Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
27/05/2024, 18:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Resource
win7-20240508-en
windows7-x64
27 signatures
150 seconds
Behavioral task
behavioral2
Sample
0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
26 signatures
150 seconds
General
-
Target
0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
-
Size
52KB
-
MD5
2cd285151c06274a9cbec89f6a97e5a7
-
SHA1
825592195c444e5642a7407c8147d372abf1b0fb
-
SHA256
0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658
-
SHA512
fef1729c20e83ba465f3a6e7c45cf12d7decac722c078e6f2cc5163da6a7d37c6e9bca105274e437a8e0c39ea84aa57a451015804cbc18269c06e1b20474a6ee
-
SSDEEP
768:d+ciLamXW9XgMxjFkpvMVX8q18q13yO1+33j5n/wZf2kfw:IzaEW5gMxZVXf8a3yO10pwZc
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 18 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 9 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" WishfulThinking.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" WishfulThinking.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" SERVICES.EXE -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 9 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" WishfulThinking.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" WishfulThinking.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SERVICES.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" nEwb0Rn.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" WishfulThinking.exe -
Blocks application from running via registry modification 54 IoCs
Adds application to list of disallowed applications.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" WishfulThinking.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe" nEwb0Rn.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" SERVICES.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" nEwb0Rn.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe" nEwb0Rn.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" SERVICES.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" SERVICES.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WishfulThinking.exe -
Disables RegEdit via registry modification 18 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WishfulThinking.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WishfulThinking.exe -
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 18 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe nEwb0Rn.exe -
Executes dropped EXE 31 IoCs
pid Process 224 nEwb0Rn.exe 3712 WishfulThinking.exe 4584 nEwb0Rn.exe 2200 WishfulThinking.exe 1760 WINLOGON.EXE 3864 WINLOGON.EXE 3740 SERVICES.EXE 2376 SERVICES.EXE 2156 nEwb0Rn.exe 4848 WishfulThinking.exe 3804 nEwb0Rn.exe 1812 nEwb0Rn.exe 3648 nEwb0Rn.exe 3356 WishfulThinking.exe 4180 WishfulThinking.exe 3380 WINLOGON.EXE 2152 WINLOGON.EXE 3236 SERVICES.EXE 2560 SERVICES.EXE 3392 nEwb0Rn.exe 1408 nEwb0Rn.exe 3184 WishfulThinking.exe 3332 WishfulThinking.exe 5104 WINLOGON.EXE 3980 nEwb0Rn.exe 4472 WishfulThinking.exe 4644 WINLOGON.EXE 4428 SERVICES.EXE 2724 WINLOGON.EXE 220 SERVICES.EXE 3244 SERVICES.EXE -
Loads dropped DLL 7 IoCs
pid Process 2156 nEwb0Rn.exe 3804 nEwb0Rn.exe 1812 nEwb0Rn.exe 3648 nEwb0Rn.exe 3392 nEwb0Rn.exe 1408 nEwb0Rn.exe 3980 nEwb0Rn.exe -
Modifies system executable filetype association 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WINLOGON.EXE -
Adds Run key to start application 2 TTPs 27 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" WishfulThinking.exe -
Drops desktop.ini file(s) 6 IoCs
description ioc Process File created C:\desktop.ini 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe File opened for modification F:\desktop.ini 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe File created F:\desktop.ini 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe File opened for modification F:\desktop.ini nEwb0Rn.exe File created F:\desktop.ini nEwb0Rn.exe File opened for modification C:\desktop.ini 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: SERVICES.EXE File opened (read-only) \??\Z: nEwb0Rn.exe File opened (read-only) \??\H: WishfulThinking.exe File opened (read-only) \??\P: nEwb0Rn.exe File opened (read-only) \??\P: SERVICES.EXE File opened (read-only) \??\Y: WishfulThinking.exe File opened (read-only) \??\Z: WishfulThinking.exe File opened (read-only) \??\J: nEwb0Rn.exe File opened (read-only) \??\U: nEwb0Rn.exe File opened (read-only) \??\V: nEwb0Rn.exe File opened (read-only) \??\B: 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe File opened (read-only) \??\R: nEwb0Rn.exe File opened (read-only) \??\W: nEwb0Rn.exe File opened (read-only) \??\H: nEwb0Rn.exe File opened (read-only) \??\V: 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe File opened (read-only) \??\I: SERVICES.EXE File opened (read-only) \??\B: nEwb0Rn.exe File opened (read-only) \??\J: 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe File opened (read-only) \??\Z: nEwb0Rn.exe File opened (read-only) \??\P: WINLOGON.EXE File opened (read-only) \??\H: nEwb0Rn.exe File opened (read-only) \??\I: nEwb0Rn.exe File opened (read-only) \??\S: nEwb0Rn.exe File opened (read-only) \??\T: nEwb0Rn.exe File opened (read-only) \??\N: WINLOGON.EXE File opened (read-only) \??\Y: nEwb0Rn.exe File opened (read-only) \??\L: SERVICES.EXE File opened (read-only) \??\E: 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe File opened (read-only) \??\U: 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe File opened (read-only) \??\W: nEwb0Rn.exe File opened (read-only) \??\K: WishfulThinking.exe File opened (read-only) \??\Q: WishfulThinking.exe File opened (read-only) \??\J: nEwb0Rn.exe File opened (read-only) \??\Q: nEwb0Rn.exe File opened (read-only) \??\K: 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe File opened (read-only) \??\L: 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe File opened (read-only) \??\G: SERVICES.EXE File opened (read-only) \??\K: SERVICES.EXE File opened (read-only) \??\B: WishfulThinking.exe File opened (read-only) \??\J: WishfulThinking.exe File opened (read-only) \??\W: 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe File opened (read-only) \??\M: nEwb0Rn.exe File opened (read-only) \??\O: nEwb0Rn.exe File opened (read-only) \??\K: WINLOGON.EXE File opened (read-only) \??\T: WINLOGON.EXE File opened (read-only) \??\W: WishfulThinking.exe File opened (read-only) \??\T: 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe File opened (read-only) \??\N: nEwb0Rn.exe File opened (read-only) \??\R: SERVICES.EXE File opened (read-only) \??\N: nEwb0Rn.exe File opened (read-only) \??\N: WishfulThinking.exe File opened (read-only) \??\U: nEwb0Rn.exe File opened (read-only) \??\V: nEwb0Rn.exe File opened (read-only) \??\N: SERVICES.EXE File opened (read-only) \??\B: SERVICES.EXE File opened (read-only) \??\J: SERVICES.EXE File opened (read-only) \??\Q: SERVICES.EXE File opened (read-only) \??\W: WINLOGON.EXE File opened (read-only) \??\M: WishfulThinking.exe File opened (read-only) \??\E: nEwb0Rn.exe File opened (read-only) \??\I: nEwb0Rn.exe File opened (read-only) \??\S: SERVICES.EXE File opened (read-only) \??\P: nEwb0Rn.exe File opened (read-only) \??\J: WINLOGON.EXE -
Drops file in System32 directory 49 IoCs
description ioc Process File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\DamageControl.scr WishfulThinking.exe File created C:\Windows\SysWOW64\WishfulThinking.exe nEwb0Rn.exe File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe WINLOGON.EXE File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\DamageControl.scr WINLOGON.EXE File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe WINLOGON.EXE File created C:\Windows\SysWOW64\WishfulThinking.exe WishfulThinking.exe File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe nEwb0Rn.exe File opened for modification C:\Windows\SysWOW64\DamageControl.scr 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe File created C:\Windows\SysWOW64\WishfulThinking.exe nEwb0Rn.exe File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe nEwb0Rn.exe File created C:\Windows\SysWOW64\WishfulThinking.exe WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\DamageControl.scr WINLOGON.EXE File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File created C:\Windows\SysWOW64\DamageControl.scr 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe File opened for modification C:\Windows\SysWOW64\DamageControl.scr nEwb0Rn.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\DamageControl.scr WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe SERVICES.EXE File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe SERVICES.EXE File created C:\Windows\SysWOW64\WishfulThinking.exe WINLOGON.EXE File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe WINLOGON.EXE File created C:\Windows\SysWOW64\WishfulThinking.exe WINLOGON.EXE File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File created C:\Windows\SysWOW64\WishfulThinking.exe 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe nEwb0Rn.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe WishfulThinking.exe File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File created C:\Windows\SysWOW64\JawsOfLife.exe 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe WishfulThinking.exe File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\DamageControl.scr nEwb0Rn.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe nEwb0Rn.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe WINLOGON.EXE File opened for modification C:\Windows\SysWOW64\DamageControl.scr SERVICES.EXE -
Drops file in Windows directory 31 IoCs
description ioc Process File opened for modification C:\Windows\nEwb0Rn.exe nEwb0Rn.exe File opened for modification C:\Windows\nEwb0Rn.exe nEwb0Rn.exe File opened for modification C:\Windows\nEwb0Rn.exe WishfulThinking.exe File opened for modification C:\Windows\nEwb0Rn.exe WINLOGON.EXE File opened for modification C:\Windows\nEwb0Rn.exe 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe File created C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\nEwb0Rn.exe WishfulThinking.exe File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\nEwb0Rn.exe WishfulThinking.exe File opened for modification C:\Windows\nEwb0Rn.exe WINLOGON.EXE File created C:\Windows\nEwb0Rn.exe WishfulThinking.exe File created C:\Windows\nEwb0Rn.exe WINLOGON.EXE File created C:\Windows\nEwb0Rn.exe nEwb0Rn.exe File created C:\Windows\nEwb0Rn.exe WINLOGON.EXE File created C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\nEwb0Rn.exe nEwb0Rn.exe File created C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\nEwb0Rn.exe SERVICES.EXE File created C:\Windows\nEwb0Rn.exe 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe -
Modifies Control Panel 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" SERVICES.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s2359 = "Animate" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s1159 = "Inanimate" SERVICES.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\ WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\AutoEndTasks = "1" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" nEwb0Rn.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\ 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s1159 = "Inanimate" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\AutoEndTasks = "1" nEwb0Rn.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\ WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\ SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s1159 = "Inanimate" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\ WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s1159 = "Inanimate" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ nEwb0Rn.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\AutoEndTasks = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s1159 = "Inanimate" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s2359 = "Animate" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s2359 = "Animate" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s1159 = "Inanimate" nEwb0Rn.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s2359 = "Animate" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\AutoEndTasks = "1" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\AutoEndTasks = "1" WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s1159 = "Inanimate" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s2359 = "Animate" WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s1159 = "Inanimate" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\AutoEndTasks = "1" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" nEwb0Rn.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s2359 = "Animate" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s2359 = "Animate" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\AutoEndTasks = "1" WishfulThinking.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\ WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\ SERVICES.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" nEwb0Rn.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\ WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\ WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\ WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" nEwb0Rn.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\ 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" SERVICES.EXE -
Modifies data under HKEY_USERS 27 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" WishfulThinking.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" SERVICES.EXE Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ WINLOGON.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" WINLOGON.EXE Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ SERVICES.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" WINLOGON.EXE Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" nEwb0Rn.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ WishfulThinking.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" WINLOGON.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" WishfulThinking.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" WishfulThinking.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" nEwb0Rn.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ WINLOGON.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" nEwb0Rn.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ nEwb0Rn.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ WishfulThinking.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" WishfulThinking.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" WINLOGON.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" SERVICES.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe -
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
pid Process 1812 nEwb0Rn.exe 3380 WINLOGON.EXE 2376 SERVICES.EXE 3356 WishfulThinking.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 224 nEwb0Rn.exe 3712 WishfulThinking.exe 2200 WishfulThinking.exe 3864 WINLOGON.EXE 1760 WINLOGON.EXE 2376 SERVICES.EXE 3740 SERVICES.EXE 2156 nEwb0Rn.exe 4848 WishfulThinking.exe 3804 nEwb0Rn.exe 1812 nEwb0Rn.exe 3648 nEwb0Rn.exe 3356 WishfulThinking.exe 4180 WishfulThinking.exe 3380 WINLOGON.EXE 2152 WINLOGON.EXE 3236 SERVICES.EXE 2560 SERVICES.EXE 3392 nEwb0Rn.exe 1408 nEwb0Rn.exe 3184 WishfulThinking.exe 3332 WishfulThinking.exe 5104 WINLOGON.EXE 3980 nEwb0Rn.exe 4472 WishfulThinking.exe 4644 WINLOGON.EXE 4428 SERVICES.EXE 2724 WINLOGON.EXE 220 SERVICES.EXE 3244 SERVICES.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1616 wrote to memory of 224 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 91 PID 1616 wrote to memory of 224 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 91 PID 1616 wrote to memory of 224 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 91 PID 1616 wrote to memory of 3712 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 92 PID 1616 wrote to memory of 3712 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 92 PID 1616 wrote to memory of 3712 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 92 PID 224 wrote to memory of 4584 224 nEwb0Rn.exe 93 PID 224 wrote to memory of 4584 224 nEwb0Rn.exe 93 PID 224 wrote to memory of 4584 224 nEwb0Rn.exe 93 PID 224 wrote to memory of 2200 224 nEwb0Rn.exe 94 PID 224 wrote to memory of 2200 224 nEwb0Rn.exe 94 PID 224 wrote to memory of 2200 224 nEwb0Rn.exe 94 PID 224 wrote to memory of 1760 224 nEwb0Rn.exe 95 PID 224 wrote to memory of 1760 224 nEwb0Rn.exe 95 PID 224 wrote to memory of 1760 224 nEwb0Rn.exe 95 PID 1616 wrote to memory of 3864 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 96 PID 1616 wrote to memory of 3864 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 96 PID 1616 wrote to memory of 3864 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 96 PID 1616 wrote to memory of 3740 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 98 PID 1616 wrote to memory of 3740 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 98 PID 1616 wrote to memory of 3740 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 98 PID 224 wrote to memory of 2376 224 nEwb0Rn.exe 97 PID 224 wrote to memory of 2376 224 nEwb0Rn.exe 97 PID 224 wrote to memory of 2376 224 nEwb0Rn.exe 97 PID 3712 wrote to memory of 2156 3712 WishfulThinking.exe 99 PID 3712 wrote to memory of 2156 3712 WishfulThinking.exe 99 PID 3712 wrote to memory of 2156 3712 WishfulThinking.exe 99 PID 3712 wrote to memory of 4848 3712 WishfulThinking.exe 100 PID 3712 wrote to memory of 4848 3712 WishfulThinking.exe 100 PID 3712 wrote to memory of 4848 3712 WishfulThinking.exe 100 PID 3864 wrote to memory of 3804 3864 WINLOGON.EXE 101 PID 3864 wrote to memory of 3804 3864 WINLOGON.EXE 101 PID 3864 wrote to memory of 3804 3864 WINLOGON.EXE 101 PID 2376 wrote to memory of 1812 2376 SERVICES.EXE 102 PID 2376 wrote to memory of 1812 2376 SERVICES.EXE 102 PID 2376 wrote to memory of 1812 2376 SERVICES.EXE 102 PID 1616 wrote to memory of 3648 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 103 PID 1616 wrote to memory of 3648 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 103 PID 1616 wrote to memory of 3648 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 103 PID 2376 wrote to memory of 3356 2376 SERVICES.EXE 104 PID 2376 wrote to memory of 3356 2376 SERVICES.EXE 104 PID 2376 wrote to memory of 3356 2376 SERVICES.EXE 104 PID 1616 wrote to memory of 4180 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 105 PID 1616 wrote to memory of 4180 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 105 PID 1616 wrote to memory of 4180 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 105 PID 2376 wrote to memory of 3380 2376 SERVICES.EXE 106 PID 2376 wrote to memory of 3380 2376 SERVICES.EXE 106 PID 2376 wrote to memory of 3380 2376 SERVICES.EXE 106 PID 1616 wrote to memory of 2152 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 107 PID 1616 wrote to memory of 2152 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 107 PID 1616 wrote to memory of 2152 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 107 PID 1616 wrote to memory of 3236 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 108 PID 1616 wrote to memory of 3236 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 108 PID 1616 wrote to memory of 3236 1616 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe 108 PID 2376 wrote to memory of 2560 2376 SERVICES.EXE 109 PID 2376 wrote to memory of 2560 2376 SERVICES.EXE 109 PID 2376 wrote to memory of 2560 2376 SERVICES.EXE 109 PID 1812 wrote to memory of 3392 1812 nEwb0Rn.exe 110 PID 1812 wrote to memory of 3392 1812 nEwb0Rn.exe 110 PID 1812 wrote to memory of 3392 1812 nEwb0Rn.exe 110 PID 3356 wrote to memory of 1408 3356 WishfulThinking.exe 111 PID 3356 wrote to memory of 1408 3356 WishfulThinking.exe 111 PID 3356 wrote to memory of 1408 3356 WishfulThinking.exe 111 PID 1812 wrote to memory of 3184 1812 nEwb0Rn.exe 112 -
System policy modification 1 TTPs 63 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" 0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer nEwb0Rn.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe"C:\Users\Admin\AppData\Local\Temp\0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1616 -
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Executes dropped EXE
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:224 -
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe3⤵
- Executes dropped EXE
PID:4584
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2200
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1760
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Executes dropped EXE
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2376 -
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1812 -
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3392
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3184
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5104
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4428
-
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Executes dropped EXE
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3356 -
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1408
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3332
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2724
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3244
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Executes dropped EXE
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3380 -
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3980
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4472
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4644
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:220
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2560
-
-
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Executes dropped EXE
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3712 -
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2156
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4848
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Executes dropped EXE
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3864 -
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3804
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3740
-
-
C:\Windows\nEwb0Rn.exeC:\Windows\nEwb0Rn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3648
-
-
C:\Windows\SysWOW64\WishfulThinking.exeC:\Windows\system32\WishfulThinking.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4180
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2152
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3236
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3924 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:81⤵PID:3704
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
10Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
52KB
MD511702598235037a3ae8a60b1aa56263f
SHA157a0f22b04e7171c2a1c046fe929f26147c3710f
SHA256e3539aa9ba6b17a29ff41c396971343a20f66a62a9bb6d205f78cc44d7bac79d
SHA512163d6e78ce31dccd21c6038245cb91cb993588987584ab1e08ce78598b930862d931157892f78c750fda7e79644c13f2e3676569308b1e189320490bcb81fd9b
-
Filesize
52KB
MD53729ba335b59870bf191517a13e0ed10
SHA183fad0c955b3e95b84d42fd5c316590d81b98562
SHA25632d1ab87c9bd8c8a9fbcbd26c1a39ee5a885f73d49b3fdc242cba751f705159a
SHA51249efe17807caf1aa89fc28f40936a939c1044e92ce2851d865c619c395b5f9e6faa27edce0bd54a27dc7c5d05275ad5812ebb0937501e9d913dae3f6b1dcac86
-
Filesize
52KB
MD5e7ba1286892f3bb1e41e650b900fbfe8
SHA10e5d0c52650bd96cb9f1ca51b2df0974f9b0c5b1
SHA256eb30cdcf43f23b9b47b5a326d0128d8fe2ceba41deada08244ff97276c37da30
SHA512c440e7800f9e91cbcd88fc89904af5a41ac3a1b23930394bab3902887d327488e61111fa9c011d73a82a090a0821ed5b51e73ac0cb7c852e228eb1ff954d74da
-
Filesize
52KB
MD5b9a57d20cd3f0241174267bbb1579be7
SHA1bfb0232e3cce613449ae76845ce3b3a8f3b59b31
SHA256178a93f0707dc6e8c7801819fffc846a2a396b82cee3898845b2c2e2f5be7501
SHA512b25021b5d34773f7b155cfaae7e466945d77b5ee10875035695b9b7b1042dea992da057ad1815da08a7e3915ef3e2a6b50eff459b6030350a634dce08b479eb5
-
Filesize
52KB
MD5eb8acdf6a9ebaa9967691d0b0011c69d
SHA1a178db15f5674b7c99a333bc64f2a21bfcc3b38b
SHA2568b951ed663807ec21716dff0de01fac57a4da746262c1b43493122dc9540d4e5
SHA51224215bc99bf37edbc665a034ff4eaf5bb7ee51c2822ac46d96d680871826fb110e71568b15bdbb8d1444b5f8022b1696caa754880524d31dfd81aa25e58e6798
-
Filesize
52KB
MD59826f90ed13c329834d6cd34624f288a
SHA1fd4824c94d9de24854b851a263675049e738cb03
SHA256eddb2877853fbaa8375539fcb429a50c671b4aa240aad0111b8c8517d8bc9701
SHA512dc1c6ce2b40853e53e9d027c054885f67e9887f0c1404b8268214eb930b5885fb9c7b35631bfa8e19c89d4b2b41c861bbc50d46e5aad69a4a2b472ba78623cf3
-
Filesize
52KB
MD5dbc3e8dcad4c57448bc44abac228e54b
SHA14cee80b7b522ba4ac31d2b1b713ccf68418e6598
SHA2569ec0541b77689064f614849f46087997ed1089808ad96c8034067b1f216e5484
SHA512e4aac6ef152dcfc014e44a76806293fb5fa6678ebc2d350c8c22d0887e0a991814dab187604730d54d72608640cbefdd13c22b63a5474b916528faf71c38bc1d
-
Filesize
52KB
MD50b0545e693d4fd68cc606efe88d5e0b2
SHA1e79c5308687b3244981586ddf2b5e94cadfab2af
SHA256c782592af0a971c0b89d8a2218f434c2d041f9ee5cb762724fc5f84970d866f3
SHA512a178e0d677d91c80e6cfd9582024aa683589fbf40ebd460dd1434b779c0e5fc0bfb14954746fd5bcda3933d9ba6ec937eda92524d61b6827be6617e4e30884dc
-
Filesize
52KB
MD52cd285151c06274a9cbec89f6a97e5a7
SHA1825592195c444e5642a7407c8147d372abf1b0fb
SHA2560fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658
SHA512fef1729c20e83ba465f3a6e7c45cf12d7decac722c078e6f2cc5163da6a7d37c6e9bca105274e437a8e0c39ea84aa57a451015804cbc18269c06e1b20474a6ee
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
52KB
MD5b11af912697a2adfad8acbd14676f9eb
SHA14dec0833866a6726c3ccfab9208b20e274ade127
SHA256e057aa61b422a631dafc4736bef3d9bb14d3468b3e2118c058dff5d26acb405b
SHA5121becf76a88d384e17be3703ec072fe6d8ab43ec36e3966b3be52ea4b6890d49729e68d39069a05204fc939b2cf76174ff550ae59921acae2168617e58df9ebbd
-
Filesize
52KB
MD5dc091abf98f783293d38f222b4e28883
SHA1f6a6d2e2cce9374c36210c340a49dceace65327c
SHA2563cc14a986c58de975699bfd536a1ed22eb5682dee9a638bf1fc2227d45386936
SHA5120d51d5b6ccb26036ffa7dcb256c336f64d8eaa681d620ac2e0e8be98f02bc758600bb2d2a26514ca8140a334050204710142ed942d36d1316c96b37b5dfca564
-
Filesize
2KB
MD594c0c5518c4f4bb044842a006d04932a
SHA123d9a914f6681d65e2b1faa171f4cf492562ebdb
SHA256224c4e5cdc0e7495c5fb5d1f52d76807092b5cc2d0a7c95fa612ff7b1412706e
SHA51279cb2cd9e19ac3cc8bd94f1a20369e61224f8db02bc04d1f5768d62163b68467a3d317808a942bc7cca6ca84c221bb54a76e097f543c88bb89f0a3c9534ff3bb
-
Filesize
52KB
MD56b7eeda6cae0ad0e05fdf4d71098bb56
SHA162fb3275e2b47b4a1d3e00a0feaa10a3ad894778
SHA256d8fb0018b0e877b49403fcd6e4f68d83eed210a420fae729fc4939bec5e05cc6
SHA512b84d7dec0ce5676d8495f114c55843c5d06ca6c8b3c57014be76159721cc82d28bcc33a29d159fdf07f42720765b392346160550db5d6335fa67aeff7eb0ac0c
-
Filesize
52KB
MD5849907c9f1b64c6e71d485f2b023b89f
SHA102c1489a17e17894745fa5a310e9188bffa30b40
SHA256422fab8bdb1d26c7e1766423007a20236a169f0ddce57afb0de7c6f08001474f
SHA512a8383f65b5a0a0762e3c8fdb095dd869665addabefd530cfea73be6a7722b88f55f10e587611ef2033713468cb750ca940f17a54ba9e9a559cc1bffdbc3268df
-
Filesize
52KB
MD597cc10a65df157780e7c37c6a35a09a4
SHA19d6c079b3b196fc13fdcceea3c04f6de2304cdc5
SHA25664feff78f789a06f87101d1804ad69814b689b8c5b9c91b1f2822b15e6c92421
SHA512717ef582ba508bf24ce606559bdd8c2a93a35a8889dc4cea85f98753de6517361116e0e09cb2baab9a95cf0cf0678edee9822572ee4c19db93010c43a9f01cb6
-
Filesize
222B
MD5b78e2c99b0e66f6f6accbebdaa4d8442
SHA1a546aaed8820b44437538600deba9d08a4a11ddc
SHA25659e9ccbcb65a03c7965b93c758e4562ff8ddd5500b8ec1b66811f9b62744b2ca
SHA51282d09d87f8dffbc9c261b8d9dc9437350638197430ecee513bf1803ad18db3b939c56141e970d0d9523c93befebd1e76743b860d9dfd2072280becdf5aa2fc6e
-
Filesize
640B
MD55d142e7978321fde49abd9a068b64d97
SHA170020fcf7f3d6dafb6c8cd7a55395196a487bef4
SHA256fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061
SHA5122351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9