBF29F53F8A8447EABAF310ED898D9DEFF97AE09C1864C2A6B3B14ED8F82AE9B9D *Our team is waiting* !!!!For immediate decryption!!! write to our email:decryptorsoftware@xyzmailpro.com *After payment received, we will send private key to your IT department.!!!* *Free decryption As a guarantee, you can send us up to 3 free decrypted files before payment.* !!! We have downloaded all your files to our servers and will release data if you do not comply.!!! !!! Do not attempt to decrypt your data using third-party software, this will result in permanent data loss.!!!

Emails

email:decryptorsoftware@xyzmailpro.com

Signatures

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SkipBackup.tif => C:\Users\Admin\Pictures\SkipBackup.tif.CRYPT	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File renamed	C:\Users\Admin\Pictures\CopyCheckpoint.raw => C:\Users\Admin\Pictures\CopyCheckpoint.raw.CRYPT	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File renamed	C:\Users\Admin\Pictures\DenyAssert.crw => C:\Users\Admin\Pictures\DenyAssert.crw.CRYPT	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File renamed	C:\Users\Admin\Pictures\ExpandImport.crw => C:\Users\Admin\Pictures\ExpandImport.crw.CRYPT	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File renamed	C:\Users\Admin\Pictures\ExportUnblock.png => C:\Users\Admin\Pictures\ExportUnblock.png.CRYPT	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File renamed	C:\Users\Admin\Pictures\MergeReset.crw => C:\Users\Admin\Pictures\MergeReset.crw.CRYPT	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File renamed	C:\Users\Admin\Pictures\ProtectEnable.png => C:\Users\Admin\Pictures\ProtectEnable.png.CRYPT	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File renamed	C:\Users\Admin\Pictures\SetMove.png => C:\Users\Admin\Pictures\SetMove.png.CRYPT	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01015_.WMF	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_zh_CN.jar	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBPAGE.XML	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_SelectionSubpicture.png	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME11.CSS	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPORTL.ICO	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUISet.XML	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Discussion.css	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\handsafe.reg	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ru.pak	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_ja.jar	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadomd28.tlb	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18238_.WMF	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14791_.GIF	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Canary	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02141_.WMF	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215718.WMF	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18249_.WMF	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher_1.1.0.v20131211-1531.jar	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Qyzylorda	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00269_.WMF	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02071U.BMP	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0292982.WMF	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115863.GIF	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\Readme_Instructions.html	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages.properties	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01356_.WMF	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.ja_5.5.0.165303.jar	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Monrovia	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Readme_Instructions.html	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\javafx-doclet.jar	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0284916.JPG	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.ID.XML	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\vlc.mo	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\TAB_OFF.GIF	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WORDIRMV.XML	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00919_.WMF	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107718.WMF	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL010.XML	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveDrop32x32.gif	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CharSetTable.chr	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\SUCTION.WAV	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR51B.GIF	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105306.WMF	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01221K.JPG	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_zh_CN.jar	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382968.JPG	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\Readme_Instructions.html	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_justify.gif	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GIFT.XML	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198016.WMF	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\OCEAN_01.MID	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIF	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\OUTGOING.ICO	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60b276e26337d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0C0B41E1-A357-11ED-B51C-6E705F4A26E5} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004e0d3d0b2889a64187c9feafe19d920000000000020000000000106600000001000020000000e2a87285371e496d661a09346c0ea0d3c0feb7ea59c8221708c67c217bb31425000000000e8000000002000020000000a77b9ae50840f809de64a1143b99fe2ec4e92a73d8101fce6e32118442c3dfd82000000001314557a31694bd2d4176b9cc2889fedd21fc765a8beb657ce015c20363c06540000000abc0da96d47893bc75e8dfc8090ba1350129f66f91006b90e9c616afc5c239733ea6a19509fdd715616ce37b5ab15844a269060d5f750f679b9e3a2b3781d4a7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "382147961"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004e0d3d0b2889a64187c9feafe19d920000000000020000000000106600000001000020000000942fbbb6bff3988756734a351aac562a26632b258c80634a7e0ec3385bd4cff2000000000e8000000002000020000000fe3bc9a3c2988926f0c637cd8d3833ccccf047eb4380ea7de47dab35f55b6e21900000008f0488d31a0cf4fda3d3514a6f4508f3e357cbde5416f0e6dcd4cdd0697ce2f2725ff852da671dfe0ebf6dd6993f7d2fddc3343782f8ccc93001d9e4e5cdf51c975cdb68f61bdf050ed0ff6e2a6f837f5029b0db72524f8799ee346fe7e07bc0acf0ff2e9cbf2e90e5cac4e7e346be43bfd0d2b04d039235ed2fabff582335169e75972f186369067497141ef3ac76f14000000007921f0ef761d5a50537c1d7fe87566d813a7a0b8b6217658e580666e8a877f7f5f1c2dbec4d8d9c2483cdee2437836e61fc90f1f1392cc1f46367f42c074de0	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe

pid	process
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1804	vssvc.exe
Token: SeRestorePrivilege	1804	vssvc.exe
Token: SeAuditPrivilege	1804	vssvc.exe
Token: SeIncreaseQuotaPrivilege	520	WMIC.exe
Token: SeSecurityPrivilege	520	WMIC.exe
Token: SeTakeOwnershipPrivilege	520	WMIC.exe
Token: SeLoadDriverPrivilege	520	WMIC.exe
Token: SeSystemProfilePrivilege	520	WMIC.exe
Token: SeSystemtimePrivilege	520	WMIC.exe
Token: SeProfSingleProcessPrivilege	520	WMIC.exe
Token: SeIncBasePriorityPrivilege	520	WMIC.exe
Token: SeCreatePagefilePrivilege	520	WMIC.exe
Token: SeBackupPrivilege	520	WMIC.exe
Token: SeRestorePrivilege	520	WMIC.exe
Token: SeShutdownPrivilege	520	WMIC.exe
Token: SeDebugPrivilege	520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	520	WMIC.exe
Token: SeRemoteShutdownPrivilege	520	WMIC.exe
Token: SeUndockPrivilege	520	WMIC.exe
Token: SeManageVolumePrivilege	520	WMIC.exe
Token: 33	520	WMIC.exe
Token: 34	520	WMIC.exe
Token: 35	520	WMIC.exe
Token: SeIncreaseQuotaPrivilege	520	WMIC.exe
Token: SeSecurityPrivilege	520	WMIC.exe
Token: SeTakeOwnershipPrivilege	520	WMIC.exe
Token: SeLoadDriverPrivilege	520	WMIC.exe
Token: SeSystemProfilePrivilege	520	WMIC.exe
Token: SeSystemtimePrivilege	520	WMIC.exe
Token: SeProfSingleProcessPrivilege	520	WMIC.exe
Token: SeIncBasePriorityPrivilege	520	WMIC.exe
Token: SeCreatePagefilePrivilege	520	WMIC.exe
Token: SeBackupPrivilege	520	WMIC.exe
Token: SeRestorePrivilege	520	WMIC.exe
Token: SeShutdownPrivilege	520	WMIC.exe
Token: SeDebugPrivilege	520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	520	WMIC.exe
Token: SeRemoteShutdownPrivilege	520	WMIC.exe
Token: SeUndockPrivilege	520	WMIC.exe
Token: SeManageVolumePrivilege	520	WMIC.exe
Token: 33	520	WMIC.exe
Token: 34	520	WMIC.exe
Token: 35	520	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1204	WMIC.exe
Token: SeSecurityPrivilege	1204	WMIC.exe
Token: SeTakeOwnershipPrivilege	1204	WMIC.exe
Token: SeLoadDriverPrivilege	1204	WMIC.exe
Token: SeSystemProfilePrivilege	1204	WMIC.exe
Token: SeSystemtimePrivilege	1204	WMIC.exe
Token: SeProfSingleProcessPrivilege	1204	WMIC.exe
Token: SeIncBasePriorityPrivilege	1204	WMIC.exe
Token: SeCreatePagefilePrivilege	1204	WMIC.exe
Token: SeBackupPrivilege	1204	WMIC.exe
Token: SeRestorePrivilege	1204	WMIC.exe
Token: SeShutdownPrivilege	1204	WMIC.exe
Token: SeDebugPrivilege	1204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1204	WMIC.exe
Token: SeRemoteShutdownPrivilege	1204	WMIC.exe
Token: SeUndockPrivilege	1204	WMIC.exe
Token: SeManageVolumePrivilege	1204	WMIC.exe
Token: 33	1204	WMIC.exe
Token: 34	1204	WMIC.exe
Token: 35	1204	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1204	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1768 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1768 iexplore.exe
1768 iexplore.exe
1072 IEXPLORE.EXE
1072 IEXPLORE.EXE
1072 IEXPLORE.EXE
1072 IEXPLORE.EXE

pid	process
1768	iexplore.exe

pid	process
1768	iexplore.exe
1768	iexplore.exe
1072	IEXPLORE.EXE
1072	IEXPLORE.EXE
1072	IEXPLORE.EXE
1072	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1096 wrote to memory of 1816	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1096 wrote to memory of 1816	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1096 wrote to memory of 1816	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1816 wrote to memory of 520	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 520	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 520	1816	cmd.exe	WMIC.exe
PID 1096 wrote to memory of 1208	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1096 wrote to memory of 1208	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1096 wrote to memory of 1208	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1208 wrote to memory of 1204	1208	cmd.exe	WMIC.exe
PID 1208 wrote to memory of 1204	1208	cmd.exe	WMIC.exe
PID 1208 wrote to memory of 1204	1208	cmd.exe	WMIC.exe
PID 1096 wrote to memory of 1092	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1096 wrote to memory of 1092	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1096 wrote to memory of 1092	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1092 wrote to memory of 900	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 900	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 900	1092	cmd.exe	WMIC.exe
PID 1096 wrote to memory of 1976	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1096 wrote to memory of 1976	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1096 wrote to memory of 1976	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1976 wrote to memory of 1960	1976	cmd.exe	WMIC.exe
PID 1976 wrote to memory of 1960	1976	cmd.exe	WMIC.exe
PID 1976 wrote to memory of 1960	1976	cmd.exe	WMIC.exe
PID 1096 wrote to memory of 1624	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1096 wrote to memory of 1624	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1096 wrote to memory of 1624	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1624 wrote to memory of 1640	1624	cmd.exe	WMIC.exe
PID 1624 wrote to memory of 1640	1624	cmd.exe	WMIC.exe
PID 1624 wrote to memory of 1640	1624	cmd.exe	WMIC.exe
PID 1096 wrote to memory of 1000	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1096 wrote to memory of 1000	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1096 wrote to memory of 1000	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1000 wrote to memory of 1632	1000	cmd.exe	WMIC.exe
PID 1000 wrote to memory of 1632	1000	cmd.exe	WMIC.exe
PID 1000 wrote to memory of 1632	1000	cmd.exe	WMIC.exe
PID 1096 wrote to memory of 1756	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1096 wrote to memory of 1756	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1096 wrote to memory of 1756	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1756 wrote to memory of 1128	1756	cmd.exe	WMIC.exe
PID 1756 wrote to memory of 1128	1756	cmd.exe	WMIC.exe
PID 1756 wrote to memory of 1128	1756	cmd.exe	WMIC.exe
PID 1096 wrote to memory of 652	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1096 wrote to memory of 652	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1096 wrote to memory of 652	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 652 wrote to memory of 624	652	cmd.exe	WMIC.exe
PID 652 wrote to memory of 624	652	cmd.exe	WMIC.exe
PID 652 wrote to memory of 624	652	cmd.exe	WMIC.exe
PID 1096 wrote to memory of 1708	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1096 wrote to memory of 1708	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1096 wrote to memory of 1708	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1708 wrote to memory of 588	1708	cmd.exe	WMIC.exe
PID 1708 wrote to memory of 588	1708	cmd.exe	WMIC.exe
PID 1708 wrote to memory of 588	1708	cmd.exe	WMIC.exe
PID 1096 wrote to memory of 1924	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1096 wrote to memory of 1924	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1096 wrote to memory of 1924	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1924 wrote to memory of 1084	1924	cmd.exe	WMIC.exe
PID 1924 wrote to memory of 1084	1924	cmd.exe	WMIC.exe
PID 1924 wrote to memory of 1084	1924	cmd.exe	WMIC.exe
PID 1096 wrote to memory of 960	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1096 wrote to memory of 960	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 1096 wrote to memory of 960	1096	134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe	cmd.exe
PID 960 wrote to memory of 1092	960	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
"C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E8F5D795-5C3A-4769-A0A2-D3487F70F069}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E8F5D795-5C3A-4769-A0A2-D3487F70F069}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B618271D-B239-482D-AFD5-7A50C9A50BAE}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B618271D-B239-482D-AFD5-7A50C9A50BAE}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DA422079-C14A-49DA-B3EC-82273B6CF696}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DA422079-C14A-49DA-B3EC-82273B6CF696}'" delete
3⤵
PID:900

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{734396EA-1826-43DB-B98D-E35D8F7D9CC2}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{734396EA-1826-43DB-B98D-E35D8F7D9CC2}'" delete
3⤵
PID:1960

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{30A33652-DC7F-4339-ABB7-817FF1FBC717}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{30A33652-DC7F-4339-ABB7-817FF1FBC717}'" delete
3⤵
PID:1640

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A5A770FD-9640-457C-8524-28B99A08B1DD}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A5A770FD-9640-457C-8524-28B99A08B1DD}'" delete
3⤵
PID:1632

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{99C8D04A-818D-4A47-B362-485EB73813BD}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{99C8D04A-818D-4A47-B362-485EB73813BD}'" delete
3⤵
PID:1128

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{77837457-EA6F-4186-BFB1-35A1E4FB5AC8}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{77837457-EA6F-4186-BFB1-35A1E4FB5AC8}'" delete
3⤵
PID:624

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4F046BF2-0712-465A-AA1F-BED0DAC14995}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4F046BF2-0712-465A-AA1F-BED0DAC14995}'" delete
3⤵
PID:588

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{42C454BB-4ECD-4764-9CA9-EA47C9016450}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{42C454BB-4ECD-4764-9CA9-EA47C9016450}'" delete
3⤵
PID:1084

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4251BF33-9FB5-485E-9DD2-2AA975A61DA3}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4251BF33-9FB5-485E-9DD2-2AA975A61DA3}'" delete
3⤵
PID:1092

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F5BE2DB2-82FB-45CC-A7AE-B6E48AF616B0}'" delete
2⤵
PID:576

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F5BE2DB2-82FB-45CC-A7AE-B6E48AF616B0}'" delete
3⤵
PID:1516

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E3EA34D6-0D83-420F-9FDB-BCB8B282ABD3}'" delete
2⤵
PID:1676

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E3EA34D6-0D83-420F-9FDB-BCB8B282ABD3}'" delete
3⤵
PID:1484

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9C7453FC-F46B-48FE-953C-7C693DE44F6C}'" delete
2⤵
PID:360

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9C7453FC-F46B-48FE-953C-7C693DE44F6C}'" delete
3⤵
PID:1072

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A19866EC-B042-4C15-8E3B-C50FE041BDA6}'" delete
2⤵
PID:1520

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A19866EC-B042-4C15-8E3B-C50FE041BDA6}'" delete
3⤵
PID:1100

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C4F203A0-643F-44F5-B71A-61C6A2753C7F}'" delete
2⤵
PID:1988

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C4F203A0-643F-44F5-B71A-61C6A2753C7F}'" delete
3⤵
PID:1712

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C4A230E8-3D41-4EEA-BF73-3F5BFAFE1A25}'" delete
2⤵
PID:776

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C4A230E8-3D41-4EEA-BF73-3F5BFAFE1A25}'" delete
3⤵
PID:580

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D39A855D-FA6E-419D-A76F-8E1FFB870B4F}'" delete
2⤵
PID:452

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D39A855D-FA6E-419D-A76F-8E1FFB870B4F}'" delete
3⤵
PID:976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\Readme_Instructions.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1768

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1768 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0C0B41E1-A357-11ED-B51C-6E705F4A26E5}.dat
Filesize
5KB

MD5
3b9b56f2f7434887868f6bf2b9debfba

SHA1
ee0c003817f76bf46c9c4dcb07caebc8adcc9722

SHA256
194a52c1744c141b68157fc3580bc82f054f83a1ab69662230ba409e74513787

SHA512
43179b04b366e7278f00d4b4ee1b8a4162bcca5fcffd00cb19f6d7927364bee0fda37d3decd3d5f09a4dbf79dd84e74188a649ccdc9019578f639e0ca2721d19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0C0B41E3-A357-11ED-B51C-6E705F4A26E5}.dat
Filesize
4KB

MD5
ac87f5ea117a39c0815afcf69bc2a121

SHA1
41123f04199c03a069518eff6da76b1ed1e741b3

SHA256
f0dfe6cd13670f29b9a495d4d3294e21b32997fe3fc03fde4190fb3f2b24a48f

SHA512
71e1b4754b1011adeea424f9d12ad33fbce5d7c555d55deadf3568c105fdee929fa95f6bcae3c252d22b683a7803c374b42c306f0b22c90bdfd98419f61accd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0C0B41E4-A357-11ED-B51C-6E705F4A26E5}.dat
Filesize
3KB

MD5
e86a246535e7300419c1ca182fde46ab

SHA1
a59b474bba2ec981a71507d1eebf02eb292dff4c

SHA256
75d14031bd101e89577fa60ce36d5dcf4240bfb4dc904393dea5f6d267929ded

SHA512
7e8760eaa46516c4d355ac3ae3006835f525416c8bb679936a2782cc91f44cbd25347071d6a6ff855432172c7f3079af2f2492d840a6149c34cdfb0bf3f86d09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\Readme_Instructions.html
Filesize
1KB

MD5
9ae54b4efc9f30245782c6001f69b120

SHA1
3de64c5e9732699b76510728e43f408c131a995e

SHA256
cef2395cc2ae718f07b84bdbae435752c0e7049aa6de8488ab045c07f5fd0b37

SHA512
fbbb0e2bf0d11756dba1d9bf0183a2f0ec94ee729d97740ed3ba47b3f99922188fc04fdbc255f51a3544fa3bfc7ed588d3aabb45de0ed59ed96ce6d15daeed75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\Readme_Instructions.html
Filesize
1KB

MD5
9ae54b4efc9f30245782c6001f69b120

SHA1
3de64c5e9732699b76510728e43f408c131a995e

SHA256
cef2395cc2ae718f07b84bdbae435752c0e7049aa6de8488ab045c07f5fd0b37

SHA512
fbbb0e2bf0d11756dba1d9bf0183a2f0ec94ee729d97740ed3ba47b3f99922188fc04fdbc255f51a3544fa3bfc7ed588d3aabb45de0ed59ed96ce6d15daeed75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Readme_Instructions.html
Filesize
1KB

MD5
9ae54b4efc9f30245782c6001f69b120

SHA1
3de64c5e9732699b76510728e43f408c131a995e

SHA256
cef2395cc2ae718f07b84bdbae435752c0e7049aa6de8488ab045c07f5fd0b37

SHA512
fbbb0e2bf0d11756dba1d9bf0183a2f0ec94ee729d97740ed3ba47b3f99922188fc04fdbc255f51a3544fa3bfc7ed588d3aabb45de0ed59ed96ce6d15daeed75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SIUOQIRU.txt
Filesize
605B

MD5
6bf004e6059732805c173ac9812e241d

SHA1
8fb7637f6be4ea9e98b291e811fcc34d4e2691ad

SHA256
be9296b5661d0bf7350192da137658202b92ad67fb37fdbf042c54f2a7c0de6a

SHA512
4e0093f83ce72f2bd0f879f44024fc48ec81d14f263eef1457b3570ce0e1b2261a5dd50ff7a30c272cc662083b4d344b40e1e2ec1f1276298a49df77d4969086

Download Submit
C:\Users\Admin\Desktop\Readme_Instructions.html
Filesize
1KB

MD5
9ae54b4efc9f30245782c6001f69b120

SHA1
3de64c5e9732699b76510728e43f408c131a995e

SHA256
cef2395cc2ae718f07b84bdbae435752c0e7049aa6de8488ab045c07f5fd0b37

SHA512
fbbb0e2bf0d11756dba1d9bf0183a2f0ec94ee729d97740ed3ba47b3f99922188fc04fdbc255f51a3544fa3bfc7ed588d3aabb45de0ed59ed96ce6d15daeed75

Download Submit
memory/360-80-0x0000000000000000-mapping.dmp

Download
memory/452-88-0x0000000000000000-mapping.dmp

Download
memory/520-55-0x0000000000000000-mapping.dmp

Download
memory/576-76-0x0000000000000000-mapping.dmp

Download
memory/580-87-0x0000000000000000-mapping.dmp

Download
memory/588-71-0x0000000000000000-mapping.dmp

Download
memory/624-69-0x0000000000000000-mapping.dmp

Download
memory/652-68-0x0000000000000000-mapping.dmp

Download
memory/776-86-0x0000000000000000-mapping.dmp

Download
memory/900-59-0x0000000000000000-mapping.dmp

Download
memory/960-74-0x0000000000000000-mapping.dmp

Download
memory/976-89-0x0000000000000000-mapping.dmp

Download
memory/1000-64-0x0000000000000000-mapping.dmp

Download
memory/1072-81-0x0000000000000000-mapping.dmp

Download
memory/1084-73-0x0000000000000000-mapping.dmp

Download
memory/1092-58-0x0000000000000000-mapping.dmp

Download
memory/1092-75-0x0000000000000000-mapping.dmp

Download
memory/1100-83-0x0000000000000000-mapping.dmp

Download
memory/1128-67-0x0000000000000000-mapping.dmp

Download
memory/1204-57-0x0000000000000000-mapping.dmp

Download
memory/1208-56-0x0000000000000000-mapping.dmp

Download
memory/1484-79-0x0000000000000000-mapping.dmp

Download
memory/1516-77-0x0000000000000000-mapping.dmp

Download
memory/1520-82-0x0000000000000000-mapping.dmp

Download
memory/1624-62-0x0000000000000000-mapping.dmp

Download
memory/1632-65-0x0000000000000000-mapping.dmp

Download
memory/1640-63-0x0000000000000000-mapping.dmp

Download
memory/1676-78-0x0000000000000000-mapping.dmp

Download
memory/1708-70-0x0000000000000000-mapping.dmp

Download
memory/1712-85-0x0000000000000000-mapping.dmp

Download
memory/1756-66-0x0000000000000000-mapping.dmp

Download
memory/1816-54-0x0000000000000000-mapping.dmp

Download
memory/1924-72-0x0000000000000000-mapping.dmp

Download
memory/1960-61-0x0000000000000000-mapping.dmp

Download
memory/1976-60-0x0000000000000000-mapping.dmp

Download
memory/1988-84-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads