Analysis (score: 10)
max time kernel: 150s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/03/2024, 22:34
Behavioral tasks (task: sample / resource)
behavioral1: Fake AV/AnViPC2009.exe / win7-20240221-en
behavioral2: Fake AV/AnViPC2009.exe / win10v2004-20240226-en
behavioral3: Fake AV/Ana.exe / win7-20240221-en
behavioral4: Fake AV/Ana.exe / win10v2004-20240226-en
behavioral5: Fake AV/Antivirus.exe / win7-20240221-en
behavioral6: Fake AV/Antivirus.exe / win10v2004-20240226-en
behavioral7: Fake AV/Antivirus2010.exe / win7-20240221-en
behavioral8: Fake AV/Antivirus2010.exe / win10v2004-20240226-en
behavioral9: Fake AV/AntivirusPlatinum.exe / win7-20240221-en
behavioral10: Fake AV/AntivirusPlatinum.exe / win10v2004-20240226-en
behavioral11: Fake AV/AntivirusPro2017.exe / win7-20240221-en
behavioral12: Fake AV/AntivirusPro2017.exe / win10v2004-20240226-en
behavioral13: Fake AV/CleanThis.exe / win7-20240220-en
behavioral14: Fake AV/CleanThis.exe / win10v2004-20240226-en
behavioral15: Fake AV/FakeAdwCleaner.exe / win7-20240221-en
behavioral16: Fake AV/FakeAdwCleaner.exe / win10v2004-20240226-en
behavioral17: 6AdwCleaner.exe / win7-20240221-en
behavioral18: 6AdwCleaner.exe / win10v2004-20240226-en
behavioral19: Fake AV/FileFixPro/FFProInstall.exe / win7-20240221-en
behavioral20: Fake AV/FileFixPro/FFProInstall.exe / win10v2004-20240226-en
behavioral21: Fake AV/HappyAntivirus.exe / win7-20240221-en
behavioral22: Fake AV/HappyAntivirus.exe / win10v2004-20240226-en
behavioral23: Fake AV/InternetSecurityGuard.exe / win7-20240221-en
behavioral24: Fake AV/InternetSecurityGuard.exe / win10v2004-20240226-en
behavioral25: Fake AV/LPS2019.exe / win7-20240220-en
behavioral26: Fake AV/LPS2019.exe / win10v2004-20240226-en
behavioral27: Fake AV/Movie.mpeg.exe / win7-20240215-en
behavioral28: Fake AV/Movie.mpeg.exe / win10v2004-20240226-en
behavioral29: Fake AV/NavaShield.exe / win7-20240221-en
behavioral30: Fake AV/NavaShield.exe / win10v2004-20240226-en
behavioral31: Fake AV/PCDefender.exe / win7-20240221-en
behavioral32: Fake AV/PCDefender.exe / win10v2004-20240226-en
General
Target: Fake AV/InternetSecurityGuard.exe
Size: 6.1MB
MD5: 04155ed507699b4e37532e8371192c0b
SHA1: a14107131237dbb0df750e74281c462a2ea61016
SHA256: b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77
SHA512: 6de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371
SSDEEP: 98304:hvOOFJ+Z8eAgy7SH9s76RSvyqJOBgECfMfYv+85JH0DVczt8A:hvOOFJ+ggr9s76R+wcMAv+IHCczt8
Signatures

Checks for common network interception software (1 TTPs)
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
Enumerates VirtualBox registry keys (2 TTPs, 1 IoCs)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest (process: InternetSecurityGuard.exe)
Blocks application from running via registry modification (18 IoCs)
Adds application to list of disallowed applications.
All entries are written by InternetSecurityGuard.exe under \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun:
  Set value (str) DisallowRun\0 = "msseces.exe"
  Set value (str) DisallowRun\2 = "ekrn.exe"
  Set value (str) DisallowRun\11 = "avgcfgex.exe"
  Key created DisallowRun\
  Set value (str) DisallowRun\4 = "avgnt.exe"
  Set value (str) DisallowRun\6 = "avscan.exe"
  Set value (str) DisallowRun\8 = "avgui.exe"
  Set value (str) DisallowRun\9 = "avgtray.exe"
  Set value (str) DisallowRun\10 = "avgscanx.exe"
  Set value (str) DisallowRun\13 = "avgchsvx.exe"
  Set value (str) DisallowRun\15 = "avgwdsvc.exe"
  Set value (str) DisallowRun\1 = "MSASCui.exe"
  Set value (str) DisallowRun\5 = "avcenter.exe"
  Set value (str) DisallowRun\7 = "avgfrw.exe"
  Set value (str) DisallowRun\14 = "avgcmgr.exe"
  Set value (int) DisallowRun = "1"
  Set value (str) DisallowRun\3 = "egui.exe"
  Set value (str) DisallowRun\12 = "avgemc.exe"
Drops file in Drivers directory (4 IoCs)
All by InternetSecurityGuard.exe:
  File created C:\Windows\system32\drivers\etc\host_new
  File created C:\Windows\System32\drivers\etc\hosts
  File opened for modification C:\Windows\System32\drivers\etc\hosts
  File opened for modification C:\Windows\system32\drivers\etc\hosts
Sets file execution options in registry (2 TTPs, 64 IoCs)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Unexpected DNS network traffic destination (36 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
The 36 IoCs repeat two destinations:
  Destination IP 208.67.222.222
  Destination IP 208.67.220.220
Adds Run key to start application (2 TTPs, 2 IoCs)
Both by InternetSecurityGuard.exe:
  Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Internet Security Guard = "\"C:\\ProgramData\\8b93e\\IS978.exe\" /s /d"
  Key deleted \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Checks for any installed AV software in registry (1 TTPs, 1 IoCs)
  Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\ (process: InternetSecurityGuard.exe)
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by InternetSecurityGuard.exe on \??\W:, \??\X:, \??\R:, \??\T:, \??\V:, \??\E:, \??\G:, \??\K:, \??\M:, \??\O:, \??\Z:, \??\I:, \??\J:, \??\N:, \??\Q:, \??\U:, \??\H:, \??\L:, \??\P:, \??\S:, \??\Y:
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification \??\PhysicalDrive0 (process: InternetSecurityGuard.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Internet Explorer registry changes, all by InternetSecurityGuard.exe:
  Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\PRS = "http://127.0.0.1:27777/?inj=%ORIGINAL%"
  Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\ltHI = "0"
  Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"
  Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\BrowserEmulation
  Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://findgala.com/?&uid=7&q={searchTerms}"
  Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\SearchScopes
  Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
  Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\IIL = "0"
  Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\ltTST = "15831"
  Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"
  Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\MSCompatibilityMode = "0"
Modifies data under HKEY_USERS (6 IoCs)
All by InternetSecurityGuard.exe:
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes
  Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}"
  Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes
  Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}"
  Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes
  Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}"
Modifies registry class (15 IoCs)
All by InternetSecurityGuard.exe:
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\InternetSecurityGuard.DocHostUIHandler\ = "Implements DocHostUIHandler"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FAKEAV~1\\INTERN~1.EXE"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\InternetSecurityGuard.DocHostUIHandler
  Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Software\Microsoft
  Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Software\Microsoft\Internet Explorer
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\InternetSecurityGuard.DocHostUIHandler\Clsid
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID
  Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\InternetSecurityGuard.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "InternetSecurityGuard.DocHostUIHandler"
  Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Software
  Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}"
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 64 InternetSecurityGuard.exe (the same process for all 64 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeSecurityPrivilege, pid 4488 mofcomp.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 64 InternetSecurityGuard.exe (both IoCs)

Suspicious use of SendNotifyMessage (2 IoCs)
  pid 64 InternetSecurityGuard.exe (both IoCs)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 64 InternetSecurityGuard.exe (both IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

- C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe (PID 64, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe"
  - Enumerates VirtualBox registry keys
  - Blocks application from running via registry modification
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Adds Run key to start application
  - Checks for any installed AV software in registry
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Child processes (level 2):
  - C:\Windows\SysWOW64\Wbem\mofcomp.exe (PID 4488)
    Command line: mofcomp "C:\Users\Admin\AppData\Local\Temp\Fake AV\5781.mof"
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\netsh.exe (PID 3300)
    Command line: netsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe" "Internet Security Guard" ENABLE
  - C:\Windows\SysWOW64\nslookup.exe (PID 3012)
    Command line: nslookup -q=txt diinu560ubjjsv.com 8.8.8.8
  - C:\Windows\SysWOW64\nslookup.exe (PID 4320)
    Command line: nslookup -q=txt diinu560ubjjsv.net 8.8.8.8
  - C:\Windows\SysWOW64\nslookup.exe (PID 3780)
    Command line: nslookup -q=txt diinu560ubjjsv.com 208.67.222.222
  - C:\Windows\SysWOW64\nslookup.exe (PID 2752)
    Command line: nslookup -q=txt diinu560ubjjsv.net 208.67.222.222
  - C:\Windows\SysWOW64\nslookup.exe (PID 4076)
    Command line: nslookup -q=txt diinu560ubjjsv.com 8.8.4.4
  - C:\Windows\SysWOW64\nslookup.exe (PID 668)
    Command line: nslookup -q=txt diinu560ubjjsv.net 8.8.4.4
  - C:\Windows\SysWOW64\nslookup.exe (PID 4072)
    Command line: nslookup -q=txt diinu560ubjjsv.com 208.67.220.220
  - C:\Windows\SysWOW64\nslookup.exe (PID 836)
    Command line: nslookup -q=txt diinu560ubjjsv.net 208.67.220.220
  - C:\Windows\SysWOW64\nslookup.exe (PID 1408)
    Command line: nslookup -q=txt insssyfinr1275tc.com 8.8.8.8
  - C:\Windows\SysWOW64\nslookup.exe (PID 3372)
    Command line: nslookup -q=txt insssyfinr1275tc.net 8.8.8.8
  - C:\Windows\SysWOW64\nslookup.exe (PID 2520)
    Command line: nslookup -q=txt insssyfinr1275tc.com 208.67.222.222
  - C:\Windows\SysWOW64\nslookup.exe (PID 5100)
    Command line: nslookup -q=txt insssyfinr1275tc.net 208.67.222.222
  - C:\Windows\SysWOW64\nslookup.exe (PID 1956)
    Command line: nslookup -q=txt insssyfinr1275tc.com 8.8.4.4
  - C:\Windows\SysWOW64\nslookup.exe (PID 2596)
    Command line: nslookup -q=txt insssyfinr1275tc.net 8.8.4.4
  - C:\Windows\SysWOW64\nslookup.exe (PID 5092)
    Command line: nslookup -q=txt insssyfinr1275tc.com 208.67.220.220
  - C:\Windows\SysWOW64\nslookup.exe (PID 3808)
    Command line: nslookup -q=txt insssyfinr1275tc.net 208.67.220.220
  - C:\Windows\SysWOW64\nslookup.exe (PID 2416)
    Command line: nslookup -q=txt hppwycfjr1248swx.com 8.8.8.8
  - C:\Windows\SysWOW64\nslookup.exe (PID 2224)
    Command line: nslookup -q=txt hppwycfjr1248swx.net 8.8.8.8
  - C:\Windows\SysWOW64\nslookup.exe (PID 3112)
    Command line: nslookup -q=txt hppwycfjr1248swx.com 208.67.222.222
  - C:\Windows\SysWOW64\nslookup.exe (PID 2540)
    Command line: nslookup -q=txt hppwycfjr1248swx.net 208.67.222.222
  - C:\Windows\SysWOW64\nslookup.exe (PID 1012)
    Command line: nslookup -q=txt hppwycfjr1248swx.com 8.8.4.4
  - C:\Windows\SysWOW64\nslookup.exe (PID 3056)
    Command line: nslookup -q=txt hppwycfjr1248swx.net 8.8.4.4
  - C:\Windows\SysWOW64\nslookup.exe (PID 4540)
    Command line: nslookup -q=txt hppwycfjr1248swx.com 208.67.220.220
  - C:\Windows\SysWOW64\nslookup.exe (PID 1268)
    Command line: nslookup -q=txt hppwycfjr1248swx.net 208.67.220.220
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Pre-OS Boot (1)
  - Bootkit (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)

Defense Evasion
- Modify Registry (3)
- Pre-OS Boot (1)
  - Bootkit (1)
- Virtualization/Sandbox Evasion (1)
Downloads