Analysis (score 10)

max time kernel: 150s
max time network: 134s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02/03/2024, 22:34
Behavioral tasks (task, sample, analysis resource)

behavioral1    Fake AV/AnViPC2009.exe                 win7-20240221-en
behavioral2    Fake AV/AnViPC2009.exe                 win10v2004-20240226-en
behavioral3    Fake AV/Ana.exe                        win7-20240221-en
behavioral4    Fake AV/Ana.exe                        win10v2004-20240226-en
behavioral5    Fake AV/Antivirus.exe                  win7-20240221-en
behavioral6    Fake AV/Antivirus.exe                  win10v2004-20240226-en
behavioral7    Fake AV/Antivirus2010.exe              win7-20240221-en
behavioral8    Fake AV/Antivirus2010.exe              win10v2004-20240226-en
behavioral9    Fake AV/AntivirusPlatinum.exe          win7-20240221-en
behavioral10   Fake AV/AntivirusPlatinum.exe          win10v2004-20240226-en
behavioral11   Fake AV/AntivirusPro2017.exe           win7-20240221-en
behavioral12   Fake AV/AntivirusPro2017.exe           win10v2004-20240226-en
behavioral13   Fake AV/CleanThis.exe                  win7-20240220-en
behavioral14   Fake AV/CleanThis.exe                  win10v2004-20240226-en
behavioral15   Fake AV/FakeAdwCleaner.exe             win7-20240221-en
behavioral16   Fake AV/FakeAdwCleaner.exe             win10v2004-20240226-en
behavioral17   6AdwCleaner.exe                        win7-20240221-en
behavioral18   6AdwCleaner.exe                        win10v2004-20240226-en
behavioral19   Fake AV/FileFixPro/FFProInstall.exe    win7-20240221-en
behavioral20   Fake AV/FileFixPro/FFProInstall.exe    win10v2004-20240226-en
behavioral21   Fake AV/HappyAntivirus.exe             win7-20240221-en
behavioral22   Fake AV/HappyAntivirus.exe             win10v2004-20240226-en
behavioral23   Fake AV/InternetSecurityGuard.exe      win7-20240221-en
behavioral24   Fake AV/InternetSecurityGuard.exe      win10v2004-20240226-en
behavioral25   Fake AV/LPS2019.exe                    win7-20240220-en
behavioral26   Fake AV/LPS2019.exe                    win10v2004-20240226-en
behavioral27   Fake AV/Movie.mpeg.exe                 win7-20240215-en
behavioral28   Fake AV/Movie.mpeg.exe                 win10v2004-20240226-en
behavioral29   Fake AV/NavaShield.exe                 win7-20240221-en
behavioral30   Fake AV/NavaShield.exe                 win10v2004-20240226-en
behavioral31   Fake AV/PCDefender.exe                 win7-20240221-en
behavioral32   Fake AV/PCDefender.exe                 win10v2004-20240226-en
General

Target: Fake AV/Antivirus2010.exe
Size: 775KB
MD5: f49bcb5336b1e1212ae82cbb98f8dfe4
SHA1: fc87518aee297f9c18e40f4604ea048aec0342c4
SHA256: 1501affdcf557a9dcb73ae34d43365d5301532a48328564160fdc1f3acb01e2e
SHA512: 51a4b1a5ede81e4dbeb9a335fe3a370e6ae452a46d4f4ce8753b37d6e399b00e0de3b066921febf1b5b20f5e3356e0d93da5df366acd2002b792ecb7eb32a7e4
SSDEEP: 12288:msCyG0JUuqby8mkxhZZIQUopL1UnDs1WxWM1W0pdNkFGNjB7tDWYK:j/kxX/ZLwo1WgMPACBv
Malware Config
Signatures
Modifies security service (2 TTPs, 3 IoCs)
  Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection  [Process not Found]
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"  [svchost.exe]
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP  [Process not Found]
Start = 4 is SERVICE_DISABLED: wscsvc (the Windows Security Center service) will not start on the next boot, so it can no longer report that antivirus or firewall protection has gone missing. The write comes from svchost.exe, which by this point is hosting injected code (see the WriteProcessMemory entries below), not from a legitimate service host.
Security Center override flags set (4 IoCs; the signature heading for this block is not present on the page)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = "1"  [svchost.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1"  [svchost.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1"  [svchost.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = "1"  [svchost.exe]
With these set to 1 the Windows 7 Security Center suppresses its "no antivirus / firewall off" alerts, so the user gets no warning once the real protection is disabled. Together with the wscsvc change above this is the complete recipe for silencing the built-in status monitor; both should be reverted during cleanup.
Sets service image path in registry (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\userinit\ImagePath = "\\.\globalroot\systemroot\system32\usеrinit.exe"  [usеrinit.exe]
Two details matter here. The service is called userinit, but Windows has no such service: the genuine userinit.exe is started by Winlogon through the Winlogon\Userinit value, not as a service. And the file name is not userinit.exe: its third letter is a Cyrillic е (U+0435), so the dropped binary sits next to the real file in System32 without colliding with it and passes a casual visual check. The \\.\globalroot\systemroot\ prefix is a device-namespace spelling of the Windows directory, which defeats filters that match on the drive-letter path.
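The ImagePath value above is the indicator a script is most likely to get wrong, because the file name only looks like userinit.exe. The following is an added example, not part of the Triage report or of the sample: it takes a path's basename, lists every letter whose script differs from the name's dominant script, and maps known Cyrillic look-alikes back to Latin so the imitated name can be matched against a list of Windows binaries. SYSTEM_BINARIES, the confusables table and the function names are assumptions for the example; the input is the report's value with the third letter written explicitly as U+0435.

```python
"""Detect script-mixing homoglyphs in a file name and recover what it imitates."""
import unicodedata

# Constructed from this report's ImagePath value; the third letter of the file
# name is spelt out as U+0435 (CYRILLIC SMALL LETTER IE) so it is unambiguous.
IMAGE_PATH = "\\\\.\\globalroot\\systemroot\\system32\\us\u0435rinit.exe"

# Windows binaries a dropper commonly imitates (assumed list for the example).
SYSTEM_BINARIES = {"userinit.exe", "svchost.exe", "explorer.exe", "winlogon.exe", "lsass.exe"}

# Cyrillic letters that render like Latin ones (a subset of Unicode confusables).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
})


def script_of(ch: str) -> str:
    """Coarse script bucket taken from the first word of the Unicode name."""
    if not ch.isalpha():
        return "other"
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0].lower()  # latin, cyrillic, ...


def mixed_script_chars(name: str) -> list[tuple[int, str, str]]:
    """(index, char, script) for every letter outside the name's dominant script."""
    letters = [(i, c, script_of(c)) for i, c in enumerate(name) if c.isalpha()]
    if not letters:
        return []
    counts: dict[str, int] = {}
    for _, _, script in letters:
        counts[script] = counts.get(script, 0) + 1
    dominant = max(counts, key=counts.get)
    return [(i, c, s) for i, c, s in letters if s != dominant]


def skeleton(name: str) -> str:
    """Fold known confusables so look-alike names compare equal."""
    return unicodedata.normalize("NFKC", name).translate(CONFUSABLES)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def check_image_path(path: str) -> dict:
    """Report whether the file name mixes scripts and which system binary it imitates."""
    name = basename(path)
    odd = mixed_script_chars(name)
    target = skeleton(name).lower()
    return {
        "basename": name,
        "ascii": name.isascii(),
        "mixed_script": odd,
        "masquerades_as": target if odd and target in SYSTEM_BINARIES else None,
    }


if __name__ == "__main__":
    print(check_image_path(IMAGE_PATH))
    print(check_image_path("C:\\Windows\\System32\\userinit.exe"))
```

The dominant-script test catches names with one or two foreign letters; a name written entirely in Cyrillic would pass it, which is why the skeleton comparison is kept as a second check.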
Deletes itself (1 IoC)
  pid 1724  cmd.exe

Executes dropped EXE (1 IoC)
  pid 3012  usеrinit.exe

Loads dropped DLL (1 IoC)
  pid 2124  Antivirus2010.exe
Modifies system executable filetype association (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"exefile\" /shell <%1> %*"  [svchost.exe]
The default for this value is "%1" %*. Any other command means every .exe launched through the shell is routed through the hijacker first; this is how fake AV families block or intercept security tools the user tries to run. Restoring the default is part of cleanup: once the dropped files are removed, a still-hijacked association would make double-clicking any executable fail.
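The service, Security Center, ImagePath and exefile writes above are the entries that decide whether a host is still defended, so they are worth extracting mechanically from a report in this format. The example below is added here and is not Triage's code: it parses IoC lines in the flattened form shown on this page (operation, optional value type, registry path, optional value, writing process) and applies four checks: wscsvc Start = 4, Security Center override flags, a non-default exefile open command, and a service ImagePath written by a process other than services.exe. The IoC lines are copied from this report (with the Cyrillic letter in the dropped file name spelt out as U+0435); the rule set and the names are assumptions for the example.

```python
"""Parse Triage-style registry IoC lines and flag defence-evasion changes."""
import re

# Constructed subset of the IoC lines in this report. The dropped binary's
# name contains U+0435 (Cyrillic е); it is spelt out so it cannot be confused
# with an ASCII 'e'.
HOMOGLYPH_NAME = "us\u0435rinit.exe"
IOC_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" svchost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = "1" svchost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1" svchost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"exefile\" /shell <%1> %*" svchost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\userinit\ImagePath = '
    r'"\\\\.\\globalroot\\systemroot\\system32\\' + HOMOGLYPH_NAME + '" ' + HOMOGLYPH_NAME,
    r'Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP Process not Found',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" svchost.exe',
]

# operation, optional "(type)", path, optional " = value"; the process is split off first.
LINE_RE = re.compile(
    r"^(?P<op>Set value|Key created|Key opened|Key enumerated|Key value enumerated)"
    r"(?: \((?P<type>\w+)\))? "
    r"(?P<path>\\REGISTRY\\.*?)"
    r"(?: = (?P<value>.*))?$",
    re.IGNORECASE,
)
EXEFILE_DEFAULT = '"%1" %*'   # stock HKCR\exefile\shell\open\command


def split_process(line: str) -> tuple[str, str]:
    """The writing process is the last token, or the literal 'Process not Found'."""
    marker = " Process not Found"
    if line.endswith(marker):
        return line[: -len(marker)], "Process not Found"
    body, _, proc = line.rpartition(" ")
    return body, proc


def unescape(value):
    """Triage prints values JSON-style: outer quotes, \\" for a quote, \\\\ for a backslash."""
    if value is None:
        return None
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return re.sub(r'\\(["\\])', r"\1", value)


def parse_ioc(line: str) -> dict:
    body, process = split_process(line)
    m = LINE_RE.match(body)
    if not m:
        raise ValueError(f"unrecognised IoC line: {line!r}")
    return {"op": m["op"], "type": m["type"], "path": m["path"],
            "value": unescape(m["value"]), "process": process}


def evaluate(ioc: dict) -> list[str]:
    """Heuristic rules for the writes that strip a host of its defences."""
    findings = []
    if ioc["op"].lower() != "set value":
        return findings
    path, value, proc = ioc["path"].lower(), ioc["value"], ioc["process"]
    leaf = path.rsplit("\\", 1)[-1]
    if path.endswith(r"\services\wscsvc\start") and value == "4":
        findings.append("wscsvc (Security Center) Start=4: service disabled")
    if r"\microsoft\security center" in path and leaf in ("antivirusoverride", "firewalloverride") and value == "1":
        findings.append(f"Security Center {leaf}=1: status alerts suppressed")
    if r"\classes\exefile\shell\open\command" in path and value != EXEFILE_DEFAULT:
        findings.append(f"exefile open command hijacked: {value!r} (expected {EXEFILE_DEFAULT!r})")
    svc = re.search(r"\\services\\([^\\]+)\\imagepath$", path)
    if svc and proc.lower() != "services.exe":
        findings.append(f"ImagePath of service {svc.group(1)!r} written by {proc}")
    return findings


def triage(lines) -> list[tuple[int, str]]:
    """(1-based line number, finding) for every rule that fires."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in evaluate(parse_ioc(line))]


if __name__ == "__main__":
    for n, finding in triage(IOC_LINES):
        print(f"line {n}: {finding}")
```

The last rule is deliberately coarse: on a live host ImagePath is normally written by services.exe on behalf of the Service Control Manager, so a write attributed to any other image is worth a look even when the service name is unremarkable.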
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks registry for disk virtualization (3 TTPs, 1 IoC)
Detecting virtualization disks is often done to detect sandboxing environments.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI\Disk&Ven_Dell&Prod_VIRTUAL_DISK  [svchost.exe]
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) \??\A: through \??\Z:, every letter except C:, D: and F:  [svchost.exe]
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum  [svchost.exe]
  Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum  [svchost.exe]
Drops file in System32 directory (2 IoCs)
  File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT  [usеrinit.exe]
  File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx  [Process not Found]
config\systemprofile is the LocalSystem account's profile, so the first entry shows the dropped usеrinit.exe running as SYSTEM.
Suspicious use of NtCreateThreadExHideFromDebugger (30 IoCs)
  pid 2520  svchost.exe  (all 30)
Threads created with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER do not raise debug events, so an attached debugger never sees them start.
Suspicious use of SetThreadContext (23 IoCs)
  2124 Antivirus2010.exe set thread context of 1724 (procid_target 28)  x1
  2520 svchost.exe set thread context of 272 (procid_target 16)  x22
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  [svchost.exe]
  Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  [svchost.exe]
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK  [svchost.exe]
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI  [svchost.exe]
  Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI  [svchost.exe]
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI\Disk&Ven_Dell&Prod_VIRTUAL_DISK  [svchost.exe]
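The two SCSI device keys above are the analysis environment's own disk identities, and they show why such strings matter. The following added example (not from the report or the sample) reads device-instance IDs the way a naive VM check does: split Disk&Ven_Dell&Prod_VIRTUAL_DISK into its PnP fields and look for virtualisation vendor or product strings. Prod_VIRTUAL_DISK trips a substring match on VIRTUAL, Prod_THINAIR_DISK does not, which illustrates why analysis environments avoid such product names. The marker list and the third, physical-disk key are constructed for the example.

```python
"""Decode SCSI device-instance IDs and test them the way a VM check would."""

# Constructed input: the two device keys this report shows svchost.exe opening,
# plus one made-up physical-disk key for contrast.
SCSI_KEYS = [
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI\Disk&Ven_Dell&Prod_VIRTUAL_DISK",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_SAMSUNG&Prod_MZVLB512HAJQ",  # constructed
]

# Substrings naive anti-analysis code looks for in vendor/product fields
# (assumed list for the example; real samples use their own).
VM_MARKERS = ("VMWARE", "VBOX", "VIRTUALBOX", "VIRTUAL", "QEMU", "XEN", "HYPER-V")


def parse_device_id(key: str) -> dict:
    """Split 'Disk&Ven_Dell&Prod_VIRTUAL_DISK' into Class, Ven and Prod."""
    instance = key.rsplit("\\", 1)[-1]
    device_class, *fields = instance.split("&")
    parsed = {"Class": device_class}
    for field in fields:
        name, _, value = field.partition("_")   # Prod_VIRTUAL_DISK -> Prod, VIRTUAL_DISK
        parsed[name] = value
    return parsed


def vm_indicators(device: dict) -> list[str]:
    """Markers found in the vendor and product strings, case-insensitively."""
    haystack = " ".join(device.get(k, "") for k in ("Ven", "Prod")).upper()
    return [m for m in VM_MARKERS if m in haystack]


def classify(keys) -> dict:
    """Map each product string to the markers that would expose it."""
    result = {}
    for key in keys:
        device = parse_device_id(key)
        result[device["Prod"]] = vm_indicators(device)
    return result


if __name__ == "__main__":
    for prod, markers in classify(SCSI_KEYS).items():
        print(f"{prod:<16} {'VM-like: ' + ', '.join(markers) if markers else 'passes'}")
```

The same parsing applies to the Disk\Enum values read under "Maps connected drives" above, which hold the same identifiers in a different place.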
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened, Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor  [svchost.exe]
  Key opened, Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  [svchost.exe]
  Key opened, Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1  [svchost.exe]
Enumerates system info in registry (2 TTPs, 42 IoCs)
All 42 are key opens and enumerations by svchost.exe under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System:
  BIOS
  FloatingPointProcessor, FloatingPointProcessor\0, FloatingPointProcessor\1
  MultifunctionAdapter, MultifunctionAdapter\0, MultifunctionAdapter\1, MultifunctionAdapter\2
  MultifunctionAdapter\0\DiskController, \0\DiskController\0, \0\DiskController\0\DiskPeripheral, \0\DiskController\0\DiskPeripheral\0
  MultifunctionAdapter\0\KeyboardController, \0\KeyboardController\0, \0\KeyboardController\0\KeyboardPeripheral, \0\KeyboardController\0\KeyboardPeripheral\0
  VideoAdapterBusses, VideoAdapterBusses\PCIBus, VideoAdapterBusses\PCIBus\0000
This is a walk of the firmware-derived hardware tree; like the CentralProcessor and SCSI reads above, it is the fingerprinting used to tell a sandbox from a real host.
Internet Explorer settings written by iexplore.exe (the signature heading for this block is not present on the page)
All under \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer:
  Keys created: IntelliForms; Toolbar; Toolbar\WebBrowser; Zoom; Recovery\PendingRecovery; Recovery\AdminActive; Main (by iexplore.exe and by IEXPLORE.EXE); Main\WindowsSearch; InternetRegistry; PageSetup; GPU; LowRegistry; LowRegistry\DOMStorage; LowRegistry\DontShowMeThisDialogAgain; BrowserEmulation\LowMic; TabbedBrowsing; TabbedBrowsing\NewTabPage; SearchScopes; IETld\LowMic
  Values set by iexplore.exe:
    SearchScopes\DownloadRetries = "3"
    TabbedBrowsing\NTPFirstRun = "1"
    TabbedBrowsing\NewTabPage\MFV (data; the value is not reproduced on the page)
    TabbedBrowsing\NewTabPage\LastProcessed = 90de7553f26cda01
    TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a96069000000000200000000001066000000010000200000007e24c37093847c92a5cea8828a9b9169c33e42a915fca012df3ae3e6a3448679000000000e80000000020000200000003c5d8c915dd416dba54cd572cb49441b0cb3a14a00a3a21b8fbf6c22e830a68a20000000f0b19839142c4be440857e7c64b19a633b3f332ea89441644e8813db0382bdfb40000000ef37381f87dc6825d3cad41c703aa26c22bb41f58de3051179dfc655956f132ee005d8b03f159aabb87408615296a61703d98ff8ab26306e98e9bb9b6fedeef1
    Recovery\AdminActive\{7EC7A6A1-D8E5-11EE-BEEC-D20227E6D795} = "0"
    Main\CompatibilityFlags = "0"
    Main\FullScreen = "no"
    Main\WindowsSearch\Version = "WS not running"
    Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000
    Recovery\PendingRecovery\AdminActive = "1", then "0"
These are consistent with Internet Explorer's own first-run initialisation. The browser appears in this trace because the injected svchost.exe (pid 2520) started iexplore.exe (pid 2668; see the WriteProcessMemory entries below), so the entries document the sample's behaviour only indirectly.
Modifies data under HKEY_USERS (30 IoCs)
All under \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings unless noted:
  Keys created by svchost.exe: Internet Settings (twice); Connections; Wpad; Wpad\e6-fb-04-fa-e0-00; Wpad\{18EF7846-4696-419F-A2FA-D996D7DAE5D2}; Wpad\{18EF7846-4696-419F-A2FA-D996D7DAE5D2}\e6-fb-04-fa-e0-00; ZoneMap\; \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main
  Keys created by usеrinit.exe: ZoneMap\; \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main
  Values set by svchost.exe:
    Wpad\e6-fb-04-fa-e0-00\WpadDecision = "0", WpadDecisionReason = "1", WpadDecisionTime = a0d5a40ef26cda01
    Wpad\{18EF7846-4696-419F-A2FA-D996D7DAE5D2}\WpadNetworkName = "Network 3", WpadDecision = "0", WpadDecisionReason = "1", WpadDecisionTime = a0d5a40ef26cda01
    5.0\Cache\Content\CachePrefix (no value shown), 5.0\Cache\History\CachePrefix = "Visited:", 5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00fd000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    ZoneMap\AutoDetect = "1", ZoneMap\UNCAsIntranet = "0", ProxyEnable = "0"
  Values set by usеrinit.exe: ZoneMap\AutoDetect = "1", ZoneMap\UNCAsIntranet = "0"
HKU\.DEFAULT is the registry profile used by code running as LocalSystem, and these keys are the state WinINet writes when a process initialises it and runs proxy auto-detection (WPAD). They confirm that both the dropped usеrinit.exe and the injected svchost.exe run as SYSTEM and set up HTTP access; the per-user hive is untouched by them.
Modifies registry class (6 IoCs)
  Key created \registry\machine\Software\Classes\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55}  [Antivirus2010.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55}\u = "3"  [Antivirus2010.exe]
  Key created \registry\machine\Software\Classes\Wow6432Node\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55}  [Antivirus2010.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55}\u = "3"  [Antivirus2010.exe]
  Key created \registry\machine\Software\Classes\Interface\{507e1fac-b73d-1bbf-56af-f783afcbf39c}  [svchost.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"exefile\" /shell <%1> %*"  [svchost.exe]  (the same write listed under the filetype association signature above)
Suspicious behavior: EnumeratesProcesses (12 IoCs)
  3012 usеrinit.exe  x4
  2520 svchost.exe  x8

Suspicious behavior: MapViewOfSection (31 IoCs)
  2520 svchost.exe  x31
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  2124 Antivirus2010.exe: SeDebugPrivilege, SeSecurityPrivilege
  3012 usеrinit.exe: SeDebugPrivilege
  1116 [Process not Found]: SeShutdownPrivilege
  868 [Process not Found], repeated in several rounds: SeAuditPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeRestorePrivilege, SeSystemEnvironmentPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
SeDebugPrivilege, enabled by the sample and by its dropped copy, lets a process open any other process for writing regardless of that process's security descriptor; it is the usual precondition for the injection recorded under WriteProcessMemory and SetThreadContext.
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2520 svchost.exe 2520 svchost.exe 1116 Process not Found 1116 Process not Found 1116 Process not Found 1116 Process not Found 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 1116 Process not Found 1116 Process not Found 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe 2520 svchost.exe -
Suspicious use of SendNotifyMessage (64 IoCs)
Suspicious use of SetWindowsHookEx (6 IoCs)
PID   Process
2668  iexplore.exe
2668  iexplore.exe
2792  IEXPLORE.EXE
2792  IEXPLORE.EXE
2792  IEXPLORE.EXE
2792  IEXPLORE.EXE
Suspicious use of UnmapMainImage (7 IoCs)
PID  Process
820  Process not Found
820  Process not Found
820  Process not Found
820  Process not Found
740  Process not Found
600  Process not Found
600  Process not Found
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\svchost.exe (PID 272)
  Command line: C:\Windows\system32\svchost.exe -k NetworkService

C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe (PID 2124)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1724)
      Command line: "C:\Windows\system32\cmd.exe"
      - Deletes itself

    \??\globalroot\systemroot\system32\usеrinit.exe (PID 3012)
      Command line: /install
      - Sets service image path in registry
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\svchost.exe (PID 2520)
          Command line: "C:\Windows\system32\svchost.exe"
          - Modifies security service
          - Windows security bypass
          - Modifies system executable filetype association
          - Checks registry for disk virtualization
          - Enumerates connected drives
          - Maps connected drives based on registry
          - Suspicious use of NtCreateThreadExHideFromDebugger
          - Suspicious use of SetThreadContext
          - Checks SCSI registry key(s)
          - Checks processor information in registry
          - Enumerates system info in registry
          - Modifies data under HKEY_USERS
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

            C:\Program Files\Internet Explorer\iexplore.exe (PID 2668)
              Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://secure.2010billing.com/purchase/get.php?i=antvir&advert=3&extern=4&lang=EN
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory

                C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2792)
                  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275457 /prefetch:2
                  - Modifies Internet Explorer settings
                  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\wbem\WMIADAP.EXE (PID 636)
  Command line: wmiadap.exe /F /T /R

C:\Windows\system32\wbem\wmiprvse.exe (PID 1900)
  Command line: C:\Windows\system32\wbem\wmiprvse.exe -Embedding

C:\Windows\system32\DllHost.exe (PID 2736)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\DllHost.exe (PID 848)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Change Default File Association (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Change Default File Association (1)
Downloads