conti | hxxp://malwaredatabase[.]byethost13[.]com/?i=1

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	regsvr32.exe

Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs

evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

description	ioc	Process
File opened (read-only)	C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys	regsvr32.exe

ModiLoader Second Stage 27 IoCs

resource	yara_rule
behavioral1/memory/4992-1392-0x0000000000400000-0x000000000046EAD0-memory.dmp	modiloader_stage2
behavioral1/memory/4992-1393-0x0000000002250000-0x000000000232C000-memory.dmp	modiloader_stage2
behavioral1/memory/4992-1394-0x0000000002250000-0x000000000232C000-memory.dmp	modiloader_stage2
behavioral1/memory/4992-1395-0x0000000002250000-0x000000000232C000-memory.dmp	modiloader_stage2
behavioral1/memory/4992-1398-0x0000000002250000-0x000000000232C000-memory.dmp	modiloader_stage2
behavioral1/memory/4992-1399-0x0000000002250000-0x000000000232C000-memory.dmp	modiloader_stage2
behavioral1/memory/4992-1400-0x0000000002250000-0x000000000232C000-memory.dmp	modiloader_stage2
behavioral1/memory/4992-1436-0x0000000000400000-0x000000000046EAD0-memory.dmp	modiloader_stage2
behavioral1/memory/4992-1437-0x0000000002250000-0x000000000232C000-memory.dmp	modiloader_stage2
behavioral1/memory/4728-11097-0x0000000000C00000-0x0000000000D4A000-memory.dmp	modiloader_stage2
behavioral1/memory/4992-11098-0x0000000002250000-0x000000000232C000-memory.dmp	modiloader_stage2
behavioral1/memory/4728-11108-0x0000000000C00000-0x0000000000D4A000-memory.dmp	modiloader_stage2
behavioral1/memory/4728-11150-0x0000000000C00000-0x0000000000D4A000-memory.dmp	modiloader_stage2
behavioral1/memory/4728-11156-0x0000000000C00000-0x0000000000D4A000-memory.dmp	modiloader_stage2
behavioral1/memory/4728-11162-0x0000000000C00000-0x0000000000D4A000-memory.dmp	modiloader_stage2
behavioral1/memory/4728-11165-0x0000000000C00000-0x0000000000D4A000-memory.dmp	modiloader_stage2
behavioral1/memory/4728-11189-0x0000000000C00000-0x0000000000D4A000-memory.dmp	modiloader_stage2
behavioral1/memory/4728-11254-0x0000000000C00000-0x0000000000D4A000-memory.dmp	modiloader_stage2
behavioral1/memory/4728-11255-0x0000000000C00000-0x0000000000D4A000-memory.dmp	modiloader_stage2
behavioral1/memory/4728-11256-0x0000000000C00000-0x0000000000D4A000-memory.dmp	modiloader_stage2
behavioral1/memory/4728-11257-0x0000000000C00000-0x0000000000D4A000-memory.dmp	modiloader_stage2
behavioral1/memory/4728-11268-0x0000000000C00000-0x0000000000D4A000-memory.dmp	modiloader_stage2
behavioral1/memory/4728-11278-0x0000000000C00000-0x0000000000D4A000-memory.dmp	modiloader_stage2
behavioral1/memory/2300-11301-0x0000000000E00000-0x0000000000F4A000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-11342-0x0000000000800000-0x000000000094A000-memory.dmp	modiloader_stage2
behavioral1/memory/2300-11522-0x0000000000E00000-0x0000000000F4A000-memory.dmp	modiloader_stage2
behavioral1/memory/3680-11833-0x0000000000800000-0x000000000094A000-memory.dmp	modiloader_stage2

Renames multiple (8283) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

resource	yara_rule
behavioral1/memory/796-1919-0x0000000001800000-0x0000000001833000-memory.dmp	dave

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	regsvr32.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\GetMount.tiff => C:\Users\Admin\Pictures\GetMount.tiff.KCWTT	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File renamed	C:\Users\Admin\Pictures\RepairOpen.tif => C:\Users\Admin\Pictures\RepairOpen.tif.KCWTT	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File renamed	C:\Users\Admin\Pictures\SubmitMerge.tif => C:\Users\Admin\Pictures\SubmitMerge.tif.KCWTT	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File renamed	C:\Users\Admin\Pictures\UnblockShow.tiff => C:\Users\Admin\Pictures\UnblockShow.tiff.KCWTT	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File renamed	C:\Users\Admin\Pictures\UnlockBackup.png => C:\Users\Admin\Pictures\UnlockBackup.png.KCWTT	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Admin\Pictures\GetMount.tiff	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File renamed	C:\Users\Admin\Pictures\SplitSave.tif => C:\Users\Admin\Pictures\SplitSave.tif.KCWTT	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Admin\Pictures\UnblockShow.tiff	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File renamed	C:\Users\Admin\Pictures\DismountSelect.tif => C:\Users\Admin\Pictures\DismountSelect.tif.KCWTT	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	regsvr32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	mshta.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe

Executes dropped EXE 5 IoCs

pid	Process
3928	af057b134b3927bf81bbaacf500577cfdacf96a944a8e6cc9355d346ebe54ebe.exe
4992	f5be23df0cfd529674c9939bf11e4d0f61693f898cf989e7b7acf62202c0874e.exe
796	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
1956	af057b134b3927bf81bbaacf500577cfdacf96a944a8e6cc9355d346ebe54ebe.exe
4976	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\1dfb4\\028df.bat\""	regsvr32.exe

Drops desktop.ini file(s) 31 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Public\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	regsvr32.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4992 set thread context of 4728	4992	f5be23df0cfd529674c9939bf11e4d0f61693f898cf989e7b7acf62202c0874e.exe	113
PID 4728 set thread context of 2300	4728	regsvr32.exe	114
PID 2300 set thread context of 3680	2300	regsvr32.exe	115

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul.xrm-ms	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\pt-PT.pak	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2Fluent.White.png	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-sl\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nl-nl\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\ui-strings.js	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-cn\ui-strings.js	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File created	C:\Program Files (x86)\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\export.svg	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\example_icons2x.png	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\uk-ua\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-pl.xrm-ms	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN001.XML	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\warning.png	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hr-hr\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\en-US\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sk-sk\ui-strings.js	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-dark-disabled_32.svg	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-ma\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ppd.xrm-ms	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\MSIPCEvents.man	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\nl-nl\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\he-il\ui-strings.js	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\sv-se\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ppd.xrm-ms	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.sun.el_2.2.0.v201303151357.jar	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\de.pak.DATA	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pt-br\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\he-IL\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nl-nl\ui-strings.js	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_en_135x40.svg	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\en-gb\ui-strings.js	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL107.XML	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\gimap.jar	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pl-pl\ui-strings.js	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File created	C:\Program Files (x86)\Reference Assemblies\readme.txt	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieXLEditTextModel.bin	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\notepad.exe	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
File opened for modification	C:\Windows\notepad.exe	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d3273793ae45d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000af3d8f239da1ee4781564250a1f116a900000000020000000000106600000001000020000000ed2a3047288eb65b8ed9668eaea93138fd29489fe58524d137117c4923b8cc33000000000e8000000002000020000000cd8be3ff50aa064cf55e93eeb9ad417781cfc585139e26f6559b39fe61edc51c500100002f4fe83d939ef36d31cb512647ddb0ef0498e02e92ab1bf73cc79629e6b24b7649514a721f4a8b69b1f402516cd0041500ad9f1df60d86f7574c4e3db3f76e17226acf30f1e53e5fe2ffefdbb737cc7c41f6fc0faeb5bfc487fd3b62c669d99b7b96a6e7b3f4028fd8d19eac2168381f22fd54359e352b07baf5ab9f571b9209e4d8fc9aa99a1ee114abdc5fd4d158074b46744f8bbe2aac037ff7ec189ee32109dab6845490a024c86340c67f4f66efe78ae86024703c2b5f86c059113c190bd170de28076deee46068c6d2231725ee3e77daba479be28f2a6c5570f7223e28c6c5259dfdc68b83209b996aa23206a78f7bbfea610004306ebe989bc88754d3a1b8d7fe549db8549986ced7c5c128754a5348ac8cae78c8d17e953f5a7b64166115872194bb1167615d21732ff1d431f9511d3ec4b10071dd8d1ab962b1ca563d34aa4107d5648d1032f5ad00e2493a400000003ef28136eee418bd46b94bea6e125e74cd526fcc7cb4ac81671978f1b44b40c9f1a49244d372b92650658c9069a00f6eadfca91a98f3567664ab23365de2b9d7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000af3d8f239da1ee4781564250a1f116a900000000020000000000106600000001000020000000f7c07264ffa446cb0e51046b0ef9081b0bfd56fd26092adbb50f2d61538ed777000000000e8000000002000020000000b90fe628ff9c5bcbb31d15f4ebbf876aff7b9e1130d30d1bf2590bcd78b3d74120000000950283808f932e47dea6e3f644bf9f6365adbab5ee528daf63bc401748bca08e4000000065de6feb57b1272ee4770794676e7fc25a5d4012d7a646fd2613aa1da2e4006986728bb275c3729d29535c494a84c54a478e0cbb7211c87d06d96ab57a64188e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31037140"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a04d36b8d496d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000af3d8f239da1ee4781564250a1f116a900000000020000000000106600000001000020000000f4124f3025165791ff0b24682cebce8220ae09776d6b5f91e62e9a4c0b45b14d000000000e8000000002000020000000e71fb9f99d23976c31599ddc2e7ae5346558fdd93f50ff810b08a8c7a7a6c13c900100009b3ec4c39b1a7af1b7c5ae55a4316e17ff7b34d26b1ac048d343759e97628ca903fdd540b983ab77b5ccec42c19c66785aecfcd6620f73ea35a13bd08514abf6685197cc963fa857619b267e9a49aec4c0173cbba4fc02e479ad789c1ce7be00c121e163a90cf62bc0b73da4cc24b0860d6dbde7cdd4275dc20805f644f016f08f77afd627292ff9ce75934b30ad8d061b2de38833c29a34295728efd0f38737881412ba3380095cdb205c335bfc3d5f099fac374d01f3221d349a9a329a4694e036249778818160b83446035538d9e5feb3764a56e7ab9d3495fe7a5cc2f004964c2b9ba1e88cbb96e7c951f0e1ab07374717815ae107e0ee927e929ea66bcb96a3774df825958f5aa03fd87105b88eb6adf0ed4d1889fa93e4f62d80457475c947887c4b6dbdc1a2bcd98ce816c631d96c4975bf5bc13d1a5dd4ef45b43581b474885564606a50711314e6ae9bc5e3602a60e932bdf2a07b64313984d0dc3f6101fca7630a2d9552d7ad89ea7c0364a30afa1e5c2d800b1bdc705f318538d07358c6fb359d9c20e620aafacaff0a7a400000006ed55910bc491d26cd1424ab5417a1296481bb500269c598546b33968e7db1d706f1887e0c8ca5f5465c85392daa7d533a66aeebf042cff93b771211b808c137	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d00ffbecd496d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000af3d8f239da1ee4781564250a1f116a9000000000200000000001066000000010000200000007ddc29e4478034e1010c862aa614976467b8092a682eb367ca2e8827ad87e502000000000e80000000020000200000008140b009e1491f929bf3e9c8785be99a6393b2bbd973e0dea9973bc70a53357e500100006575abff7f9d855b9cb81e0ef83ac2a4d31844489636a0acb416a773cc3fa7ac1b5476262e2a23c43b5d6c88903639946b2d1813eb8e52a103d6a73625c1c9095eef10da755a121163b22a598cbda0d529000a910374bbf837cad28b5b4019ecb044894d41948ce88760574335e68a0395f1f7297b17a58b48f23b66bcab5811d6c55effedb0a80bbac54c72fb64e991a8268d7b009273c2221af7987d5f34df3d5d676c4856b589debfc6d3e06c4c4f23fb8227b90363a675b56302915e1066d19b32e87c939684f7590a0cf9a712c874ca88e61c6fe6e26a8675f28c52a2c7098dd567832c1ec25a5dcb78c0891d6bbea11db643c619391f934e53858de3c423ec4c19a287f4ad5ab80a7ded3ea4ff82ab8744956e262d5601c7afa57525340aa61de6349c5fb2fc73d7618a7fb365b1293cc915f3267ba2555f58fcc2425084f1f2a64e644f7fcff294ed81bd88e34000000037c87a789040418d1b9e24442919d4103ddf34d6bb7ac3efeb1556495104d815362ebf3e5a2510b81b7b1f6d0e9c358be93818c07c4520764a2ea4d48490d585	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EAD51627-02C7-11EE-9F77-6A765FEA1DF2}.dat = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "392641791"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F19A2FEF-02C7-11EE-9F77-6A765FEA1DF2}.dat = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3215569817"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3215569817"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31037140"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31037140"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3347288972"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000af3d8f239da1ee4781564250a1f116a900000000020000000000106600000001000020000000d03172e9f08fa569a8f33102d83dec62d8eefb270772a10ef20582e98655abb4000000000e80000000020000200000001b1698ac6a70998d22fe80530b8e6308b6709e34bad9b1af528f01fdf95aea8920000000c0a38264dce781a621a352aabc51f6f0583c08ff3e1513c152f382c61575d2ba400000000cb9e2ecaf9d213b3cdecdc11a6cabfb1708ce7de401e4c3f428917a02bdc61d14ef661bc7b805ca7de8d390a2c8a697e4c6c8020c89bb81025c315e8b5531d1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000af3d8f239da1ee4781564250a1f116a900000000020000000000106600000001000020000000e08d1d3efda53ae6479e8e344164efa8abbdf7b073bb2b3794ecfdfa82331103000000000e8000000002000020000000f88aadedc06c9d0a3875c431800c786f743e28342a423c7c63d3be2d86449e1690010000890c2a1dc90c537b64332f97a37bad4d62b5e20e387ff37c8579396249b18d153f7e872734e1dedc516fa353d092f5ec2e9f8a2e5ec55669fd386953a6a71f45474f9a7b6ad867c6027e6b6531c5aa99430532af002629a876fbc276c9d8c8dd5ce527419eabe0a06c77e16691b5c88d6c10b356c7cacbd01c07cd10889be456bedf13e01615edb740f7d38e47102b90b1a3a0e2efad57aeaa2a24ea4eb53e0ba7f6b04d677ed5d69828120067b1df185d15969559857e5435156598b36a25ba2bd0d3e1e021680dadbc7eaedbd7b8d2042f1d7d3140adfd935f52ec150d5f17bfca3a4f262f4e8bddb28db50ac7cc8a4919c2de801fc505d611f54f9816129ab8aadf354e5cd5946849cdb61f7d1988e9736b6ca7834aaa0ca5adcf5cc289bb10de3686d489cb55183b43dd603d5a86ec1a487693169908d779f0d7d73bd67ee10c988abf6458d5efee523844ff97eff3041e2dc45826f83fe32bc14b99485fe73f427314b79bad488688ef38cb31c34b0eb4c7553e0a85ca19b9eeffb02745830b2ee4d100514663ed072fec4582a4400000008709f9125f6143a41d6d6b2dc3cfbb37393ad2e3815a6b2e61bd82fa7cf109b53fa188cf93558f4febfd5132fa49565ab34c459c896b758ff0eb9d77e7feb83e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000af3d8f239da1ee4781564250a1f116a900000000020000000000106600000001000020000000e84908de8eb7897d17de152582ba4f21969e6b3e838c3fb4d497dbd1d145e226000000000e8000000002000020000000a928240ac8a74af5ead22761ad2c99dc6ee3d10306744290615a92e600201925200000005022b1df6e371cd2c6c6e3ab9bc9e3b42ede7cf32a9b0bcb8a4d0205da0fad65400000007f2d3e167db920822c20141c105ff7ff200ef534cc1db17f94ad1f6b5132b78dad615820d291f5c5d7ab71840352a7cde3707d00a63aa0d2ec187ee259f2f9fa	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B8153E12-02C8-11EE-9F77-6A765FEA1DF2}.dat = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40deb8bed496d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3221195128"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{EAD51625-02C7-11EE-9F77-6A765FEA1DF2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\International	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50ceffccd496d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000af3d8f239da1ee4781564250a1f116a9000000000200000000001066000000010000200000004245a243979c99549ef1d7da64bcbe68e87f2990a58434c76713ace6705f4ee5000000000e8000000002000020000000e5a5e9ceafb651529d0f0bf47416a1eb38e5371d0ba0ce964a86a78c698f22f620000000ca2045d000eeee35a06057f2c3b11e6bb0fa075f83faab2ebed5936a30dad56c400000004216c9d64fff0a594aeed4111e67aee5e98855b757348f67e1b9254bc42933644a937e817b0e8fbc9a3230f7f0d476152d3656a843ca1c0a33a369b38b94c578	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31037140"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a06e1bc6d496d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.eaa442	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\2efcf	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\2efcf\shell\open	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\2efcf\shell\open\command	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\2efcf\shell	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\2efcf\shell\open\command\ = "\"C:\\Windows\\system32\\mshta.exe\" \"javascript:f6BEJGSd=\"2Wiq\";h83V=new ActiveXObject(\"WScript.Shell\");fgf8s=\"MKLisnG\";Zl7DW=h83V.RegRead(\"HKCU\\\\software\\\\xavtn\\\\luji\");F1BYwZ=\"BruIVv\";eval(Zl7DW);O3IS0vr=\"q7h\";\""	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\.eaa442\ = "2efcf"	regsvr32.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
3132	NOTEPAD.EXE
3196	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1220	iexplore.exe
1220	iexplore.exe
3628	powershell.exe
3628	powershell.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
796	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
796	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1220	iexplore.exe
2272	IEXPLORE.EXE
1456	taskmgr.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4992	f5be23df0cfd529674c9939bf11e4d0f61693f898cf989e7b7acf62202c0874e.exe
4728	regsvr32.exe
2300	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2560	7zG.exe
Token: 35	2560	7zG.exe
Token: SeSecurityPrivilege	2560	7zG.exe
Token: SeSecurityPrivilege	2560	7zG.exe
Token: SeRestorePrivilege	640	7zG.exe
Token: 35	640	7zG.exe
Token: SeSecurityPrivilege	640	7zG.exe
Token: SeSecurityPrivilege	640	7zG.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	908	taskmgr.exe
Token: SeSystemProfilePrivilege	908	taskmgr.exe
Token: SeCreateGlobalPrivilege	908	taskmgr.exe
Token: 33	908	taskmgr.exe
Token: SeIncBasePriorityPrivilege	908	taskmgr.exe
Token: SeRestorePrivilege	524	7zG.exe
Token: 35	524	7zG.exe
Token: SeSecurityPrivilege	524	7zG.exe
Token: SeSecurityPrivilege	524	7zG.exe
Token: SeBackupPrivilege	3236	vssvc.exe
Token: SeRestorePrivilege	3236	vssvc.exe
Token: SeAuditPrivilege	3236	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2600	WMIC.exe
Token: SeSecurityPrivilege	2600	WMIC.exe
Token: SeTakeOwnershipPrivilege	2600	WMIC.exe
Token: SeLoadDriverPrivilege	2600	WMIC.exe
Token: SeSystemProfilePrivilege	2600	WMIC.exe
Token: SeSystemtimePrivilege	2600	WMIC.exe
Token: SeProfSingleProcessPrivilege	2600	WMIC.exe
Token: SeIncBasePriorityPrivilege	2600	WMIC.exe
Token: SeCreatePagefilePrivilege	2600	WMIC.exe
Token: SeBackupPrivilege	2600	WMIC.exe
Token: SeRestorePrivilege	2600	WMIC.exe
Token: SeShutdownPrivilege	2600	WMIC.exe
Token: SeDebugPrivilege	2600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2600	WMIC.exe
Token: SeRemoteShutdownPrivilege	2600	WMIC.exe
Token: SeUndockPrivilege	2600	WMIC.exe
Token: SeManageVolumePrivilege	2600	WMIC.exe
Token: 33	2600	WMIC.exe
Token: 34	2600	WMIC.exe
Token: 35	2600	WMIC.exe
Token: 36	2600	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2600	WMIC.exe
Token: SeSecurityPrivilege	2600	WMIC.exe
Token: SeTakeOwnershipPrivilege	2600	WMIC.exe
Token: SeLoadDriverPrivilege	2600	WMIC.exe
Token: SeSystemProfilePrivilege	2600	WMIC.exe
Token: SeSystemtimePrivilege	2600	WMIC.exe
Token: SeProfSingleProcessPrivilege	2600	WMIC.exe
Token: SeIncBasePriorityPrivilege	2600	WMIC.exe
Token: SeCreatePagefilePrivilege	2600	WMIC.exe
Token: SeBackupPrivilege	2600	WMIC.exe
Token: SeRestorePrivilege	2600	WMIC.exe
Token: SeShutdownPrivilege	2600	WMIC.exe
Token: SeDebugPrivilege	2600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2600	WMIC.exe
Token: SeRemoteShutdownPrivilege	2600	WMIC.exe
Token: SeUndockPrivilege	2600	WMIC.exe
Token: SeManageVolumePrivilege	2600	WMIC.exe
Token: 33	2600	WMIC.exe
Token: 34	2600	WMIC.exe
Token: 35	2600	WMIC.exe
Token: 36	2600	WMIC.exe
Token: SeDebugPrivilege	1456	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1220	iexplore.exe
1220	iexplore.exe
2560	7zG.exe
1220	iexplore.exe
640	7zG.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1220	iexplore.exe
1220	iexplore.exe
4592	IEXPLORE.EXE
4592	IEXPLORE.EXE
4592	IEXPLORE.EXE
4592	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 4592	1220	iexplore.exe	84
PID 1220 wrote to memory of 4592	1220	iexplore.exe	84
PID 1220 wrote to memory of 4592	1220	iexplore.exe	84
PID 1220 wrote to memory of 2272	1220	iexplore.exe	90
PID 1220 wrote to memory of 2272	1220	iexplore.exe	90
PID 1220 wrote to memory of 2272	1220	iexplore.exe	90
PID 4748 wrote to memory of 3628	4748	mshta.exe	102
PID 4748 wrote to memory of 3628	4748	mshta.exe	102
PID 4748 wrote to memory of 3628	4748	mshta.exe	102
PID 796 wrote to memory of 4608	796	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe	109
PID 796 wrote to memory of 4608	796	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe	109
PID 4608 wrote to memory of 2600	4608	cmd.exe	111
PID 4608 wrote to memory of 2600	4608	cmd.exe	111
PID 4992 wrote to memory of 4728	4992	f5be23df0cfd529674c9939bf11e4d0f61693f898cf989e7b7acf62202c0874e.exe	113
PID 4992 wrote to memory of 4728	4992	f5be23df0cfd529674c9939bf11e4d0f61693f898cf989e7b7acf62202c0874e.exe	113
PID 4992 wrote to memory of 4728	4992	f5be23df0cfd529674c9939bf11e4d0f61693f898cf989e7b7acf62202c0874e.exe	113
PID 4992 wrote to memory of 4728	4992	f5be23df0cfd529674c9939bf11e4d0f61693f898cf989e7b7acf62202c0874e.exe	113
PID 4728 wrote to memory of 2300	4728	regsvr32.exe	114
PID 4728 wrote to memory of 2300	4728	regsvr32.exe	114
PID 4728 wrote to memory of 2300	4728	regsvr32.exe	114
PID 4728 wrote to memory of 2300	4728	regsvr32.exe	114
PID 2300 wrote to memory of 3680	2300	regsvr32.exe	115
PID 2300 wrote to memory of 3680	2300	regsvr32.exe	115
PID 2300 wrote to memory of 3680	2300	regsvr32.exe	115
PID 2300 wrote to memory of 3680	2300	regsvr32.exe	115
PID 1220 wrote to memory of 1488	1220	iexplore.exe	116
PID 1220 wrote to memory of 1488	1220	iexplore.exe	116
PID 1220 wrote to memory of 1488	1220	iexplore.exe	116
PID 280 wrote to memory of 2328	280	firefox.exe	120
PID 280 wrote to memory of 2328	280	firefox.exe	120
PID 280 wrote to memory of 2328	280	firefox.exe	120
PID 280 wrote to memory of 2328	280	firefox.exe	120
PID 280 wrote to memory of 2328	280	firefox.exe	120
PID 280 wrote to memory of 2328	280	firefox.exe	120
PID 280 wrote to memory of 2328	280	firefox.exe	120
PID 280 wrote to memory of 2328	280	firefox.exe	120
PID 280 wrote to memory of 2328	280	firefox.exe	120
PID 280 wrote to memory of 2328	280	firefox.exe	120
PID 280 wrote to memory of 2328	280	firefox.exe	120
PID 2080 wrote to memory of 5108	2080	firefox.exe	125
PID 2080 wrote to memory of 5108	2080	firefox.exe	125
PID 2080 wrote to memory of 5108	2080	firefox.exe	125
PID 2080 wrote to memory of 5108	2080	firefox.exe	125
PID 2080 wrote to memory of 5108	2080	firefox.exe	125
PID 2080 wrote to memory of 5108	2080	firefox.exe	125
PID 2080 wrote to memory of 5108	2080	firefox.exe	125
PID 2080 wrote to memory of 5108	2080	firefox.exe	125
PID 2080 wrote to memory of 5108	2080	firefox.exe	125
PID 2080 wrote to memory of 5108	2080	firefox.exe	125
PID 2080 wrote to memory of 5108	2080	firefox.exe	125
PID 3816 wrote to memory of 1964	3816	ONENOTE.EXE	132
PID 3816 wrote to memory of 1964	3816	ONENOTE.EXE	132
PID 4188 wrote to memory of 4384	4188	firefox.exe	134
PID 4188 wrote to memory of 4384	4188	firefox.exe	134
PID 4188 wrote to memory of 4384	4188	firefox.exe	134
PID 4188 wrote to memory of 4384	4188	firefox.exe	134
PID 4188 wrote to memory of 4384	4188	firefox.exe	134
PID 4188 wrote to memory of 4384	4188	firefox.exe	134
PID 4188 wrote to memory of 4384	4188	firefox.exe	134
PID 4188 wrote to memory of 4384	4188	firefox.exe	134
PID 4188 wrote to memory of 4384	4188	firefox.exe	134
PID 4188 wrote to memory of 4384	4188	firefox.exe	134
PID 4188 wrote to memory of 4384	4188	firefox.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://malwaredatabase.byethost13.com/?i=1
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1220 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4592
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1220 CREDAT:17414 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2272
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1220 CREDAT:17470 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:1488

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3520

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap7683:190:7zEvent25187
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2560

C:\Users\Admin\Downloads\af057b134b3927bf81bbaacf500577cfdacf96a944a8e6cc9355d346ebe54ebe.exe
"C:\Users\Admin\Downloads\af057b134b3927bf81bbaacf500577cfdacf96a944a8e6cc9355d346ebe54ebe.exe"
1⤵
- Executes dropped EXE
PID:3928

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap8246:190:7zEvent12206
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:640

C:\Users\Admin\Downloads\f5be23df0cfd529674c9939bf11e4d0f61693f898cf989e7b7acf62202c0874e.exe
"C:\Users\Admin\Downloads\f5be23df0cfd529674c9939bf11e4d0f61693f898cf989e7b7acf62202c0874e.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe
    3⤵
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VirtualBox drivers on disk
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\SysWOW64\regsvr32.exe"
      4⤵
      PID:3680

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" javascript:ocWWFj4="Zz";nA6=new%20ActiveXObject("WScript.Shell");b3Rxc3hoj="md29";G4UB0x=nA6.RegRead("HKCU\\software\\nU7173yOY\\FuMmsV8x");q7ZkjE="W";eval(G4UB0x);H4cTFZ7="YPug8f";
1⤵
- Process spawned unexpected child process
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:ltdozy
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3628

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:908

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce\" -ad -an -ai#7zMap8236:190:7zEvent2121
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Users\Admin\Downloads\26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce\26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
"C:\Users\Admin\Downloads\26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce\26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:796
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D06468C0-784B-44D3-AEE1-8B78F6221555}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D06468C0-784B-44D3-AEE1-8B78F6221555}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2600

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:4120

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:280
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:2328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:4732

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3132

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:5108

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"
1⤵
- Suspicious use of WriteProcessMemory
PID:3816
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
  OfficeC2RClient.exe /error PID=3816 ProcessName="Microsoft OneNote" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=1
  2⤵
  - Process spawned unexpected child process
  PID:1964

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:4384

C:\Users\Admin\Downloads\af057b134b3927bf81bbaacf500577cfdacf96a944a8e6cc9355d346ebe54ebe.exe
"C:\Users\Admin\Downloads\af057b134b3927bf81bbaacf500577cfdacf96a944a8e6cc9355d346ebe54ebe.exe"
1⤵
- Executes dropped EXE
PID:1956

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce\readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3196

C:\Users\Admin\Downloads\26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce\26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe
"C:\Users\Admin\Downloads\26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce\26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

File and Directory Discovery

T1083

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

System Information Discovery

Virtualization/Sandbox Evasion