description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Malware Removal Tool.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	.scr
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

pid	Process
1232	rar.exe
6088	.scr
1488	.scr
2468	.scr
3760	.scr
1968	.scr
960	.scr
1716	.scr
5236	.scr
5412	.scr
4784	.scr
5184	.scr
5996	cmd.exe
4356	Process not Found
3164	WMIC.exe
864	cmd.exe
2612	.scr
5604	.scr
5216	.scr
6112	.scr
2672	.scr
4584	.scr
3760	.scr
2484	.scr
3620	.scr
1380	rar.exe
5544	.scr
3080	.scr

pid	Process
1116	Malware Removal Tool.exe
1116	Malware Removal Tool.exe
1116	Malware Removal Tool.exe
1116	Malware Removal Tool.exe
1116	Malware Removal Tool.exe
1116	Malware Removal Tool.exe
1116	Malware Removal Tool.exe
1116	Malware Removal Tool.exe
1116	Malware Removal Tool.exe
1116	Malware Removal Tool.exe
1116	Malware Removal Tool.exe
1116	Malware Removal Tool.exe
1116	Malware Removal Tool.exe
1116	Malware Removal Tool.exe
1116	Malware Removal Tool.exe
1116	Malware Removal Tool.exe
1116	Malware Removal Tool.exe
1488	.scr
1488	.scr
1488	.scr
1488	.scr
3760	.scr
3760	.scr
1488	.scr
1488	.scr
1488	.scr
3760	.scr
3760	.scr
1488	.scr
1488	.scr
1488	.scr
1488	.scr
1488	.scr
1488	.scr
1488	.scr
1488	.scr
960	.scr
1488	.scr
1488	.scr
960	.scr
3760	.scr
960	.scr
3760	.scr
960	.scr
3760	.scr
3760	.scr
3760	.scr
3760	.scr
3760	.scr
3760	.scr
3760	.scr
5236	.scr
5236	.scr
3760	.scr
5236	.scr
3760	.scr
5236	.scr
4784	.scr
4784	.scr
960	.scr
5996	cmd.exe
5996	cmd.exe
960	.scr
960	.scr

resource	yara_rule
behavioral1/files/0x0006000000022e0f-21.dat	upx
behavioral1/files/0x0006000000022e0f-22.dat	upx
behavioral1/memory/1116-25-0x00007FFA7E700000-0x00007FFA7ECE9000-memory.dmp	upx
behavioral1/files/0x0006000000022e02-27.dat	upx
behavioral1/memory/1116-30-0x00007FFA8EE10000-0x00007FFA8EE33000-memory.dmp	upx
behavioral1/files/0x0006000000022e02-28.dat	upx
behavioral1/files/0x0006000000022e0d-29.dat	upx
behavioral1/files/0x0006000000022e0c-33.dat	upx
behavioral1/memory/1116-48-0x00007FFA97170000-0x00007FFA9717F000-memory.dmp	upx
behavioral1/files/0x0006000000022e09-47.dat	upx
behavioral1/files/0x0006000000022e08-46.dat	upx
behavioral1/files/0x0006000000022e07-45.dat	upx
behavioral1/files/0x0006000000022e06-44.dat	upx
behavioral1/files/0x0006000000022e05-43.dat	upx
behavioral1/files/0x0006000000022e04-42.dat	upx
behavioral1/files/0x0006000000022e03-41.dat	upx
behavioral1/files/0x0006000000022e01-40.dat	upx
behavioral1/files/0x0006000000022e14-39.dat	upx
behavioral1/files/0x0006000000022e13-38.dat	upx
behavioral1/files/0x0006000000022e12-37.dat	upx
behavioral1/files/0x0006000000022e0e-34.dat	upx
behavioral1/files/0x0006000000022e0d-31.dat	upx
behavioral1/files/0x0006000000022e05-53.dat	upx
behavioral1/memory/1116-54-0x00007FFA8E0E0000-0x00007FFA8E10D000-memory.dmp	upx
behavioral1/memory/1116-56-0x00007FFA8E000000-0x00007FFA8E019000-memory.dmp	upx
behavioral1/files/0x0006000000022e08-57.dat	upx
behavioral1/memory/1116-58-0x00007FFA8DFD0000-0x00007FFA8DFF3000-memory.dmp	upx
behavioral1/files/0x0006000000022e01-55.dat	upx
behavioral1/files/0x0006000000022e13-59.dat	upx
behavioral1/memory/1116-60-0x00007FFA7DEC0000-0x00007FFA7E037000-memory.dmp	upx
behavioral1/files/0x0006000000022e07-61.dat	upx
behavioral1/files/0x0006000000022e12-63.dat	upx
behavioral1/memory/1116-64-0x00007FFA8EE00000-0x00007FFA8EE0D000-memory.dmp	upx
behavioral1/files/0x0006000000022e09-65.dat	upx
behavioral1/memory/1116-62-0x00007FFA8DFB0000-0x00007FFA8DFC9000-memory.dmp	upx
behavioral1/files/0x0006000000022e0e-66.dat	upx
behavioral1/memory/1116-68-0x00007FFA8D630000-0x00007FFA8D663000-memory.dmp	upx
behavioral1/memory/1116-69-0x00007FFA7D790000-0x00007FFA7D85D000-memory.dmp	upx
behavioral1/memory/1116-67-0x00007FFA7E700000-0x00007FFA7ECE9000-memory.dmp	upx
behavioral1/files/0x0006000000022e0c-72.dat	upx
behavioral1/memory/1116-73-0x00007FFA7D270000-0x00007FFA7D790000-memory.dmp	upx
behavioral1/memory/1116-71-0x00007FFA8EE10000-0x00007FFA8EE33000-memory.dmp	upx
behavioral1/files/0x0006000000022e0c-70.dat	upx
behavioral1/files/0x0006000000022e04-75.dat	upx
behavioral1/memory/1116-76-0x00007FFA92810000-0x00007FFA92824000-memory.dmp	upx
behavioral1/files/0x0006000000022e06-77.dat	upx
behavioral1/memory/1116-78-0x00007FFA8DFD0000-0x00007FFA8DFF3000-memory.dmp	upx
behavioral1/memory/1116-79-0x00007FFA92800000-0x00007FFA9280D000-memory.dmp	upx
behavioral1/memory/1116-83-0x00007FFA7DEC0000-0x00007FFA7E037000-memory.dmp	upx
behavioral1/files/0x0006000000022e14-82.dat	upx
behavioral1/memory/1116-84-0x00007FFA8DFB0000-0x00007FFA8DFC9000-memory.dmp	upx
behavioral1/memory/1116-85-0x00007FFA7CB90000-0x00007FFA7CCAC000-memory.dmp	upx
behavioral1/memory/1116-158-0x00007FFA8D630000-0x00007FFA8D663000-memory.dmp	upx
behavioral1/memory/1116-159-0x00007FFA7D790000-0x00007FFA7D85D000-memory.dmp	upx
behavioral1/memory/1116-172-0x00007FFA7E700000-0x00007FFA7ECE9000-memory.dmp	upx
behavioral1/memory/1116-173-0x00007FFA8EE10000-0x00007FFA8EE33000-memory.dmp	upx
behavioral1/memory/1116-192-0x00007FFA7D270000-0x00007FFA7D790000-memory.dmp	upx
behavioral1/memory/1116-295-0x00007FFA7E700000-0x00007FFA7ECE9000-memory.dmp	upx
behavioral1/memory/1116-296-0x00007FFA8EE10000-0x00007FFA8EE33000-memory.dmp	upx
behavioral1/memory/1116-301-0x00007FFA7DEC0000-0x00007FFA7E037000-memory.dmp	upx
behavioral1/memory/1116-367-0x00007FFA7E700000-0x00007FFA7ECE9000-memory.dmp	upx
behavioral1/memory/1116-382-0x00007FFA7E700000-0x00007FFA7ECE9000-memory.dmp	upx
behavioral1/memory/1116-383-0x00007FFA8EE10000-0x00007FFA8EE33000-memory.dmp	upx
behavioral1/memory/1116-384-0x00007FFA97170000-0x00007FFA9717F000-memory.dmp	upx

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

pid	Process
748	tasklist.exe
5368	tasklist.exe
1636	tasklist.exe
5724	tasklist.exe
6052	tasklist.exe
5644	tasklist.exe
5628	tasklist.exe
5056	tasklist.exe
4996	tasklist.exe
3592	tasklist.exe
1980	tasklist.exe
6096	tasklist.exe

pid	Process
3000	powershell.exe
3000	powershell.exe
2880	powershell.exe
2880	powershell.exe
4224	powershell.exe
4224	powershell.exe
1408	powershell.exe
1408	powershell.exe
3000	powershell.exe
3000	powershell.exe
4224	powershell.exe
2880	powershell.exe
2880	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
1408	powershell.exe
5496	powershell.exe
5496	powershell.exe
5496	powershell.exe
4376	powershell.exe
4376	powershell.exe
4376	powershell.exe
5444	powershell.exe
5444	powershell.exe
5444	powershell.exe
4272	powershell.exe
4272	powershell.exe
4272	powershell.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
5580	taskmgr.exe
2976	powershell.exe
2976	powershell.exe

description	pid	Process
Token: SeDebugPrivilege	748	tasklist.exe
Token: SeDebugPrivilege	5056	tasklist.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	4224	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	4996	tasklist.exe
Token: SeIncreaseQuotaPrivilege	548	WMIC.exe
Token: SeSecurityPrivilege	548	WMIC.exe
Token: SeTakeOwnershipPrivilege	548	WMIC.exe
Token: SeLoadDriverPrivilege	548	WMIC.exe
Token: SeSystemProfilePrivilege	548	WMIC.exe
Token: SeSystemtimePrivilege	548	WMIC.exe
Token: SeProfSingleProcessPrivilege	548	WMIC.exe
Token: SeIncBasePriorityPrivilege	548	WMIC.exe
Token: SeCreatePagefilePrivilege	548	WMIC.exe
Token: SeBackupPrivilege	548	WMIC.exe
Token: SeRestorePrivilege	548	WMIC.exe
Token: SeShutdownPrivilege	548	WMIC.exe
Token: SeDebugPrivilege	548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	548	WMIC.exe
Token: SeRemoteShutdownPrivilege	548	WMIC.exe
Token: SeUndockPrivilege	548	WMIC.exe
Token: SeManageVolumePrivilege	548	WMIC.exe
Token: 33	548	WMIC.exe
Token: 34	548	WMIC.exe
Token: 35	548	WMIC.exe
Token: 36	548	WMIC.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeIncreaseQuotaPrivilege	548	WMIC.exe
Token: SeSecurityPrivilege	548	WMIC.exe
Token: SeTakeOwnershipPrivilege	548	WMIC.exe
Token: SeLoadDriverPrivilege	548	WMIC.exe
Token: SeSystemProfilePrivilege	548	WMIC.exe
Token: SeSystemtimePrivilege	548	WMIC.exe
Token: SeProfSingleProcessPrivilege	548	WMIC.exe
Token: SeIncBasePriorityPrivilege	548	WMIC.exe
Token: SeCreatePagefilePrivilege	548	WMIC.exe
Token: SeBackupPrivilege	548	WMIC.exe
Token: SeRestorePrivilege	548	WMIC.exe
Token: SeShutdownPrivilege	548	WMIC.exe
Token: SeDebugPrivilege	548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	548	WMIC.exe
Token: SeRemoteShutdownPrivilege	548	WMIC.exe
Token: SeUndockPrivilege	548	WMIC.exe
Token: SeManageVolumePrivilege	548	WMIC.exe
Token: 33	548	WMIC.exe
Token: 34	548	WMIC.exe
Token: 35	548	WMIC.exe
Token: 36	548	WMIC.exe
Token: SeDebugPrivilege	3592	tasklist.exe
Token: SeDebugPrivilege	5496	powershell.exe
Token: SeDebugPrivilege	4376	powershell.exe
Token: SeIncreaseQuotaPrivilege	6060	WMIC.exe
Token: SeSecurityPrivilege	6060	WMIC.exe
Token: SeTakeOwnershipPrivilege	6060	WMIC.exe
Token: SeLoadDriverPrivilege	6060	WMIC.exe
Token: SeSystemProfilePrivilege	6060	WMIC.exe
Token: SeSystemtimePrivilege	6060	WMIC.exe
Token: SeProfSingleProcessPrivilege	6060	WMIC.exe
Token: SeIncBasePriorityPrivilege	6060	WMIC.exe
Token: SeCreatePagefilePrivilege	6060	WMIC.exe
Token: SeBackupPrivilege	6060	WMIC.exe
Token: SeRestorePrivilege	6060	WMIC.exe

description	pid	Process	procid_target
PID 3608 wrote to memory of 1116	3608	Malware Removal Tool.exe	88
PID 3608 wrote to memory of 1116	3608	Malware Removal Tool.exe	88
PID 1116 wrote to memory of 2996	1116	Malware Removal Tool.exe	93
PID 1116 wrote to memory of 2996	1116	Malware Removal Tool.exe	93
PID 1116 wrote to memory of 2060	1116	Malware Removal Tool.exe	92
PID 1116 wrote to memory of 2060	1116	Malware Removal Tool.exe	92
PID 1116 wrote to memory of 2192	1116	Malware Removal Tool.exe	91
PID 1116 wrote to memory of 2192	1116	Malware Removal Tool.exe	91
PID 1116 wrote to memory of 1728	1116	Malware Removal Tool.exe	90
PID 1116 wrote to memory of 1728	1116	Malware Removal Tool.exe	90
PID 1116 wrote to memory of 3232	1116	Malware Removal Tool.exe	94
PID 1116 wrote to memory of 3232	1116	Malware Removal Tool.exe	94
PID 1116 wrote to memory of 4304	1116	Malware Removal Tool.exe	101
PID 1116 wrote to memory of 4304	1116	Malware Removal Tool.exe	101
PID 1116 wrote to memory of 388	1116	Malware Removal Tool.exe	100
PID 1116 wrote to memory of 388	1116	Malware Removal Tool.exe	100
PID 2996 wrote to memory of 2880	2996	cmd.exe	104
PID 2996 wrote to memory of 2880	2996	cmd.exe	104
PID 388 wrote to memory of 748	388	cmd.exe	105
PID 388 wrote to memory of 748	388	cmd.exe	105
PID 1728 wrote to memory of 2364	1728	cmd.exe	106
PID 1728 wrote to memory of 2364	1728	cmd.exe	106
PID 2060 wrote to memory of 4224	2060	cmd.exe	108
PID 2060 wrote to memory of 4224	2060	cmd.exe	108
PID 3232 wrote to memory of 3000	3232	cmd.exe	107
PID 3232 wrote to memory of 3000	3232	cmd.exe	107
PID 4304 wrote to memory of 5056	4304	cmd.exe	109
PID 4304 wrote to memory of 5056	4304	cmd.exe	109
PID 1116 wrote to memory of 452	1116	Malware Removal Tool.exe	115
PID 1116 wrote to memory of 452	1116	Malware Removal Tool.exe	115
PID 2192 wrote to memory of 1708	2192	cmd.exe	110
PID 2192 wrote to memory of 1708	2192	cmd.exe	110
PID 1116 wrote to memory of 3432	1116	Malware Removal Tool.exe	112
PID 1116 wrote to memory of 3432	1116	Malware Removal Tool.exe	112
PID 1116 wrote to memory of 688	1116	Malware Removal Tool.exe	111
PID 1116 wrote to memory of 688	1116	Malware Removal Tool.exe	111
PID 1116 wrote to memory of 3448	1116	Malware Removal Tool.exe	117
PID 1116 wrote to memory of 3448	1116	Malware Removal Tool.exe	117
PID 1116 wrote to memory of 772	1116	Malware Removal Tool.exe	119
PID 1116 wrote to memory of 772	1116	Malware Removal Tool.exe	119
PID 1116 wrote to memory of 2272	1116	Malware Removal Tool.exe	121
PID 1116 wrote to memory of 2272	1116	Malware Removal Tool.exe	121
PID 1116 wrote to memory of 2208	1116	Malware Removal Tool.exe	125
PID 1116 wrote to memory of 2208	1116	Malware Removal Tool.exe	125
PID 1116 wrote to memory of 4948	1116	Malware Removal Tool.exe	172
PID 1116 wrote to memory of 4948	1116	Malware Removal Tool.exe	172
PID 3432 wrote to memory of 4996	3432	cmd.exe	131
PID 3432 wrote to memory of 4996	3432	cmd.exe	131
PID 452 wrote to memory of 548	452	cmd.exe	130
PID 452 wrote to memory of 548	452	cmd.exe	130
PID 688 wrote to memory of 1408	688	cmd.exe	128
PID 688 wrote to memory of 1408	688	cmd.exe	128
PID 3448 wrote to memory of 4528	3448	cmd.exe	129
PID 3448 wrote to memory of 4528	3448	cmd.exe	129
PID 2208 wrote to memory of 3344	2208	cmd.exe	132
PID 2208 wrote to memory of 3344	2208	cmd.exe	132
PID 772 wrote to memory of 464	772	cmd.exe	134
PID 772 wrote to memory of 464	772	cmd.exe	134
PID 2272 wrote to memory of 3576	2272	cmd.exe	133
PID 2272 wrote to memory of 3576	2272	cmd.exe	133
PID 4948 wrote to memory of 4708	4948	Conhost.exe	135
PID 4948 wrote to memory of 4708	4948	Conhost.exe	135
PID 1116 wrote to memory of 5132	1116	Malware Removal Tool.exe	136
PID 1116 wrote to memory of 5132	1116	Malware Removal Tool.exe	136

pid	Process
116	attrib.exe
2364	attrib.exe
5792	attrib.exe
6088	attrib.exe
2812	attrib.exe
5100	attrib.exe
4884	attrib.exe

flow	ioc
83	ip-api.com
47	ip-api.com

pid	Process
3576	systeminfo.exe
5356	systeminfo.exe
4824	systeminfo.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.