Overview

Overall score: 10. Static analysis score: 7.

Per-task scores as shown in the page's task list (sample names are truncated there exactly as on the original page; the full names are in the "Behavioral tasks" list below):

  score  sample                  platform
  7      Fake AV/An...09.exe     windows7-x64
  7      Fake AV/An...09.exe     windows10-2004-x64
  8      Fake AV/Ana.exe         windows7-x64
  7      Fake AV/Ana.exe         windows10-2004-x64
  7      Fake AV/Antivirus.exe   windows7-x64
  7      Fake AV/Antivirus.exe   windows10-2004-x64
  10     Fake AV/An...10.exe     windows7-x64
  7      Fake AV/An...10.exe     windows10-2004-x64
  10     Fake AV/An...um.exe     windows7-x64
  10     Fake AV/An...um.exe     windows10-2004-x64
  7      Fake AV/An...17.exe     windows7-x64
  7      Fake AV/An...17.exe     windows10-2004-x64
  -      Fake AV/CleanThis.exe   windows7-x64
  -      Fake AV/CleanThis.exe   windows10-2004-x64
  7      Fake AV/Fa...er.exe     windows7-x64
  7      Fake AV/Fa...er.exe     windows10-2004-x64
  6      6AdwCleaner.exe         windows7-x64
  6      6AdwCleaner.exe         windows10-2004-x64
  7      Fake AV/Fi...ll.exe     windows7-x64
  7      Fake AV/Fi...ll.exe     windows10-2004-x64
  1      Fake AV/Ha...us.exe     windows7-x64
  1      Fake AV/Ha...us.exe     windows10-2004-x64
  10     Fake AV/In...rd.exe     windows7-x64        (the task this report covers)
  9      Fake AV/In...rd.exe     windows10-2004-x64
  7      Fake AV/LPS2019.exe     windows7-x64
  7      Fake AV/LPS2019.exe     windows10-2004-x64
  7      Fake AV/Mo...eg.exe     windows7-x64
  3      Fake AV/Mo...eg.exe     windows10-2004-x64
  7      Fake AV/Na...ld.exe     windows7-x64
  7      Fake AV/Na...ld.exe     windows10-2004-x64
  10     Fake AV/PC...er.exe     windows7-x64
  10     Fake AV/PC...er.exe     windows10-2004-x64

Analysis
  max time kernel:   146s
  max time network:  122s
  platform:          windows7_x64
  resource:          win7-20240221-en
  resource tags:     arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted:         02/03/2024, 22:34
Behavioral tasks

  task          sample                                   resource
  behavioral1   Fake AV/AnViPC2009.exe                   win7-20240221-en
  behavioral2   Fake AV/AnViPC2009.exe                   win10v2004-20240226-en
  behavioral3   Fake AV/Ana.exe                          win7-20240221-en
  behavioral4   Fake AV/Ana.exe                          win10v2004-20240226-en
  behavioral5   Fake AV/Antivirus.exe                    win7-20240221-en
  behavioral6   Fake AV/Antivirus.exe                    win10v2004-20240226-en
  behavioral7   Fake AV/Antivirus2010.exe                win7-20240221-en
  behavioral8   Fake AV/Antivirus2010.exe                win10v2004-20240226-en
  behavioral9   Fake AV/AntivirusPlatinum.exe            win7-20240221-en
  behavioral10  Fake AV/AntivirusPlatinum.exe            win10v2004-20240226-en
  behavioral11  Fake AV/AntivirusPro2017.exe             win7-20240221-en
  behavioral12  Fake AV/AntivirusPro2017.exe             win10v2004-20240226-en
  behavioral13  Fake AV/CleanThis.exe                    win7-20240220-en
  behavioral14  Fake AV/CleanThis.exe                    win10v2004-20240226-en
  behavioral15  Fake AV/FakeAdwCleaner.exe               win7-20240221-en
  behavioral16  Fake AV/FakeAdwCleaner.exe               win10v2004-20240226-en
  behavioral17  6AdwCleaner.exe                          win7-20240221-en
  behavioral18  6AdwCleaner.exe                          win10v2004-20240226-en
  behavioral19  Fake AV/FileFixPro/FFProInstall.exe      win7-20240221-en
  behavioral20  Fake AV/FileFixPro/FFProInstall.exe      win10v2004-20240226-en
  behavioral21  Fake AV/HappyAntivirus.exe               win7-20240221-en
  behavioral22  Fake AV/HappyAntivirus.exe               win10v2004-20240226-en
  behavioral23  Fake AV/InternetSecurityGuard.exe        win7-20240221-en
  behavioral24  Fake AV/InternetSecurityGuard.exe        win10v2004-20240226-en
  behavioral25  Fake AV/LPS2019.exe                      win7-20240220-en
  behavioral26  Fake AV/LPS2019.exe                      win10v2004-20240226-en
  behavioral27  Fake AV/Movie.mpeg.exe                   win7-20240215-en
  behavioral28  Fake AV/Movie.mpeg.exe                   win10v2004-20240226-en
  behavioral29  Fake AV/NavaShield.exe                   win7-20240221-en
  behavioral30  Fake AV/NavaShield.exe                   win10v2004-20240226-en
  behavioral31  Fake AV/PCDefender.exe                   win7-20240221-en
  behavioral32  Fake AV/PCDefender.exe                   win10v2004-20240226-en
General

  Target:  Fake AV/InternetSecurityGuard.exe
  Size:    6.1MB
  MD5:     04155ed507699b4e37532e8371192c0b
  SHA1:    a14107131237dbb0df750e74281c462a2ea61016
  SHA256:  b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77
  SHA512:  6de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371
  SSDEEP:  98304:hvOOFJ+Z8eAgy7SH9s76RSvyqJOBgECfMfYv+85JH0DVczt8A:hvOOFJ+ggr9s76R+wcMAv+IHCczt8
Malware Config
Signatures
Modifies UAC policy values (signature name not preserved on the page)
EnableLUA switches UAC on or off as a whole (a change only takes effect after a reboot); ConsentPromptBehaviorAdmin/User control what an elevation request does (0 = elevate silently for admins / deny outright for standard users, 2 = prompt for consent on the secure desktop). Both the 0/2/2 and the 1/0/0 combinations appear below; the flat listing does not say which write came last, so the live values are what count.
All entries by InternetSecurityGuard.exe under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
  Set value (int)  EnableLUA = "0"
  Set value (int)  ConsentPromptBehaviorAdmin = "2"
  Set value (int)  ConsentPromptBehaviorUser = "2"
  Set value (int)  EnableLUA = "1"
  Set value (int)  ConsentPromptBehaviorAdmin = "0"
  Set value (int)  ConsentPromptBehaviorUser = "0"
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest  (InternetSecurityGuard.exe)
Blocks application from running via registry modification 18 IoCs
Adds application to list of disallowed applications. This is Explorer's DisallowRun policy: DisallowRun = 1 on Policies\Explorer switches it on, and every numbered string value under the DisallowRun subkey names an image Explorer will refuse to launch (Start menu, Run dialog, double-click). The names cover Microsoft Security Essentials / Windows Defender (msseces.exe, MSASCui.exe), ESET (ekrn.exe, egui.exe), Avira (avgnt.exe, avcenter.exe, avscan.exe) and AVG (avg*.exe). The policy binds only the shell: the same binaries still start from cmd.exe or as a service, which is also how to confirm the block is the cause when a user reports "my antivirus won't open".
All entries by InternetSecurityGuard.exe under \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer:
  Key created      DisallowRun\
  Set value (int)  DisallowRun = "1"
  Set value (str)  DisallowRun\0 = "msseces.exe"
  Set value (str)  DisallowRun\1 = "MSASCui.exe"
  Set value (str)  DisallowRun\2 = "ekrn.exe"
  Set value (str)  DisallowRun\3 = "egui.exe"
  Set value (str)  DisallowRun\4 = "avgnt.exe"
  Set value (str)  DisallowRun\5 = "avcenter.exe"
  Set value (str)  DisallowRun\6 = "avscan.exe"
  Set value (str)  DisallowRun\7 = "avgfrw.exe"
  Set value (str)  DisallowRun\8 = "avgui.exe"
  Set value (str)  DisallowRun\9 = "avgtray.exe"
  Set value (str)  DisallowRun\10 = "avgscanx.exe"
  Set value (str)  DisallowRun\11 = "avgcfgex.exe"
  Set value (str)  DisallowRun\12 = "avgemc.exe"
  Set value (str)  DisallowRun\13 = "avgchsvx.exe"
  Set value (str)  DisallowRun\14 = "avgcmgr.exe"
  Set value (str)  DisallowRun\15 = "avgwdsvc.exe"
Drops file in Drivers directory 4 IoCs
The file in question is the hosts file itself, with a host_new file created next to it (the usual write-then-replace pattern). The report shows the write, not the contents; rogueware commonly uses hosts to sinkhole AV vendor and update domains or redirect them, so the file needs to be read on the host.
All entries by InternetSecurityGuard.exe:
  File created                  C:\Windows\System32\drivers\etc\hosts
  File opened for modification  C:\Windows\system32\drivers\etc\hosts
  File opened for modification  C:\Windows\System32\drivers\etc\hosts
  File created                  C:\Windows\system32\drivers\etc\host_new
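The following is an added example, not part of the Triage report or the sample: a parser for the hosts file that flags the kind of entries rogueware writes. The watch list of vendor/update domains and the sample lines are constructed for the demo; pass -Path to read the real file. Needs PowerShell 3 or later (Windows 7 ships with 2.0 unless WMF was installed).

```powershell
# Added example, not from the report. Parses a hosts file and reports every active mapping,
# classifying sinkholed or redirected security/update domains. Default Windows hosts files
# contain only comments, so any active line beyond localhost deserves a look.
param([string]$Path)

function Get-HostsFindings {
    param([string[]]$Lines)
    # Constructed watch list of domains fake-AV typically blocks; extend it to your vendors.
    $watch = 'microsoft.com', 'windowsupdate.com', 'symantec.com', 'mcafee.com', 'kaspersky.com',
             'avg.com', 'avira.com', 'eset.com', 'malwarebytes.com', 'trendmicro.com'
    $sinkholes = '127.0.0.1', '0.0.0.0', '::1'
    foreach ($raw in $Lines) {
        $line = ($raw -split '#', 2)[0].Trim()           # strip comments and padding
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }           # malformed line, nothing to map
        $ip = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $sinkholed = $sinkholes -contains $ip
            if ($sinkholed -and ($name -eq 'localhost' -or $name -eq 'localhost.localdomain')) { continue }
            $watched = [bool]($watch | Where-Object { $name -eq $_ -or $name.EndsWith('.' + $_) })
            $reason = if ($watched -and $sinkholed) { 'security/update domain sinkholed' }
                      elseif ($watched)            { "security/update domain redirected to $ip" }
                      elseif (-not $sinkholed)     { "name pinned to $ip (bypasses DNS, possible redirect)" }
                      else                         { 'name sinkholed' }
            [pscustomobject]@{ Name = $name; IP = $ip; Reason = $reason; Line = $raw }
        }
    }
}

# Constructed sample, not a captured file.
$sampleText = @'
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       update.microsoft.com windowsupdate.microsoft.com
127.0.0.1       www.symantec.com
0.0.0.0         downloads.malwarebytes.com
93.184.216.34   www.example.com
'@
$sample = $sampleText -split "`r?`n"

$lines = if ($Path) { Get-Content -Path $Path } else { $sample }
$findings = @(Get-HostsFindings -Lines $lines)
if ($findings.Count -eq 0) { 'hosts file has no active mappings beyond localhost' }
else { $findings | Format-Table Name, IP, Reason -AutoSize }
```

On the constructed sample this reports five findings: three sinkholed Microsoft/Symantec names, one sinkholed Malwarebytes name, and www.example.com pinned to 93.184.216.34. When running against a real host also check HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath, since a sample can point the resolver at a hosts file in another directory instead of editing the one in drivers\etc.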
Sets file execution options in registry 2 TTPs 64 IoCs
Image File Execution Options (IFEO) hijack: when a Debugger value exists under Image File Execution Options\<name>.exe, the loader starts that "debugger" instead of the requested image and passes the original command line to it. With svchost.exe as the debugger the AV or analysis tool never starts, without any file being touched. A subkey alone does nothing; only the Debugger value does. Sixty-four is evidently the page's per-signature display cap (three signatures here stop at exactly 64), so the list on an infected host is likely longer than what is shown: enumerate the key rather than matching against these names.
All entries by InternetSecurityGuard.exe under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options:

  Set value (str) <name>\Debugger = "svchost.exe" for:
    install[5].exe, alogserv.exe, avxmonitor9x.exe, lockdown2000.exe, nvc95.exe, realmon.exe,
    jdbgmrg.exe, kerio-wrl-421-en-win.exe, drweb32.exe, winmain.exe, cfpconfg.exe,
    fsav530wtbyb.exe, istsvc.exe, AlphaAV.exe, avwupd32.exe, htpatch.exe, sofi.exe,
    icsupp95.exe, procdump.exe, bundle.exe, sahagent.exe, guard.exe, setupvameeval.exe,
    cfinet32.exe, Anti-Virus Professional.exe, SaveArmor.exe, fsgk32.exe, pcfwallicon.exe,
    ray.exe, WebProxy.exe, wscfxas.exe

  Key created <name> (no Debugger value shown within the 64-entry limit) for:
    support.exe, gav.exe, navwnt.exe, pspf.exe, fameh32.exe, ntrtscan.exe, pctsSvc.exe,
    livesrv.exe, espwatch.exe, teekids.exe, OLT.exe, MPFSrv.exe, icsuppnt.exe,
    kerio-wrp-421-en-win.exe, vscan40.exe, SaveArmor.exe, McSACore.exe, portdetective.exe,
    system.exe, vnpc3000.exe, signcheck.exe, PSUNMain.exe, iedriver.exe, zonealarm.exe,
    ashQuick.exe, alogserv.exe, fp-win.exe, bootconf.exe, cfgwiz.exe, lnetinfo.exe,
    escanv95.exe, navapsvc.exe, wscfxav.exe
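An added example that serves both this signature and the DisallowRun signature above; it is not part of the report and not the sample's code. It audits a live host for the two execution-blocking mechanisms and, only when asked, removes them. The key paths are the documented ones; the -Remediate switch and the output shape are this example's own. PowerShell 3 or later, run from an elevated prompt so HKLM is writable.

```powershell
# Added example, not from the report: find IFEO Debugger hijacks and Explorer DisallowRun
# entries. Report-only unless -Remediate is given.
[CmdletBinding()]
param([switch]$Remediate)

$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# 1. IFEO Debugger values. Any Debugger value launches something other than the requested
#    image; legitimate ones (e.g. vsjitdebugger.exe) are rare on end-user machines.
$ifeoHits = Get-ChildItem -Path $ifeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        [pscustomobject]@{ Mechanism = 'IFEO Debugger'; Target = $_.PSChildName; Data = $dbg; Path = $_.PSPath }
    }
}

# 2. Explorer DisallowRun: DisallowRun = 1 on Policies\Explorer plus numbered string values
#    under Policies\Explorer\DisallowRun. Checked for the current user and the machine policy.
$policyRoots = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$disallowHits = foreach ($root in $policyRoots) {
    $listKey = Join-Path $root 'DisallowRun'
    if (-not (Test-Path $listKey)) { continue }
    $enabled = (Get-ItemProperty -Path $root -Name DisallowRun -ErrorAction SilentlyContinue).DisallowRun
    foreach ($p in (Get-ItemProperty -Path $listKey).PSObject.Properties) {
        if ($p.Name -match '^\d+$') {       # skip PSPath/PSProvider etc., keep "0","1",...
            [pscustomobject]@{ Mechanism = 'DisallowRun'; Target = $p.Value; Data = "enabled=$enabled"; Path = $listKey }
        }
    }
}

$hits = @(@($ifeoHits) + @($disallowHits) | Where-Object { $_ })
if ($hits.Count -eq 0) { Write-Output 'No IFEO Debugger values or DisallowRun entries found.'; return }
$hits | Format-Table Mechanism, Target, Data -AutoSize

if ($Remediate) {
    foreach ($h in ($hits | Where-Object { $_.Mechanism -eq 'IFEO Debugger' })) {
        # Drop only the Debugger value; other IFEO settings on the key are left alone.
        Remove-ItemProperty -Path $h.Path -Name Debugger
    }
    foreach ($root in $policyRoots) {
        $listKey = Join-Path $root 'DisallowRun'
        if (Test-Path $listKey) {
            Remove-Item -Path $listKey -Recurse
            Remove-ItemProperty -Path $root -Name DisallowRun -ErrorAction SilentlyContinue
        }
    }
}
```

Run it once to see the list, compare the Debugger values against anything you deployed deliberately, then rerun with -Remediate. A DisallowRun change takes effect for new launches from Explorer straight away; IFEO changes apply to the next process start of that image.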
Loads dropped DLL 4 IoCs
  PID 2528 InternetSecurityGuard.exe (4 events)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Unexpected DNS network traffic destination 36 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port. Both destinations are OpenDNS public resolvers, so the IPs themselves are not malicious; the signal is that lookups went around the resolver the host was configured with, which defeats resolver-side filtering and logging (and, together with the hosts-file rewrite above, gives the sample control over name resolution from both sides).
  Destination IP 208.67.220.220  (18 events)
  Destination IP 208.67.222.222  (18 events)
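The detection logic behind this signature, as an added example that is not part of the report: DNS-port traffic whose destination is not one of the configured resolvers. The flow records and the resolver address are constructed for the demo (the report does not say which process generated the traffic, so attributing it to InternetSecurityGuard.exe below is an assumption of the sample data); a real run feeds firewall, NetFlow or Sysmon event 3 records in. PowerShell 3 or later.

```powershell
# Added example, not from the report. Flags flows on port 53 whose destination is not a
# configured resolver, grouped by destination and process.
function Get-DnsBypass {
    param([object[]]$Flows, [string[]]$ConfiguredResolvers)
    # A bypass is a bypass whether the target is a benign public resolver (208.67.x.x is
    # OpenDNS) or attacker infrastructure: either way the configured resolver never sees it.
    $Flows |
        Where-Object { $_.DstPort -eq 53 -and ($ConfiguredResolvers -notcontains $_.DstIp) } |
        Group-Object DstIp, Process |
        ForEach-Object {
            [pscustomobject]@{
                DstIp   = $_.Group[0].DstIp
                Process = $_.Group[0].Process
                Flows   = $_.Count
            }
        }
}

# Live resolver list on Windows 8 / Server 2012 and later:
#   (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Sort-Object -Unique
# On Windows 7 (PowerShell 2 era):
#   Get-WmiObject Win32_NetworkAdapterConfiguration | ForEach-Object { $_.DNSServerSearchOrder }
$configuredResolvers = '10.0.0.2'      # constructed value for the demo

# Constructed flow records: SrcIp, DstIp, DstPort, Process.
$flows = @(
    [pscustomobject]@{ SrcIp = '10.0.0.15'; DstIp = '10.0.0.2';       DstPort = 53;  Process = 'svchost.exe' },
    [pscustomobject]@{ SrcIp = '10.0.0.15'; DstIp = '208.67.222.222'; DstPort = 53;  Process = 'InternetSecurityGuard.exe' },
    [pscustomobject]@{ SrcIp = '10.0.0.15'; DstIp = '208.67.220.220'; DstPort = 53;  Process = 'InternetSecurityGuard.exe' },
    [pscustomobject]@{ SrcIp = '10.0.0.15'; DstIp = '208.67.222.222'; DstPort = 53;  Process = 'InternetSecurityGuard.exe' },
    [pscustomobject]@{ SrcIp = '10.0.0.15'; DstIp = '93.184.216.34';  DstPort = 443; Process = 'InternetSecurityGuard.exe' }
)

Get-DnsBypass -Flows $flows -ConfiguredResolvers $configuredResolvers | Format-Table -AutoSize
```

The svchost.exe lookup to the configured resolver and the port-443 flow are not reported; the two OpenDNS destinations are. The preventive counterpart is an egress rule that allows UDP/TCP 53 only from the internal resolver, which turns this detection into a block; it does not cover DNS over HTTPS on 443, which needs a separate control.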
Adds Run key to start application 2 TTPs 2 IoCs
By InternetSecurityGuard.exe under \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion:
  Set value (str)  Run\Internet Security Guard = "\"C:\\ProgramData\\950a2\\ISd8b.exe\" /s /d"
  Key deleted      RunOnce
Checks for any installed AV software in registry 1 TTPs 1 IoCs
  Key opened  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Eset\Nod\  (InternetSecurityGuard.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Sets and queries EnableLUA (signature name not preserved on the page)
All entries by InternetSecurityGuard.exe under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
  Set value (int)    EnableLUA = "0"
  Set value (int)    EnableLUA = "1"
  Key value queried  EnableLUA
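An added example covering this entry and the UAC policy signature near the top of the list; it is not part of the report. It reads the four UAC policy values and translates them, treating an absent value as the Windows default it stands for. The value meanings are the documented ones; the function name and output layout are this example's own. Read-only, PowerShell 3 or later; the values are world-readable so no elevation is needed (the sample could only write them because the sandbox runs it as an administrator).

```powershell
# Added example, not from the report: decode the UAC policy state of this host.
$adminMeaning = @{
    0 = 'elevate without prompting (silent elevation for administrators)'
    1 = 'prompt for credentials on the secure desktop'
    2 = 'prompt for consent on the secure desktop'
    3 = 'prompt for credentials'
    4 = 'prompt for consent'
    5 = 'prompt for consent for non-Windows binaries (default)'
}
$userMeaning = @{
    0 = 'automatically deny elevation requests'
    1 = 'prompt for credentials on the secure desktop'
    3 = 'prompt for credentials (default)'
}

function Get-UacState {
    # One row per value. Present=$false means the value is absent and Windows uses the default shown.
    param([string]$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')
    $p = Get-ItemProperty -Path $Key
    $defaults = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; ConsentPromptBehaviorUser = 3; PromptOnSecureDesktop = 1 }
    foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser', 'PromptOnSecureDesktop') {
        $data = $p.$name
        $present = ($null -ne $data)
        if (-not $present) { $data = $defaults[$name] }
        $meaning = switch ($name) {
            'EnableLUA'                  { if ($data -eq 0) { 'UAC disabled (effective after reboot)' } else { 'UAC enabled' } }
            'ConsentPromptBehaviorAdmin' { $adminMeaning[[int]$data] }
            'ConsentPromptBehaviorUser'  { $userMeaning[[int]$data] }
            'PromptOnSecureDesktop'      { if ($data -eq 0) { 'prompt on the interactive desktop (spoofable)' } else { 'prompt on the secure desktop' } }
        }
        [pscustomobject]@{ Value = $name; Data = $data; Present = $present; Meaning = $meaning }
    }
}

$state = Get-UacState
$state | Format-Table -AutoSize

# The 1/0/0 combination from the report is the one that passes a casual glance: EnableLUA=1
# looks healthy, yet admins elevate with no prompt and standard users cannot elevate at all.
$silentAdmin = ($state | Where-Object { $_.Value -eq 'ConsentPromptBehaviorAdmin' }).Data -eq 0
$denyUser    = ($state | Where-Object { $_.Value -eq 'ConsentPromptBehaviorUser' }).Data -eq 0
if ($silentAdmin) { Write-Warning 'Administrators elevate silently; restore ConsentPromptBehaviorAdmin to 5 (or 2).' }
if ($denyUser)    { Write-Warning 'Standard users are auto-denied elevation; restore ConsentPromptBehaviorUser to 3.' }
```

A sample that sets these values had to be running elevated already, so the change is not about gaining privilege on this host; it removes the prompt that would otherwise reveal later elevations (and, with ConsentPromptBehaviorUser=0, stops a standard user from installing a real antivirus).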
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only)  \??\E: and \??\G: through \??\Z: (21 drive letters; D: and F: are not probed)  (InternetSecurityGuard.exe)
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system. The entry records a handle opened with write access on the raw disk, not the write itself; whether sector 0 actually changed has to be established on the host by comparing the boot sector with a known-good copy.
  File opened for modification  \??\PhysicalDrive0  (InternetSecurityGuard.exe)
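An added example, not part of the report: a parser for sector 0 that hashes the boot code and lists the partition table, so a snapshot taken from a clean image can be compared with the host after the sample ran. The demo sector is constructed (zero boot code, one NTFS partition); Read-Mbr reads the real disk and needs an elevated prompt. Function names are this example's own. PowerShell 3 or later.

```powershell
# Added example, not from the report. MBR layout: bytes 0-439 boot code, 440-443 disk
# signature, 446-509 four 16-byte partition entries, 510-511 the 0x55AA signature.
function Get-MbrInfo {
    param([byte[]]$Sector)
    if ($Sector.Length -lt 512) { throw 'Get-MbrInfo expects at least 512 bytes' }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bootHash = ([System.BitConverter]::ToString($sha.ComputeHash($Sector, 0, 440))).Replace('-', '')
    $partitions = for ($i = 0; $i -lt 4; $i++) {
        $o = 0x1BE + 16 * $i
        if ($Sector[$o + 4] -eq 0) { continue }          # empty slot
        [pscustomobject]@{
            Slot     = $i
            Bootable = ($Sector[$o] -eq 0x80)
            Type     = ('0x{0:X2}' -f $Sector[$o + 4])  # 0x07 NTFS, 0xEE GPT protective MBR
            StartLba = [System.BitConverter]::ToUInt32($Sector, $o + 8)   # little-endian, as on disk
            Sectors  = [System.BitConverter]::ToUInt32($Sector, $o + 12)
        }
    }
    [pscustomobject]@{
        ValidSignature = ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)
        DiskSignature  = ('0x{0:X8}' -f [System.BitConverter]::ToUInt32($Sector, 440))
        BootCodeSha256 = $bootHash
        Partitions     = @($partitions)
    }
}

function Read-Mbr {
    param([string]$Device = '\\.\PhysicalDrive0')
    # Raw device reads must be sector-aligned; 512 bytes from offset 0 always are.
    $fs = New-Object System.IO.FileStream($Device, 'Open', 'Read', 'ReadWrite')
    try {
        $buf = New-Object byte[] 512
        [void]$fs.Read($buf, 0, 512)
        $buf
    } finally { $fs.Dispose() }
}

# Constructed demo sector: zero boot code, one bootable NTFS partition at LBA 2048.
$demo = New-Object byte[] 512
$demo[0x1BE] = 0x80
$demo[0x1BE + 4] = 0x07
[System.BitConverter]::GetBytes([uint32]2048).CopyTo($demo, 0x1BE + 8)
[System.BitConverter]::GetBytes([uint32]204800).CopyTo($demo, 0x1BE + 12)
$demo[510] = 0x55
$demo[511] = 0xAA
Get-MbrInfo -Sector $demo | Format-List

# Live use (elevated): record BootCodeSha256 on a clean build of the same image, then compare.
#   (Get-MbrInfo -Sector (Read-Mbr)).BootCodeSha256
```

Compare BootCodeSha256 and the partition table, not the whole sector: the disk signature differs per machine by design. On a UEFI/GPT disk the only entry is the 0xEE protective partition and the boot code is unused, so a changed hash there is still a finding (nothing legitimate rewrites it) but not a working bootkit by itself.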
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings (signature name not preserved on the page)
Three things are done here: the default search scope ({0633EE93-D776-472f-A0FF-E1416B8B2E3A} is IE's default Bing scope) is pointed at findgala.com; CheckExeSignatures = "no" and RunInvalidSignatures = 1 switch off IE's Authenticode check on downloaded executables; and a PRS value carrying http://127.0.0.1:27777/?inj=%ORIGINAL% is set, which is not a standard Internet Explorer setting and, with a loopback port and an inj= parameter, is consistent with a local proxy that rewrites pages. The remaining values (IIL, ltHI, ltTST, BrowserEmulation\MSCompatibilityMode) are recorded without interpretation.
All entries by InternetSecurityGuard.exe under \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer:
  Key created      SearchScopes
  Key created      SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
  Set value (str)  SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://findgala.com/?&uid=7&q={searchTerms}"
  Set value (str)  PRS = "http://127.0.0.1:27777/?inj=%ORIGINAL%"
  Set value (int)  IIL = "0"
  Set value (str)  Download\CheckExeSignatures = "no"
  Set value (int)  Download\RunInvalidSignatures = "1"
  Key created      BrowserEmulation
  Set value (int)  BrowserEmulation\MSCompatibilityMode = "0"
  Set value (int)  ltHI = "0"
  Set value (int)  ltTST = "15831"
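An added example, not part of the report: an audit of the Internet Explorer values this sample writes, run across every loaded user hive because the sample also wrote search-scope URLs into .DEFAULT, S-1-5-19 and S-1-5-20 (see the HKEY_USERS signature below). The value names and paths are the ones in the report; the allow list of search providers and the function name are this example's assumptions. Read-only; run elevated to see other users' hives. PowerShell 3 or later.

```powershell
# Added example, not from the report. Reports IE settings that match what the sample set.
$ieValues = @(
    @{ Sub = 'Software\Microsoft\Internet Explorer\Download'; Name = 'CheckExeSignatures'
       IsBad = { param($v) "$v" -eq 'no' };       Why = 'Authenticode check on downloaded executables disabled' },
    @{ Sub = 'Software\Microsoft\Internet Explorer\Download'; Name = 'RunInvalidSignatures'
       IsBad = { param($v) $v -eq 1 };            Why = 'downloads with invalid signatures allowed to run' },
    @{ Sub = 'Software\Microsoft\Internet Explorer';          Name = 'PRS'
       IsBad = { param($v) "$v" -match '^https?://' }; Why = 'non-standard value carrying a URL (local injection proxy in this sample)' }
)
# Constructed allow list for the default search provider; adjust to what your build ships.
$searchAllow = '^https?://(www\.)?(bing|google|duckduckgo)\.com/'

function Get-IeFindings {
    foreach ($hive in (Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue)) {
        $base = "Registry::HKEY_USERS\$($hive.PSChildName)"
        foreach ($v in $ieValues) {
            $data = (Get-ItemProperty -Path "$base\$($v.Sub)" -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
            if ($null -ne $data -and (& $v.IsBad $data)) {
                [pscustomobject]@{ Hive = $hive.PSChildName; Value = "$($v.Sub)\$($v.Name)"; Data = $data; Why = $v.Why }
            }
        }
        # IE reads the URL under each {GUID} scope; the sample also wrote a URL directly on
        # the SearchScopes key in the service-account hives, so both are checked.
        $scopes = "$base\Software\Microsoft\Internet Explorer\SearchScopes"
        if (Test-Path $scopes) {
            $keys = @(Get-Item $scopes) + @(Get-ChildItem $scopes)
            foreach ($k in $keys) {
                $url = (Get-ItemProperty -Path $k.PSPath -Name URL -ErrorAction SilentlyContinue).URL
                if ($url -and $url -notmatch $searchAllow) {
                    [pscustomobject]@{ Hive = $hive.PSChildName; Value = "SearchScopes\$($k.PSChildName)\URL"; Data = $url; Why = 'search provider hijack' }
                }
            }
        }
    }
}

$findings = @(Get-IeFindings)
if ($findings.Count -eq 0) { 'no suspicious Internet Explorer settings found' }
else { $findings | Format-Table Hive, Value, Data, Why -AutoSize -Wrap }
```

A PRS hit is worth pairing with a listener check (netstat -ano for port 27777 and the owning PID) while the host is still live; the registry value survives a reboot, the listener only does if the Run key above restarts the sample.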
Modifies data under HKEY_USERS 6 IoCs
By InternetSecurityGuard.exe, in the default-profile and service-account hives (so the search hijack applies to LocalService and NetworkService as well):
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}"
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes
  Set value (str)  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}"
  Key created      \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}"
Modifies registry class 16 IoCs
Self-registration of a COM class (ProgID InternetSecurityGuard.DocHostUIHandler, CLSID {3F2BBC05-40DF-11D2-9455-00104BC936FF}) whose LocalServer32 is the sample's own executable, plus the same search-scope URL written into the user's Classes hive. All by InternetSecurityGuard.exe.
Under \REGISTRY\MACHINE\SOFTWARE\Classes:
  Key created      Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
  Set value (str)  Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler"
  Key created      Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID
  Set value (str)  Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "InternetSecurityGuard.DocHostUIHandler"
  Key created      Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32
  Set value (str)  Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FAKEAV~1\\INTERN~1.EXE"
  Key created      InternetSecurityGuard.DocHostUIHandler
  Set value (str)  InternetSecurityGuard.DocHostUIHandler\ = "Implements DocHostUIHandler"
  Key created      InternetSecurityGuard.DocHostUIHandler\Clsid
  Set value (str)  InternetSecurityGuard.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"
Under \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES:
  Key created      Software
  Key created      Software\Microsoft
  Key created      Software\Microsoft\Internet Explorer
  Key created      Software\Microsoft\Internet Explorer\SearchScopes  (recorded twice, once under the _Classes spelling)
  Set value (str)  Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}"
Suspicious behavior: EnumeratesProcesses 64 IoCs
  PID 2528 InternetSecurityGuard.exe (64 events)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description                 pid    Process
Token: SeSecurityPrivilege  1216   mofcomp.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid   Process
2528  InternetSecurityGuard.exe (2 entries)
Suspicious use of SendNotifyMessage 2 IoCs
pid   Process
2528  InternetSecurityGuard.exe (2 entries)
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
2528  InternetSecurityGuard.exe (2 entries)
Suspicious use of WriteProcessMemory 64 IoCs
description (each recorded 4 times)   pid    Process                    procid_target
PID 2528 wrote to memory of 1216      2528   InternetSecurityGuard.exe  28
PID 2528 wrote to memory of 900       2528   InternetSecurityGuard.exe  29
PID 2528 wrote to memory of 2656      2528   InternetSecurityGuard.exe  32
PID 2528 wrote to memory of 840       2528   InternetSecurityGuard.exe  35
PID 2528 wrote to memory of 2032      2528   InternetSecurityGuard.exe  37
PID 2528 wrote to memory of 2536      2528   InternetSecurityGuard.exe  39
PID 2528 wrote to memory of 2904      2528   InternetSecurityGuard.exe  41
PID 2528 wrote to memory of 3000      2528   InternetSecurityGuard.exe  43
PID 2528 wrote to memory of 1032      2528   InternetSecurityGuard.exe  45
PID 2528 wrote to memory of 2508      2528   InternetSecurityGuard.exe  47
PID 2528 wrote to memory of 2688      2528   InternetSecurityGuard.exe  49
PID 2528 wrote to memory of 1204      2528   InternetSecurityGuard.exe  51
PID 2528 wrote to memory of 1532      2528   InternetSecurityGuard.exe  53
PID 2528 wrote to memory of 3052      2528   InternetSecurityGuard.exe  55
PID 2528 wrote to memory of 2808      2528   InternetSecurityGuard.exe  57
PID 2528 wrote to memory of 988       2528   InternetSecurityGuard.exe  59
(16 target processes x 4 writes = 64 entries. The table stops at 64; the later nslookup children, PID 1152 onward in the process tree below, do not appear in it.)
System policy modification 1 TTPs 7 IoCs
description       ioc                                                                                                      Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                              InternetSecurityGuard.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"   InternetSecurityGuard.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"    InternetSecurityGuard.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    InternetSecurityGuard.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2"   InternetSecurityGuard.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2"    InternetSecurityGuard.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"                    InternetSecurityGuard.exe
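The policy table above records the sample writing 0 to ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser and EnableLUA and then writing 2, 2 and 1 back, so a check that only reads the registry after the run would see nothing wrong. The script below is an added example, not code from the report or from the sample: it replays registry write events in recorded order and raises an alert for each weakening value, then reports whether the weakening was undone. The event strings are constructed from the table above plus one control write outside the UAC policy key; the WEAKENING map lists the documented meanings of those three values.

```python
import re

# Constructed sample: the operations listed under "System policy modification" in this
# report, in recorded order, plus one control write outside the UAC policy key.
SAMPLE_REG_EVENTS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Example\NotUAC\EnableLUA = "0"',  # control: not the UAC key
]

UAC_KEY = r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# (value name, data) pairs that weaken UAC, with the documented meaning of each setting.
WEAKENING = {
    ('EnableLUA', 0): 'UAC switched off (EnableLUA=0 takes effect after reboot)',
    ('ConsentPromptBehaviorAdmin', 0): 'administrators elevate with no prompt at all',
    ('ConsentPromptBehaviorUser', 0): 'elevation requests from standard users silently denied',
}

# Matches the sandbox's 'Set value (type) <key>\<name> = "<data>"' line shape.
SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (.+)\\([^\\]+) = "([^"]*)"$')


def parse_set_value(line):
    """Parse one 'Set value' event into its parts; None for any other event kind."""
    m = SET_VALUE_RE.match(line)
    if not m:
        return None
    kind, key, name, data = m.groups()
    return {'type': kind, 'key': key, 'name': name,
            'data': int(data) if kind == 'int' else data}


def audit_uac_events(events):
    """Replay registry writes in order.

    Returns (alerts, final_state, transient): one alert per weakening write, the UAC
    policy values as they stand after the last event, and whether every weakening
    was later undone, which is exactly the case an end-state-only check misses.
    """
    alerts, state = [], {}
    for seq, line in enumerate(events):
        ev = parse_set_value(line)
        if ev is None or ev['key'].lower() != UAC_KEY.lower():
            continue  # other event types, or writes outside the UAC policy key
        state[ev['name']] = ev['data']
        reason = WEAKENING.get((ev['name'], ev['data']))
        if reason:
            alerts.append({'seq': seq, 'value': ev['name'], 'data': ev['data'], 'reason': reason})
    still_weak = [name for (name, data) in WEAKENING if state.get(name) == data]
    transient = bool(alerts) and not still_weak
    return alerts, state, transient


if __name__ == '__main__':
    alerts, state, transient = audit_uac_events(SAMPLE_REG_EVENTS)
    for a in alerts:
        print('event %(seq)d: %(value)s=%(data)s -> %(reason)s' % a)
    print('final state:', state, '| weakened then restored:', transient)
```

On this report's events the audit produces three alerts (events 1 to 3) and a final state of 2/2/1 with the transient flag set; a detection that keys on the write itself, rather than on the value left behind, is the one that catches this pattern.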
Processes
1. C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe"
   PID: 2528
   - UAC bypass
   - Enumerates VirtualBox registry keys
   - Blocks application from running via registry modification
   - Drops file in Drivers directory
   - Sets file execution options in registry
   - Loads dropped DLL
   - Adds Run key to start application
   - Checks for any installed AV software in registry
   - Checks whether UAC is enabled
   - Enumerates connected drives
   - Writes to the Master Boot Record (MBR)
   - Modifies Internet Explorer settings
   - Modifies data under HKEY_USERS
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   - System policy modification

   2. C:\Windows\SysWOW64\Wbem\mofcomp.exe
      Command line: mofcomp "C:\Users\Admin\AppData\Local\Temp\Fake AV\6268.mof"
      PID: 1216
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\netsh.exe
      Command line: netsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe" "Internet Security Guard" ENABLE
      PID: 900

   2. C:\Windows\SysWOW64\nslookup.exe (24 child processes of PID 2528; no behaviors flagged for any of them)
      Command line                                          PID
      nslookup -q=txt diinu560ubjjsv.com 8.8.8.8            2656
      nslookup -q=txt diinu560ubjjsv.net 8.8.8.8            840
      nslookup -q=txt diinu560ubjjsv.com 208.67.222.222     2032
      nslookup -q=txt diinu560ubjjsv.net 208.67.222.222     2536
      nslookup -q=txt diinu560ubjjsv.com 8.8.4.4            2904
      nslookup -q=txt diinu560ubjjsv.net 8.8.4.4            3000
      nslookup -q=txt diinu560ubjjsv.com 208.67.220.220     1032
      nslookup -q=txt diinu560ubjjsv.net 208.67.220.220     2508
      nslookup -q=txt insssyfinr1275tc.com 8.8.8.8          2688
      nslookup -q=txt insssyfinr1275tc.net 8.8.8.8          1204
      nslookup -q=txt insssyfinr1275tc.com 208.67.222.222   1532
      nslookup -q=txt insssyfinr1275tc.net 208.67.222.222   3052
      nslookup -q=txt insssyfinr1275tc.com 8.8.4.4          2808
      nslookup -q=txt insssyfinr1275tc.net 8.8.4.4          988
      nslookup -q=txt insssyfinr1275tc.com 208.67.220.220   1152
      nslookup -q=txt insssyfinr1275tc.net 208.67.220.220   1228
      nslookup -q=txt hppwycfjr1248swx.com 8.8.8.8          2428
      nslookup -q=txt hppwycfjr1248swx.net 8.8.8.8          2168
      nslookup -q=txt hppwycfjr1248swx.com 208.67.222.222   1944
      nslookup -q=txt hppwycfjr1248swx.net 208.67.222.222   904
      nslookup -q=txt hppwycfjr1248swx.com 8.8.4.4          2136
      nslookup -q=txt hppwycfjr1248swx.net 8.8.4.4          2404
      nslookup -q=txt hppwycfjr1248swx.com 208.67.220.220   1896
      nslookup -q=txt hppwycfjr1248swx.net 208.67.220.220   1200
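The process tree above contains three command-line patterns worth turning into detections: mofcomp compiling a .mof file out of the user's Temp directory, netsh adding a firewall exception for the sample itself, and 24 nslookup TXT queries for paired .com/.net names with random-looking labels, each sent directly to a Google or OpenDNS resolver (8.8.8.8, 8.8.4.4, 208.67.222.222, 208.67.220.220) rather than to whatever resolver the host is configured with, so the host's own DNS logging never sees them. The script below is an added example, not code from the report or from the sample; it classifies such command lines offline. The PUBLIC_RESOLVERS table, the looks_generated() label heuristic and the control lines in the sample are assumptions made for the demonstration; the sample command lines themselves are a subset of those listed in the tree.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: child command lines taken from this report's process tree
# (parent PID 2528), a representative subset of the 24 nslookup children, plus one
# benign nslookup line added as a control.
SAMPLE_CMDLINES = [
    r'mofcomp "C:\Users\Admin\AppData\Local\Temp\Fake AV\6268.mof"',
    r'netsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe" "Internet Security Guard" ENABLE',
    'nslookup -q=txt diinu560ubjjsv.com 8.8.8.8',
    'nslookup -q=txt diinu560ubjjsv.net 208.67.222.222',
    'nslookup -q=txt insssyfinr1275tc.com 8.8.4.4',
    'nslookup -q=txt hppwycfjr1248swx.net 208.67.220.220',
    'nslookup -q=txt hppwycfjr1248swx.com 8.8.8.8',
    'nslookup example.com',  # control: default record type, host's own resolver
]

# Well-known public resolvers (assumption: a short list is enough for the demo).
PUBLIC_RESOLVERS = {
    '8.8.8.8': 'Google Public DNS', '8.8.4.4': 'Google Public DNS',
    '208.67.222.222': 'OpenDNS', '208.67.220.220': 'OpenDNS',
    '1.1.1.1': 'Cloudflare', '9.9.9.9': 'Quad9',
}


def win_split(cmdline):
    """Minimal Windows-style argv splitter: a double-quoted run is one argument."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def exe_name(path):
    """'C:\\Windows\\SysWOW64\\nslookup.exe' -> 'nslookup'; bare 'netsh' -> 'netsh'."""
    return re.sub(r'\.exe$', '', path.rsplit('\\', 1)[-1].lower())


def looks_generated(label):
    """Cheap heuristic, not a classifier (assumption): a long label that mixes digits
    into letters, or that is almost vowel-free, is treated as algorithmically generated."""
    if len(label) < 10:
        return False
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in 'aeiou' for c in letters) / len(letters) if letters else 0.0
    return bool(re.search(r'[a-z]\d+[a-z]', label)) or vowel_ratio < 0.25


def is_external_resolver(server):
    """True when the explicit server argument is a globally routable IP address."""
    try:
        return ipaddress.ip_address(server).is_global
    except ValueError:
        return False


def classify(cmdline):
    """Return a finding dict for one command line, or None when nothing is flagged."""
    argv = win_split(cmdline)
    if not argv:
        return None
    prog, args = exe_name(argv[0]), argv[1:]
    low = [a.lower() for a in args]

    if prog == 'nslookup':
        # -q=, -query=, -querytype=, -type= and -ty= all select the record type
        qtype = next((a.split('=', 1)[1] for a in low
                      if a.startswith(('-q=', '-query=', '-querytype=', '-type=', '-ty='))), 'a')
        positional = [a for a in args if not a.startswith('-')]
        if not positional:
            return None
        name = positional[0].lower()
        server = positional[1] if len(positional) > 1 else None
        if qtype != 'txt' or server is None or not is_external_resolver(server):
            return None
        return {'rule': 'dns_txt_via_external_resolver', 'domain': name, 'resolver': server,
                'resolver_owner': PUBLIC_RESOLVERS.get(server, 'unlisted public IP'),
                'generated_label': looks_generated(name.split('.')[0])}

    if prog == 'netsh' and 'allowedprogram' in low:
        # legacy syntax: netsh firewall add allowedprogram <path> <name> ENABLE
        i = low.index('allowedprogram')
        return {'rule': 'firewall_exception_added',
                'program': args[i + 1] if i + 1 < len(args) else None}
    if prog == 'netsh' and 'advfirewall' in low and 'add' in low:
        # current syntax: netsh advfirewall firewall add rule ... program=<path> ...
        prog_arg = next((a.split('=', 1)[1] for a in args if a.lower().startswith('program=')), None)
        return {'rule': 'firewall_exception_added',
                'program': prog_arg.strip('"') if prog_arg else None}

    if prog == 'mofcomp':
        mofs = [a for a in args if a.lower().endswith('.mof')]
        # a MOF compiled from a user-writable path lands in the WMI repository; review it
        if mofs and re.search(r'\\(users|appdata|temp)\\', mofs[0], re.I):
            return {'rule': 'mof_compiled_from_user_writable_path', 'mof': mofs[0]}
    return None


def summarize(cmdlines):
    """Classify every command line and group the DNS findings by base label, so the
    paired .com/.net probes against several resolvers show up as one campaign."""
    findings = [f for f in map(classify, cmdlines) if f]
    grouped = defaultdict(lambda: {'tlds': set(), 'resolvers': set()})
    for f in findings:
        if f['rule'] == 'dns_txt_via_external_resolver':
            base, _, tld = f['domain'].rpartition('.')
            grouped[base]['tlds'].add(tld)
            grouped[base]['resolvers'].add(f['resolver'])
    domains = {b: {'tlds': sorted(v['tlds']), 'resolvers': sorted(v['resolvers'])}
               for b, v in grouped.items()}
    return findings, domains


if __name__ == '__main__':
    findings, domains = summarize(SAMPLE_CMDLINES)
    for f in findings:
        print(f)
    for base, info in domains.items():
        print(base, info)
```

The resolver check uses the explicit server argument, not the queried name: a TXT lookup through the host's configured resolver is unremarkable, while the same lookup aimed at a public IP is the signal, because it bypasses internal DNS controls and logging. Grouping by base label is what turns 24 separate process events into three names probed over two TLDs and four resolvers.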
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
- Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (5)
- Pre-OS Boot (1): Bootkit (1)
- Virtualization/Sandbox Evasion (1)
Downloads
Filesize 185B
MD5 b8224e5293d4fad1927c751cc00c80e7
SHA1 270b8c752c7e93ec5485361fe6ef7b37f0b4513b
SHA256 c47da9be4fc4d757add73c49654c9179067af547d0cc758d6356e2955bbfcb61
SHA512 8fed9a509e46319529145fa2159251e43040d26080af84e44badaab1dd339c767ff75a2c473bc0abfb448b03beb96718ee34ba6bc150ed3085322878b55a22f2

Filesize 196B
MD5 6e86650ad96258b23f022605c5f202d5
SHA1 321290e91871cb653441e3c87ee8b20ab5f008a0
SHA256 8c39246796530ee7588fc16486335d00d5b7273ebb26efe5833e4cfc2bcfe223
SHA512 e8a7bdf4bd2fba233a1a6cdf977d57dcb37ae46bc52bf29b4d23c6294e769069e146bcb5f56c4edbc3f93d38a226a9349f604b54156696ccdef41106cc05060c

Filesize 379B
MD5 d944553892495d3c37a6ac27016adbe4
SHA1 a7f277103566e68ae636a74f43d298f33bf05afe
SHA256 2e9257a23eb2a9573daabc180362244f10d0fd71801949c6415155681bad1054
SHA512 2876bcda9af7f99c17295d31e018cbef8e7388a732bde8f4f14443f00e4c0a46f8e7bc970429cd20f28324711f154eb46c1e0c969f1e21bf2fb9aea32568b344

Filesize 966B
MD5 1d7e870b93dbcde018a65e0847994515
SHA1 73d94152ebe31691026195aa380fff5d26956665
SHA256 bd7a4a379cf704aae3bd94f3106339b06340ee5105d01b82439ecf2af49cbf83
SHA512 e6d0e99ffa92864a570d48a459c2dd90b8c1d261f55a1a9bda15ec0efc2c9d22a3ef8d6f603713daa51433711bf97fe6375f9e169f39533d0bd32a001681beae

Filesize 1KB
MD5 f6b24a890b206418b0e05f5a4888ea6f
SHA1 7aaacc6c7bcb1d6ffd440434db2f134f0ac25085
SHA256 2378c709a4d7a83bc3a13c580423ef04cd5c3e661d19012b146e234a845317fd
SHA512 7a3d7e375938eb83607893f97af23f056c519b72340f3efbe283750c0d5a6fa70cd457b3da2d54658f8799c2a00dc32afd947c0dd72cd29c11633eebc9b0752a

Filesize 1KB
MD5 c6d4cf90d76826212a57b93f53f0565f
SHA1 c554a9cebe37de9831074ababd56d252652572d2
SHA256 49b4e777bef21024629618bb113a3961430946e89e93db710e27e2420136b69a
SHA512 81aa85b750fa1bd625207fe98155b2b5cf0957d3394782f236cf51fe1c6cc69e196cb58e0b03fb13882dc603453dabc1cd48e990fff168f7732b11a645159886

Filesize 1KB
MD5 e47adef3332aa1283a55584b2a9c90cf
SHA1 cf8efabf8e479fdbbb971e4c36fa07016bf68218
SHA256 d4c148fc0d6fdcdc0506257e2e6fd4a25fe94693cb39d82bcfbbbb01637a8c27
SHA512 324c0122162f5ffc2077bd2e5cfab514338e308553db12072b48a4e6ce437603b0b7e7623d73f57f3c8855ad22797cd41585b41c90a3cd54268296252dc9bf6a

Filesize 2KB
MD5 a9f9d936c27f0b5b4c3e5ddbf07e1358
SHA1 e51da0e07b175563929045fbe07ae462e6d4cf49
SHA256 d68b2ca47a5c8fc9ccfa7e242f3bfd2e3ecb08fe732b37d73d3f87217e227b85
SHA512 f775c016fea0f99fe70fecaed4ebeacf9e82da66d606c3acdfc71c5c723c7d72f186ce4fa3afd1615d1da5cc22d1f35c95a5b4186d215844cd4d0e792400fdc4

Filesize 2KB
MD5 c0210a2defb97ac1890800ab4b5af52b
SHA1 4067d186fa46058c5fa169f536a0e83666bd07c1
SHA256 6f9baabbc7d1ef90d8c1128b3097d6e7ad72295e8d263e68f9be5fb90fe6ba93
SHA512 1eda226b115fdee2af936cc0d7aa212f932aca69d7c85488f820d097399d765330bee7b9d4be43e83a609078d9b33d2ffcad969dccdf90c06fabd2918773170f

Filesize 3KB
MD5 13135dc1279964a6aa92b46ab82d6279
SHA1 bd2936bbdd4118f8a3f48b8832603add454188ff
SHA256 1dc7e8e69aa900b0ba178b3ed723b0aed4251a17ea340b387289134b04059a99
SHA512 ad42cf2a927be5a0b0019b6549c2ac13ed70f2dfddb9eb43c6178eacd58456da50c3a438bfadcb2453bbf4295b8af5e6bdc83b00772c6cf973132a2d8b1a1142

Filesize 3KB
MD5 8ef69bb48614c47d4db2c50d9cb110e9
SHA1 8517ede42a51a85e007ad6a8b7a5f31cb052a3a4
SHA256 7fdbfb196a9a2a459dac40cfd64579023b6dd73f459a21f0cb9f6f31ef3e1acd
SHA512 c0bc99c3d63d1078a1565fc4537a21d7f5192d15bffbfd24791c639a172cf21a437ba8a94af0b73205b9161da17d9a0705ee356e36051c9e1b33d95770b140ac

Filesize 3KB
MD5 3c289ac5a115ba9586bf10dc16bd0980
SHA1 94a5265ac997743d9be1151a570556647b69d42a
SHA256 5355fb173e76a2daa5fdcf282da294327a43b21437fc29d9fbdfcd82161dd9f5
SHA512 18586d69f547aedb6e8748c0f19ad5ffa6f7331fd22f3d910faef1438cbdcd969425eabf33f4f76e2635868dff8c51de64731de2e93497c1a3564fb9559d4162

Filesize 4KB
MD5 3ad3f24bc189a45079baff6571151fe7
SHA1 b6bc2e3762188d61fa14c59b610c91590900017f
SHA256 5c6a09e9c9bceac624b6c93d9cd50ec9c3b38420c537bddd4f26dfbea9a008a5
SHA512 8e81575e16453ef7310a597b045fb0d21997ce52c0557c9b0465571807e2316b6ef822b080b7254cbdcf75a741745d4257159974b449dd2cd9925a1f15bd0d16

Filesize 5KB
MD5 9b64af85665c3a3e8ab5c06b9d303913
SHA1 2ca045532485cd3581e0fca97687198f0c1bdd96
SHA256 f6fcd9c5ce5bc10d09975733d5a4880d4ec455d81f420c0dd4ee4a36b7010f5f
SHA512 df2fe4591bc04de3807874df806fc5376a955599512964143879d305f4ddbaab7980496c002fd5354e8c4c12651b514cb4bc67fb2f607541ff60c49abc721d28

Filesize 5KB
MD5 2ad1ec31c50312fbbc0dd3e2910c7de2
SHA1 21f54bd4ceff1d048e68602663b846f1f6a48934
SHA256 6116afa74c49f0c797242bf7e9900f465518792fe86d2e678f2cf778166a0932
SHA512 7c3004edcdc8c00ff1fb6c670fcfdecd145fc138978d934daf44ef1a8d50e179ef115735216383008e0d862eb6d3c74b1428b33245fd5bf86abec43b2d4bd311

Filesize 7KB
MD5 bc8c2d6f97728c77a8c825178eeb445e
SHA1 2ddb97581fe738ba490be337b82d70a192dd9630
SHA256 5b22b82bf996cafba4ad5dd915b426f4f32c510bfe3b3136974b1e105941e8a3
SHA512 be836def9e8110c53513371a9ed44c67144bd00e428c7b430fbab68e31174d9a3524740538881d647475f582748d12793a688989c01c7c25861175974e759a21

Filesize 7KB
MD5 db196ee1844f3950008bb86ec82acdb1
SHA1 930ba07fa559690ee5d2ce91b8a5d20b05d6bec2
SHA256 4e3b310576a8fa413f83e7068dfaacd1a82c9e720a5ccb143b758b827d0b996c
SHA512 7e19e93e059488c8863dcb7ea45a7a4278c289226d6c5ec2fa845b8174e2844bcb36926bdda6a04bf8411d2f7f0daef349a581ec47a78ab0c725daea1b400790

Filesize 9KB
MD5 2773e4086a9c57488c5992de32152777
SHA1 56f42e7beb28ca2a4625c2b2467fc187c5ff6958
SHA256 29c507e0d5eec9b50ce4a296ba88bc878603a432aeb6a4334f8013a1b1310510
SHA512 bdfd3ae11e184023a7206a8e79eb2db0cf0eb01f18464d94aa97d58152128974f686af05031afb4d9b58a9f9ad0c8a0a0dab4ae54ee8f274f3b1c6366f09b256

Filesize 10KB
MD5 77d2ba61309fa75c6b8849927a07e80b
SHA1 a434e07347c11a6cac5818cbba8a744360ac90aa
SHA256 6a1aad4377df69a7311e45541f6cbec2e42177c37c7d1ff2a8340554673da411
SHA512 c6d76169bcbbcf07075eb1037b9adc7c77ba02a0d509138bc7ebd5e0c8bd85574196fea5ec084b77d6d1720abc5228380f914ecb6d717cc30393ba6f362894ef

Filesize 15KB
MD5 73270e88d6722cdffe3324da5d65c8e1
SHA1 9e1ca64987a61adb268dba4ecbe60b2a78c48ba6
SHA256 7af912c582b50346b5d0dabd6ec7ac61fcee539901f758ce2a9affab90a7f32e
SHA512 4f3f724f0f6b2cc351bc2ec7dad9cbf1db825c16e5b7c3fad327c71ce4daa37741ac288a57861785d29e05d859b546ce4813591c423a2ca8d67776e3220f0d61

Filesize 16KB
MD5 7358933b8c282d1ce7fad257a6eab201
SHA1 9d6ed6def0c954dbe47e6a0c3732e1871d8eda37
SHA256 573a65946722e64288bf7dedf5d3993754431371ed2d3b9914234e8eba655e8d
SHA512 9b827e9750f7ca5202226bd55dc0d03a280f7f1169a2a1deb078b4f59dca7629915274d51336d0a766577ab90d78c1ce50817912a0e98dd48c2761cba9d2d455

Filesize 16KB
MD5 16f82047e7dcd74baaef57131aacd8e5
SHA1 9f9717625d46d2613f86697d3c5e032409cde514
SHA256 8a3c5ce4fa15e1f77fe557e82c64c191e99b4fc2555e3d4a6faf2a8ce7682140
SHA512 309cde87652f4a74b07c440a58bbf332e89d0987a688b5efb5ed10a0546988c007a09cd0893da2713fd46625adbd9703e9d2d6afb0d491d04e04353c74cf5034

Filesize 344B
MD5 3754f8f8abad5bad797085d0717a9766
SHA1 48d92f36cb721b390e216aa03b27b41f25c563fc
SHA256 3c77f5f888d417a7a31284cb8c5e3bdb4d926c4a274cecac8a8b2920659d5927
SHA512 c59f322ece53c757767e52fe9bfbc3526a13afe9ec7503e3d1cae683eeb55cbb808a1bce720fd58f97f286756d314124bcf797c2167275e08ed93ba759bf3985

Filesize 6KB
MD5 5a0c148c31b3b650d47a2c460bba6a34
SHA1 332e5f7054a9e72ac2abf344d9f0c715eb3bfb4d
SHA256 55a06c795d961bd867e893943bb44dbef56b30cb5bd1005cfb73cfd870f4586b
SHA512 63d0416d1a0e3093389d15578f05f157eba9e19a1a0f029432a8ef2db8a4806deafb130a757d7c72e6afc9213fbc141091c888d8aaf310a5cd8666479f557259

Filesize 977B
MD5 53316bc0c42b9d65743709021f1d03c7
SHA1 44cfe377bf7fedee2ce8f888cfacefd283e924e6
SHA256 600d914eb6b9ffb387be5b7300ca138192a4e86c4679c9bff36bcf0364e74b36
SHA512 9b390f6d7955413c8d63d02dff6988442cf78bbfb72e12f7deab56b190c1a7f455c5af3344ee5a1f7477d383c24e567af4fb7639ab6d9f014935418bf1cf00f6

Filesize 1.9MB
MD5 ecf9e501c84edb61b900636872b2460b
SHA1 9f021fc6f854c464114414b2b7be94d03e8f5527
SHA256 ae0c64f062dc58bb2fc49defde49ec237868b1e76eb58ef10638c1159e97bc35
SHA512 daecfa18f31d4537deb587ab1454dbc375834e9dc3d821941944af2507bcd43aeaf984aee0d1cd3dc678711a4671f66373a35c1e0bf0122f67f2c8e0bbf1d3c5

Filesize 2.4MB
MD5 7a1512578792b66929f21b15d6eef11f
SHA1 487ec823f377cc33b6d6f21b93a61a22f99ede93
SHA256 f6ff2170e4fe8480ce8ba96a279378a8113b4b860eda894ec0529bfdcbdd648c
SHA512 e6dcf7225d7d3ab1b1a57ebf76acc9ed10d75ec2a3a53300b9fe4fe40f9434894ac166e95fc71df353f7cef18fc60c0bd6171a08b8add23f925588952e071b34

Filesize 2.8MB
MD5 dbc1b5409b07406549df6d8c34157f5e
SHA1 121c8e1241dd7a75e3327ce6823a49b212b479dc
SHA256 40671c721a6aaa4e42350c8709b3aceccaf051ff568035d976e06b0278616d53
SHA512 3a96d8a233e8e2d2d215298f57633e107162ca801e07b1c19ee84d15800e4a7d875248e2d26b5ce8d8e5dfadf87c79f503a798120b3379dc5ecdd5f629703280