Analysis
-
max time kernel
175s -
max time network
187s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system -
submitted
19/12/2023, 21:16
Static task
static1
Behavioral task
behavioral1
Sample
3edbc9c7553dad54925210b7f9ece36c.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
3edbc9c7553dad54925210b7f9ece36c.exe
Resource
win10v2004-20231215-en
General
-
Target
3edbc9c7553dad54925210b7f9ece36c.exe
-
Size
301KB
-
MD5
3edbc9c7553dad54925210b7f9ece36c
-
SHA1
57014d3163d27b21075c37d993c14a56cf7208da
-
SHA256
596be482747a9c9fe559196b0a389de92eeeea2b305777c2d1800f9c014c22ce
-
SHA512
2944c936c953478fdc496b90428296080f49f91de136b36c88ef95b330ad8300d560291d7d14b98e168b8f589482e6f4cb0ad08102c2f16721d0d54f7c1773b1
-
SSDEEP
6144:jTisyjd2Gdq45dCnn0jiXXg/RHnpVeVs4:/VGYGs45dCnnFXkVeu
Malware Config
Extracted
Family  smokeloader
Botnet  pub1
Extracted
Family  smokeloader
Version  2020
C2  http://host-file-host6.com/
C2  http://host-host-file8.com/
Extracted
Family  djvu
C2  http://zexeq.com/test1/get.php
-
extension
.loqw
-
offline_id
NrqpaQRhQqq5l2tBPp1QS34I3ME2IKsAlZ0A9pt1
-
payload_url
http://brusuax.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-MhbiRFXgXD Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0838ASdw
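The extracted configuration and the ransom note are the parts of this report an analyst usually turns into blocking and hunting material first. The script below is an added example and not part of the sandbox report or of any Triage tooling: the constants are copied from the Malware Config section above, while the defanging, the note parser and the blocklist builder are ours. It treats the `[email protected]` placeholders left in this copy of the note as redacted (no real address is recoverable from the page), and the `is_offline_id` check is a heuristic based on the commonly reported convention that STOP/Djvu offline IDs end in `t1`, not something the report states.

```python
"""Defanged IoC set from the extracted SmokeLoader/Djvu config and the Djvu ransom note.

Added example; data constants are copied from the report, all logic is ours."""
import re
from urllib.parse import urlparse

# Copied from the "Malware Config" section.  "pub1" is the SmokeLoader botnet tag.
SMOKELOADER_C2 = ["http://host-file-host6.com/", "http://host-host-file8.com/"]
DJVU_CONFIG = {
    "c2": "http://zexeq.com/test1/get.php",
    "extension": ".loqw",
    "offline_id": "NrqpaQRhQqq5l2tBPp1QS34I3ME2IKsAlZ0A9pt1",
    "payload_url": ["http://brusuax.com/dl/build2.exe",
                    "http://zexeq.com/files/1/build3.exe"],
}
RANSOM_NOTE = (
    "ATTENTION! Don't worry, you can return all your files! All your files like "
    "pictures, databases, documents and other important are encrypted with strongest "
    "encryption and unique key. The only method of recovering files is to purchase "
    "decrypt tool and unique key for you. This software will decrypt all your encrypted "
    "files. What guarantees you have? You can send one of your encrypted file from your "
    "PC and we decrypt it for free. But we can decrypt only 1 file for free. File must "
    "not contain valuable information. You can get and look video overview decrypt tool: "
    "https://we.tl/t-MhbiRFXgXD Price of private key and decrypt software is $980. "
    "Discount 50% available if you contact us first 72 hours, that's price for you is "
    "$490. Please note that you'll never restore your data without payment. Check your "
    "e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours. To get "
    "this software you need write on our e-mail: [email protected] Reserve e-mail "
    "address to contact us: [email protected] Your personal ID: 0838ASdw"
)


def defang(url: str) -> str:
    """Rewrite to hxxp://host[.]tld/path so the IoC cannot be clicked or auto-linked."""
    m = re.match(r"^(https?)://([^/]+)(.*)$", url)
    if not m:
        return url.replace(".", "[.]")
    scheme, host, rest = m.groups()
    return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}{rest}"


def parse_note(note: str) -> dict:
    """Pull the operator-facing fields (victim ID, prices, contact points) out of a note."""
    victim = re.search(r"Your personal ID:\s*(\S+)", note)
    window = re.search(r"first (\d+) hours", note)
    return {
        "personal_id": victim.group(1) if victim else None,
        "prices_usd": [int(p) for p in re.findall(r"\$(\d+)", note)],
        "discount_window_hours": int(window.group(1)) if window else None,
        "urls": re.findall(r"https?://\S+", note),
        # A usable address needs a dotted domain; the "[email protected]" placeholders
        # in this copy of the note deliberately do not match.
        "emails": re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", note),
        "emails_redacted": "[email protected]" in note,
    }


def is_offline_id(victim_id: str) -> bool:
    """Heuristic, not from the report: STOP/Djvu IDs produced with the embedded
    offline key are commonly reported to end in 't1'."""
    return victim_id.endswith("t1")


def ioc_rows() -> list:
    """(type, raw value, defanged value, family) rows for a sharing sheet."""
    rows = [("url", u, defang(u), "smokeloader") for u in SMOKELOADER_C2]
    rows.append(("url", DJVU_CONFIG["c2"], defang(DJVU_CONFIG["c2"]), "djvu"))
    rows += [("url", u, defang(u), "djvu") for u in DJVU_CONFIG["payload_url"]]
    ext = DJVU_CONFIG["extension"]
    rows.append(("file_extension", ext, ext, "djvu"))
    return rows


def blocklist_hosts() -> set:
    """Distinct hostnames for a DNS/proxy block rule."""
    return {urlparse(v).hostname for kind, v, _, _ in ioc_rows() if kind == "url"}


if __name__ == "__main__":
    for row in ioc_rows():
        print("\t".join(row))
    print(sorted(blocklist_hosts()))
    print(parse_note(RANSOM_NOTE))
```

Run it as a script to print the rows, or import it and feed `blocklist_hosts()` into whatever produces your DNS sinkhole list; the raw URLs are kept next to the defanged form because detection content (proxy logs, YARA strings) needs the exact bytes, while anything pasted into a ticket or chat should be the defanged one.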
Signatures
-
Detect ZGRat V1 12 IoCs
resource  yara_rule
behavioral1/memory/1728-142-0x000000000BCC0000-0x000000000BF70000-memory.dmp  family_zgrat_v1
behavioral1/memory/1804-151-0x0000000003950000-0x0000000003E25000-memory.dmp  family_zgrat_v1
behavioral1/memory/1728-192-0x000000000BCC0000-0x000000000BF6A000-memory.dmp  family_zgrat_v1
behavioral1/memory/1728-193-0x000000000BCC0000-0x000000000BF6A000-memory.dmp  family_zgrat_v1
behavioral1/memory/1728-195-0x000000000BCC0000-0x000000000BF6A000-memory.dmp  family_zgrat_v1
behavioral1/memory/1728-197-0x000000000BCC0000-0x000000000BF6A000-memory.dmp  family_zgrat_v1
behavioral1/memory/1728-199-0x000000000BCC0000-0x000000000BF6A000-memory.dmp  family_zgrat_v1
behavioral1/memory/1728-203-0x000000000BCC0000-0x000000000BF6A000-memory.dmp  family_zgrat_v1
behavioral1/memory/1728-201-0x000000000BCC0000-0x000000000BF6A000-memory.dmp  family_zgrat_v1
behavioral1/memory/1728-205-0x000000000BCC0000-0x000000000BF6A000-memory.dmp  family_zgrat_v1
behavioral1/memory/1728-209-0x000000000BCC0000-0x000000000BF6A000-memory.dmp  family_zgrat_v1
behavioral1/memory/1728-207-0x000000000BCC0000-0x000000000BF6A000-memory.dmp  family_zgrat_v1
-
Detected Djvu ransomware 9 IoCs
resource  yara_rule
behavioral1/memory/1372-56-0x0000000003D90000-0x0000000003EAB000-memory.dmp  family_djvu
behavioral1/memory/2176-58-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/2176-61-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/2176-62-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/2176-121-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/2176-169-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/1588-190-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/1588-191-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/1588-272-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description  pid  Process  procid_target
PID 2208 created 1216  2208  rh_0.5.2_protected.exe  8
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  rh_0.5.2_protected.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  4ag006bt.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  rh_0.5.2_protected.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  4ag006bt.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  4ag006bt.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  rh_0.5.2_protected.exe
-
Deletes itself 1 IoCs
pid  Process
1216  Explorer.EXE
-
Executes dropped EXE 14 IoCs
pid  Process
660  A361.exe
3028  A361.exe
1372  B711.exe
2176  B711.exe
1728  D380.exe
1804  F830.exe
1352  1929.exe
2208  rh_0.5.2_protected.exe
1960  B711.exe
1588  B711.exe
2680  rE8sk42.exe
300  wQ6ep19.exe
1676  1ps77jW9.exe
1576  4ag006bt.exe
-
Loads dropped DLL 19 IoCs
pid  Process  (rows)
660  A361.exe  (1)
1372  B711.exe  (1)
1804  F830.exe  (5)
2176  B711.exe  (2)
1960  B711.exe  (1)
1352  1929.exe  (2)
2680  rE8sk42.exe  (2)
300  wQ6ep19.exe  (3)
1676  1ps77jW9.exe  (1)
1576  4ag006bt.exe  (1)
-
Modifies file permissions 1 TTPs 1 IoCs
pid  Process
2284  icacls.exe
-
Themida packer 21 IoCs
resource  yara_rule
behavioral1/files/0x0007000000018b32-146.dat  themida
behavioral1/files/0x0007000000018b32-145.dat  themida
behavioral1/files/0x0007000000018b32-158.dat  themida
behavioral1/files/0x0007000000018b32-156.dat  themida
behavioral1/files/0x0007000000018b32-153.dat  themida
behavioral1/files/0x0007000000018b32-161.dat  themida
behavioral1/memory/2208-168-0x0000000000380000-0x0000000000855000-memory.dmp  themida
behavioral1/memory/2208-172-0x0000000000380000-0x0000000000855000-memory.dmp  themida
behavioral1/files/0x0007000000018b32-171.dat  themida
behavioral1/memory/2208-174-0x0000000000380000-0x0000000000855000-memory.dmp  themida
behavioral1/memory/2208-176-0x0000000000380000-0x0000000000855000-memory.dmp  themida
behavioral1/memory/2208-179-0x0000000000380000-0x0000000000855000-memory.dmp  themida
behavioral1/memory/2208-181-0x0000000000380000-0x0000000000855000-memory.dmp  themida
behavioral1/memory/2208-227-0x0000000000380000-0x0000000000855000-memory.dmp  themida
behavioral1/memory/2208-244-0x0000000000380000-0x0000000000855000-memory.dmp  themida
behavioral1/memory/2208-252-0x0000000000380000-0x0000000000855000-memory.dmp  themida
behavioral1/files/0x000500000001931b-278.dat  themida
behavioral1/files/0x000500000001931b-284.dat  themida
behavioral1/files/0x000500000001931b-282.dat  themida
behavioral1/files/0x000500000001931b-283.dat  themida
behavioral1/memory/1576-291-0x0000000000260000-0x000000000093A000-memory.dmp  themida
-
Adds Run key to start application 2 TTPs 4 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  1929.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  rE8sk42.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  wQ6ep19.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\dc6c0350-93c1-4767-9d8c-ffad608b7b28\\B711.exe\" --AutoStart"  B711.exe
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rh_0.5.2_protected.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  4ag006bt.exe
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
66  api.2ip.ua
34  api.2ip.ua
35  api.2ip.ua
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource  yara_rule
behavioral1/files/0x0008000000018f89-266.dat  autoit_exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid  Process
2208  rh_0.5.2_protected.exe
1576  4ag006bt.exe
-
Suspicious use of SetThreadContext 4 IoCs
description  pid  Process  procid_target
PID 2764 set thread context of 2676  2764  3edbc9c7553dad54925210b7f9ece36c.exe  29
PID 660 set thread context of 3028  660  A361.exe  34
PID 1372 set thread context of 2176  1372  B711.exe  36
PID 1960 set thread context of 1588  1960  B711.exe  45
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description  ioc  Process
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3edbc9c7553dad54925210b7f9ece36c.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  A361.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  A361.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  A361.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3edbc9c7553dad54925210b7f9ece36c.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3edbc9c7553dad54925210b7f9ece36c.exe
-
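The VirtualBox ACPI, BIOS-string, EnableLUA and SCSI-enumeration signatures above are all registry reads, and the same handful of key paths come back in sample after sample. The script below is an added example, not part of the report or of the sandbox's own signature engine: the event strings are copied from the signature tables above (the last one is a constructed negative control taken from the Internet Explorer entries), while the parser, the rule table and the scoring are ours. The `FADT`/`RSDT` alternatives for the VirtualBox OEM ID and `SystemBiosDate` are our generalisation beyond the keys this run touched; the ATT&CK IDs are the standard ones for sandbox system checks (T1497.001) and registry queries (T1012).

```python
"""Classify Triage-style registry-access lines into anti-analysis categories.

Added example; EVENTS are copied from the report, the rules are ours."""
import re
from collections import defaultdict

EVENTS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rh_0.5.2_protected.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 4ag006bt.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rh_0.5.2_protected.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4ag006bt.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4ag006bt.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rh_0.5.2_protected.exe",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rh_0.5.2_protected.exe",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 4ag006bt.exe",
    r"Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3edbc9c7553dad54925210b7f9ece36c.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI A361.exe",
    r"Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI A361.exe",
    # Negative control (constructed from the IE entries): must match no rule.
    r"Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe",
]

# Longest phrases first so "Key value queried" is not read as "Key queried".
ACTIONS = ("Key value queried", "Key enumerated", "Key opened", "Key queried", "Key created")

# (category, ATT&CK technique, path pattern).  Paths are matched case-insensitively.
RULES = [
    ("anti-vm:virtualbox-acpi", "T1497.001",
     re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I)),
    ("anti-sandbox:bios-strings", "T1497.001",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$", re.I)),
    ("anti-sandbox:scsi-enum", "T1497.001",
     re.compile(r"\\SYSTEM\\ControlSet\d+\\Enum\\SCSI$", re.I)),
    ("recon:uac-status", "T1012",
     re.compile(r"\\Policies\\System\\EnableLUA$", re.I)),
]


def parse_event(line: str):
    """Split '<action> <path> <process>'; the path may contain spaces, the process may not."""
    for action in ACTIONS:
        if line.startswith(action + " "):
            path, _, process = line[len(action) + 1:].rpartition(" ")
            return action, path, process
    raise ValueError(f"unrecognised event line: {line!r}")


def classify(lines):
    """Map each process to the set of (category, technique) pairs its registry reads hit."""
    hits = defaultdict(set)
    for line in lines:
        _, path, process = parse_event(line)
        for category, technique, pattern in RULES:
            if pattern.search(path):
                hits[process].add((category, technique))
    return dict(hits)


def evasive_processes(lines, threshold: int = 2) -> set:
    """Processes hitting at least `threshold` distinct anti-* categories.

    One category alone (e.g. only the SCSI enumeration) is common in benign
    installers; two or more independent checks is the pattern worth escalating."""
    flagged = set()
    for process, tags in classify(lines).items():
        anti = {category for category, _ in tags if category.startswith("anti-")}
        if len(anti) >= threshold:
            flagged.add(process)
    return flagged


if __name__ == "__main__":
    for process, tags in sorted(classify(EVENTS).items()):
        print(process, sorted(tags))
    print("evasive:", sorted(evasive_processes(EVENTS)))
```

With the report's events this separates the Rhadamanthys stage (`rh_0.5.2_protected.exe`) and `4ag006bt.exe`, which both combine the VirtualBox ACPI probe with BIOS-string reads, from the loader and `A361.exe`, which only enumerate SCSI. The same parser works on any Triage-exported signature table; swapping `EVENTS` for Sysmon data needs a different reader, because Sysmon records registry creates and value writes (Event IDs 12 and 13) but not the plain reads these signatures are built on.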
Modifies Internet Explorer settings 64 IoCs
description  ioc  Process
All keys below are under \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\
Key created  Recovery\PendingRecovery  iexplore.exe
Key created  GPU  iexplore.exe
Key created  PageSetup  iexplore.exe
Key created  IETld\LowMic  iexplore.exe
Key created  IntelliForms  iexplore.exe
Key created  Zoom  iexplore.exe
Set value (str)  Main\FullScreen = "no"  iexplore.exe
Key created  PageSetup  iexplore.exe
Key created  IntelliForms  iexplore.exe
Key created  Toolbar  iexplore.exe
Key created  LowRegistry\DOMStorage  iexplore.exe
Key created  Toolbar  iexplore.exe
Key created  Toolbar\WebBrowser  iexplore.exe
Set value (int)  Recovery\AdminActive\{40202B41-9EB4-11EE-9F40-4A7F2EE8F0A9} = "0"  iexplore.exe
Key created  Main  iexplore.exe
Key created  PageSetup  iexplore.exe
Key created  LowRegistry\DontShowMeThisDialogAgain  iexplore.exe
Key created  Main  iexplore.exe
Key created  InternetRegistry  iexplore.exe
Key created  LowRegistry\DOMStorage  iexplore.exe
Key created  PageSetup  iexplore.exe
Set value (int)  Main\CompatibilityFlags = "0"  iexplore.exe
Set value (str)  Main\WindowsSearch\Version = "WS not running"  iexplore.exe
Key created  Recovery\AdminActive  iexplore.exe
Key created  Recovery\AdminActive  iexplore.exe
Key created  Recovery\AdminActive  iexplore.exe
Key created  Main  IEXPLORE.EXE
Key created  LowRegistry\DOMStorage  iexplore.exe
Key created  BrowserEmulation\LowMic  iexplore.exe
Key created  PageSetup  iexplore.exe
Key created  Toolbar\WebBrowser  iexplore.exe
Set value (data)  Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000  iexplore.exe
Key created  IETld\LowMic  iexplore.exe
Set value (int)  Main\CompatibilityFlags = "0"  iexplore.exe
Key created  Recovery\AdminActive  iexplore.exe
Key created  Main\WindowsSearch  iexplore.exe
Set value (int)  Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
Set value (int)  Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
Key created  IntelliForms  iexplore.exe
Key created  LowRegistry\DontShowMeThisDialogAgain  iexplore.exe
Set value (int)  Main\CompatibilityFlags = "0"  iexplore.exe
Key created  Main  iexplore.exe
Key created  Main  iexplore.exe
Set value (int)  Recovery\AdminActive\{401B6881-9EB4-11EE-9F40-4A7F2EE8F0A9} = "0"  iexplore.exe
Set value (int)  Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
Key created  LowRegistry  iexplore.exe
Key created  PageSetup  iexplore.exe
Key created  Main  IEXPLORE.EXE
Key created  InternetRegistry  iexplore.exe
Key created  LowRegistry  iexplore.exe
Key created  Recovery\AdminActive  iexplore.exe
Set value (int)  Recovery\PendingRecovery\AdminActive = "1"  iexplore.exe
Key created  LowRegistry\DOMStorage  iexplore.exe
Key created  InternetRegistry  iexplore.exe
Key created  IntelliForms  iexplore.exe
Key created  Zoom  iexplore.exe
Key created  IntelliForms  iexplore.exe
Key created  Recovery\PendingRecovery  iexplore.exe
Key created  Main  iexplore.exe
Key created  LowRegistry\DontShowMeThisDialogAgain  iexplore.exe
Key created  PageSetup  iexplore.exe
Set value (str)  Main\WindowsSearch\Version = "WS not running"  iexplore.exe
Set value (data)  Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000  iexplore.exe
Key created  LowRegistry\DOMStorage  iexplore.exe
-
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f5168420
5a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 B711.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c3
28eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 B711.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 B711.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process  (rows)
2676  3edbc9c7553dad54925210b7f9ece36c.exe  (2)
1216  Explorer.EXE  (62)
-
Suspicious behavior: MapViewOfSection 2 IoCs
pid  Process
2676  3edbc9c7553dad54925210b7f9ece36c.exe
3028  A361.exe
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
description  pid  Process  (rows)
Token: SeShutdownPrivilege  1216  Explorer.EXE  (8)
Token: SeDebugPrivilege  1728  D380.exe  (1)
-
Suspicious use of FindShellTrayWindow 24 IoCs
pid  Process  (rows)
1676  1ps77jW9.exe  (9)
1216  Explorer.EXE  (6)
2352  iexplore.exe  (1)
3000  iexplore.exe  (1)
1016  iexplore.exe  (1)
2112  iexplore.exe  (1)
1964  iexplore.exe  (1)
976  iexplore.exe  (1)
1416  iexplore.exe  (1)
2536  iexplore.exe  (1)
1460  iexplore.exe  (1)
-
Suspicious use of SendNotifyMessage 9 IoCs
pid  Process  (rows)
1676  1ps77jW9.exe  (9)
-
Suspicious use of SetWindowsHookEx 36 IoCs
pid  Process  (rows)
3000  iexplore.exe  (2)
2112  iexplore.exe  (2)
1016  iexplore.exe  (2)
2536  iexplore.exe  (2)
2352  iexplore.exe  (2)
1416  iexplore.exe  (2)
1460  iexplore.exe  (2)
976  iexplore.exe  (2)
1964  iexplore.exe  (2)
2140  IEXPLORE.EXE  (2)
2460  IEXPLORE.EXE  (2)
624  IEXPLORE.EXE  (2)
1036  IEXPLORE.EXE  (2)
1712  IEXPLORE.EXE  (2)
1684  IEXPLORE.EXE  (2)
2512  IEXPLORE.EXE  (2)
980  IEXPLORE.EXE  (2)
2104  IEXPLORE.EXE  (2)
-
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target  (identical rows)
PID 2764 wrote to memory of 2676  2764  3edbc9c7553dad54925210b7f9ece36c.exe  29  (7)
PID 1216 wrote to memory of 660  1216  Explorer.EXE  30  (4)
PID 1216 wrote to memory of 2932  1216  Explorer.EXE  31  (3)
PID 2932 wrote to memory of 2752  2932  cmd.exe  33  (3)
PID 660 wrote to memory of 3028  660  A361.exe  34  (7)
PID 1216 wrote to memory of 1372  1216  Explorer.EXE  35  (4)
PID 1372 wrote to memory of 2176  1372  B711.exe  36  (11)
PID 2176 wrote to memory of 2284  2176  B711.exe  38  (4)
PID 1216 wrote to memory of 1728  1216  Explorer.EXE  40  (4)
PID 1216 wrote to memory of 1804  1216  Explorer.EXE  41  (4)
PID 1216 wrote to memory of 1352  1216  Explorer.EXE  42  (7)
PID 1804 wrote to memory of 2208  1804  F830.exe  43  (4)
PID 2176 wrote to memory of 1960  2176  B711.exe  44  (2)
The list stops at 64 rows, so later writes (for example from PID 1960 into 1588, which the SetThreadContext signature above records) are not shown.
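Read together, the SetThreadContext and WriteProcessMemory rows describe the hollowing pattern this chain uses at every stage: a process starts a second copy of its own image, writes into it and then sets its thread context, and the YARA hits (Djvu in the memory of 2176 and 1588, the loader's child 2676 mapping a section) land in the child rather than the parent. The script below is an added example and not part of the report: the row strings are copied from the two signature tables (duplicate rows collapsed), the PID-to-image map is built from the Processes tree and the "Executes dropped EXE" list, and the parser and the heuristic are ours. Because the WriteProcessMemory table is capped at 64 rows, a SetThreadContext with no matching write is reported at lower confidence rather than dropped.

```python
"""Reconstruct the injection graph from Triage SetThreadContext/WriteProcessMemory rows
and flag same-image parent->child pairs (process hollowing).

Added example; ROWS and IMAGES are copied/derived from the report, the logic is ours."""
import re
from collections import defaultdict

ROWS = [
    "PID 2764 set thread context of 2676 2764 3edbc9c7553dad54925210b7f9ece36c.exe 29",
    "PID 660 set thread context of 3028 660 A361.exe 34",
    "PID 1372 set thread context of 2176 1372 B711.exe 36",
    "PID 1960 set thread context of 1588 1960 B711.exe 45",
    "PID 2764 wrote to memory of 2676 2764 3edbc9c7553dad54925210b7f9ece36c.exe 29",
    "PID 1216 wrote to memory of 660 1216 Explorer.EXE 30",
    "PID 1216 wrote to memory of 2932 1216 Explorer.EXE 31",
    "PID 2932 wrote to memory of 2752 2932 cmd.exe 33",
    "PID 660 wrote to memory of 3028 660 A361.exe 34",
    "PID 1216 wrote to memory of 1372 1216 Explorer.EXE 35",
    "PID 1372 wrote to memory of 2176 1372 B711.exe 36",
    "PID 2176 wrote to memory of 2284 2176 B711.exe 38",
    "PID 1216 wrote to memory of 1728 1216 Explorer.EXE 40",
    "PID 1216 wrote to memory of 1804 1216 Explorer.EXE 41",
    "PID 1216 wrote to memory of 1352 1216 Explorer.EXE 42",
    "PID 1804 wrote to memory of 2208 1804 F830.exe 43",
    "PID 2176 wrote to memory of 1960 2176 B711.exe 44",
]

# PID -> image, from the Processes tree and the "Executes dropped EXE" table.
IMAGES = {
    2764: "3edbc9c7553dad54925210b7f9ece36c.exe", 2676: "3edbc9c7553dad54925210b7f9ece36c.exe",
    1216: "Explorer.EXE", 660: "A361.exe", 3028: "A361.exe", 2932: "cmd.exe", 2752: "reg.exe",
    1372: "B711.exe", 2176: "B711.exe", 2284: "icacls.exe", 1728: "D380.exe", 1804: "F830.exe",
    1352: "1929.exe", 2208: "rh_0.5.2_protected.exe", 1960: "B711.exe", 1588: "B711.exe",
}

ROW_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\d+)$")


def parse_rows(rows):
    """-> [(api, source_pid, target_pid, source_image)] from the flattened table rows."""
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unexpected row: {row!r}")
        src, verb, dst, image, _procid = m.groups()
        api = "SetThreadContext" if verb.startswith("set") else "WriteProcessMemory"
        events.append((api, int(src), int(dst), image))
    return events


def injection_graph(events):
    """source pid -> target pid -> {APIs used against it}."""
    graph = defaultdict(lambda: defaultdict(set))
    for api, src, dst, _ in events:
        graph[src][dst].add(api)
    return graph


def find_hollowing(events, images):
    """Same-image parent/child pairs where the parent set the child's thread context.

    'high' when a WriteProcessMemory into the same child is also on record,
    'medium' when only the SetThreadContext survived the report's row cap."""
    found = []
    for src, children in injection_graph(events).items():
        image = images.get(src)
        for dst, apis in children.items():
            if "SetThreadContext" not in apis or image is None or image != images.get(dst):
                continue
            confidence = "high" if "WriteProcessMemory" in apis else "medium"
            found.append((src, dst, image, confidence))
    return sorted(found)


def fan_out(events, min_children: int = 3):
    """Parents writing into many distinct children: here the injected Explorer.EXE."""
    graph = injection_graph(events)
    return {src: sorted(graph[src]) for src in graph if len(graph[src]) >= min_children}


if __name__ == "__main__":
    evs = parse_rows(ROWS)
    for src, dst, image, confidence in find_hollowing(evs, IMAGES):
        print(f"{image}: {src} -> {dst} ({confidence})")
    print("fan-out:", fan_out(evs))
```

On this report it yields four hollowed pairs (the original sample into 2676, A361.exe into 3028, B711.exe into 2176 and, at medium confidence, the `--AutoStart` copy 1960 into 1588) and one fan-out node, Explorer.EXE (1216), which is the process every dropped stage is launched from.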
Processes

C:\Users\Admin\AppData\Local\Temp\3edbc9c7553dad54925210b7f9ece36c.exe  (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\3edbc9c7553dad54925210b7f9ece36c.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2764
    C:\Users\Admin\AppData\Local\Temp\3edbc9c7553dad54925210b7f9ece36c.exe  (level 2)
      command line: "C:\Users\Admin\AppData\Local\Temp\3edbc9c7553dad54925210b7f9ece36c.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      PID: 2676

C:\Windows\Explorer.EXE  (level 1)
  command line: C:\Windows\Explorer.EXE
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 1216
    C:\Users\Admin\AppData\Local\Temp\A361.exe  (level 2)
      command line: C:\Users\Admin\AppData\Local\Temp\A361.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 660
        C:\Users\Admin\AppData\Local\Temp\A361.exe  (level 3)
          command line: C:\Users\Admin\AppData\Local\Temp\A361.exe
          - Executes dropped EXE
          - Checks SCSI registry key(s)
          - Suspicious behavior: MapViewOfSection
          PID: 3028
    C:\Windows\system32\cmd.exe  (level 2)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\A4B9.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 2932
        C:\Windows\system32\reg.exe  (level 3)
          command line: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
          PID: 2752
    C:\Users\Admin\AppData\Local\Temp\B711.exe  (level 2)
      command line: C:\Users\Admin\AppData\Local\Temp\B711.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 1372
        C:\Users\Admin\AppData\Local\Temp\B711.exe  (level 3)
          command line: C:\Users\Admin\AppData\Local\Temp\B711.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          PID: 2176
            C:\Windows\SysWOW64\icacls.exe  (level 4)
              command line: icacls "C:\Users\Admin\AppData\Local\dc6c0350-93c1-4767-9d8c-ffad608b7b28" /deny *S-1-1-0:(OI)(CI)(DE,DC)
              - Modifies file permissions
              PID: 2284
            C:\Users\Admin\AppData\Local\Temp\B711.exe  (level 4)
              command line: "C:\Users\Admin\AppData\Local\Temp\B711.exe" --Admin IsNotAutoStart IsNotTask
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetThreadContext
              PID: 1960
                C:\Users\Admin\AppData\Local\Temp\B711.exe  (level 5)
                  command line: "C:\Users\Admin\AppData\Local\Temp\B711.exe" --Admin IsNotAutoStart IsNotTask
                  - Executes dropped EXE
                  - Modifies system certificate store
                  PID: 1588
    C:\Users\Admin\AppData\Local\Temp\D380.exe  (level 2)
      command line: C:\Users\Admin\AppData\Local\Temp\D380.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 1728
    C:\Users\Admin\AppData\Local\Temp\F830.exe  (level 2)
      command line: C:\Users\Admin\AppData\Local\Temp\F830.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 1804
        C:\Users\Admin\AppData\Local\Temp\rh_0.5.2_protected.exe  (level 3)
          command line: "C:\Users\Admin\AppData\Local\Temp\rh_0.5.2_protected.exe"
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          PID: 2208
    C:\Users\Admin\AppData\Local\Temp\1929.exe  (level 2)
      command line: C:\Users\Admin\AppData\Local\Temp\1929.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      PID: 1352
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rE8sk42.exe  (level 3)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rE8sk42.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          PID: 2680
            C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wQ6ep19.exe  (level 4)
              command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wQ6ep19.exe
              - Executes dropped EXE
              - Loads dropped DLL
              - Adds Run key to start application
              PID: 300
                C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ps77jW9.exe  (level 5)
                  command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ps77jW9.exe
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Suspicious use of FindShellTrayWindow
                  - Suspicious use of SendNotifyMessage
                  PID: 1676
                    C:\Program Files\Internet Explorer\iexplore.exe  (level 6)
                      command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
                      - Modifies Internet Explorer settings
                      - Suspicious use of FindShellTrayWindow
                      - Suspicious use of SetWindowsHookEx
                      PID: 2536
                        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (level 7)
                          command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2536 CREDAT:275457 /prefetch:2
                          - Suspicious use of SetWindowsHookEx
                          PID: 980
                    C:\Program Files\Internet Explorer\iexplore.exe  (level 6)
                      command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login
                      - Modifies Internet Explorer settings
                      - Suspicious use of FindShellTrayWindow
                      - Suspicious use of SetWindowsHookEx
                      PID: 1416
                        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (level 7)
                          command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1416 CREDAT:275457 /prefetch:2
                          - Suspicious use of SetWindowsHookEx
                          PID: 2512
                    C:\Program Files\Internet Explorer\iexplore.exe  (level 6)
                      command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://store.steampowered.com/login
                      - Modifies Internet Explorer settings
                      - Suspicious use of FindShellTrayWindow
                      - Suspicious use of SetWindowsHookEx
                      PID: 1016
                        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (level 7)
                          command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1016 CREDAT:275457 /prefetch:2
                          - Suspicious use of SetWindowsHookEx
                          PID: 2460
                    C:\Program Files\Internet Explorer\iexplore.exe  (level 6)
                      command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://twitter.com/i/flow/login
                      - Modifies Internet Explorer settings
                      - Suspicious use of FindShellTrayWindow
                      - Suspicious use of SetWindowsHookEx
                      PID: 1460
                        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (level 7)
                          command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1460 CREDAT:275457 /prefetch:2
                          - Modifies Internet Explorer settings
                          - Suspicious use of SetWindowsHookEx
                          PID: 2104
                    C:\Program Files\Internet Explorer\iexplore.exe  (level 6)
                      command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://steamcommunity.com/openid/loginform
                      - Modifies Internet Explorer settings
                      - Suspicious use of FindShellTrayWindow
                      - Suspicious use of SetWindowsHookEx
                      PID: 2112
                        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (level 7)
                          command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2112 CREDAT:275457 /prefetch:2
                          - Suspicious use of SetWindowsHookEx
                          PID: 1712
                    C:\Program Files\Internet Explorer\iexplore.exe  (level 6)
                      command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.epicgames.com/id/login
                      - Modifies Internet Explorer settings
                      - Suspicious use of FindShellTrayWindow
                      - Suspicious use of SetWindowsHookEx
                      PID: 1964
                        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (level 7)
                          command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1964 CREDAT:275457 /prefetch:2
                          - Suspicious use of SetWindowsHookEx
                          PID: 1036
                    C:\Program Files\Internet Explorer\iexplore.exe  (level 6)
                      command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.paypal.com/signin
                      - Modifies Internet Explorer settings
                      - Suspicious use of FindShellTrayWindow
                      - Suspicious use of SetWindowsHookEx
                      PID: 3000
                        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (level 7)
                          command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3000 CREDAT:275457 /prefetch:2
                          - Suspicious use of SetWindowsHookEx
                          PID: 624
                    C:\Program Files\Internet Explorer\iexplore.exe  (level 6)
                      command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/
                      - Modifies Internet Explorer settings
                      - Suspicious use of FindShellTrayWindow
                      - Suspicious use of SetWindowsHookEx
                      PID: 976
                        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (level 7)
                          command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:976 CREDAT:275457 /prefetch:2
                          - Modifies Internet Explorer settings
                          - Suspicious use of SetWindowsHookEx
                          PID: 1684
                    C:\Program Files\Internet Explorer\iexplore.exe  (level 6)
                      command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.linkedin.com/login
                      - Modifies Internet Explorer settings
                      - Suspicious use of FindShellTrayWindow
                      - Suspicious use of SetWindowsHookEx
                      PID: 2352
                        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (level 7)
                          command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2352 CREDAT:275457 /prefetch:2
                          - Suspicious use of SetWindowsHookEx
                          PID: 2140
                C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ag006bt.exe  (level 5)
                  command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ag006bt.exe
                  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  - Checks BIOS information in registry
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Checks whether UAC is enabled
                  - Suspicious use of NtSetInformationThreadHideFromDebugger
                  PID: 1576
    C:\Windows\SysWOW64\dialer.exe  (level 2)
      command line: "C:\Windows\system32\dialer.exe"
      PID: 2884
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Modify Registry (3)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
- Virtualization/Sandbox Evasion (1)
Downloads